Social Media – Security Risks? It Depends Where You Happen to be Sitting
No doubt the eruption of social media applications, networks and tools has caused a significant ground disturbance; some would say it’s been a series of category nine earthquakes. I recently had the pleasure of reviewing the results of a Cisco commissioned survey provided to 500 information technology security professionals in the US, Germany, Japan, China, and India concerning social media and personal devices conducted by InsightExpress.
Do take the time to review these results, and in doing so I think you will share my realization, that with everything new there are unintended and unforeseen security issues, both real and perceived. These issues appear to be at the root of the substantial consternation amongst the participating information technology security professionals. Indeed, this multidimensional capability called social media is in fact permeating the hermetically sealed secure environments of our businesses, or so it would seem. It is time to get out the plow, hitch up the horses and hoe a few rows in order to plant the seeds to grow healthy and sustainable security practices and capabilities surrounding these concerns.
So let’s dig into the issues that are making the respondents twitch. “Our employees are using unsupported applications on their laptops.” Is that you making the comment? Or are they thinking of you when they responded? Are “unsupported” social media applications used at the office? Is it you? How about peer-to-peer (P2P) software and networks, is it a necessity of your business for you to be connected and sharing work content? Or perhaps you are using an externally hosted and maintained service (aka cloud); especially given the large number of respondents who indicated they had employee clientele doing just this. But I believe a bit more context needs to be evolved to fully understand the issue(s) or we may find ourselves making “much ado about nothing” (with a tip of the hat to The Bard).
What does this mean? It means the “consumerization of IT” has arrived. It means companies need to know who, what, where, when and how their employees are accessing their employer’s environment. It also means one needs to have an understanding of the device(s) being used to access their infrastructures. With just over half of employers conducting their own assessments and studies to determine what types of devices employees are using, is it fair to assume those who don’t measure don’t know? Or could those that don’t assess be the truly fortunate ones whose user clientele only use what is issued, because you and your colleagues understand why the policies exist?
I urge all to assess. It is important to know not only what devices, networks, and applications are being used, but also to understand why they are being used. It is very infrequent that an employee will purposefully use a new tool or capability with the intent of putting their employer/employment at risk. Your understanding can only come from collaborative dialog. An assessment effort will provide a crystalline view into what may be your opaque situation. With this, you are well positioned to create your messaging and roadmap to the future to ensure your data is safe and remains safe.
Alternatively, you could of course move to a draconian solution and lock down and restrict access to the Internet, social media tools, applications and services, and in so doing signal that participation in such should take place on a device with no connectivity to your business. It may also signal to your future employee prospects that you are not yet advancing into the new business model. If that’s you, how’s that working for you? I wasn’t surprised to read that those with a highly restricted environment still faced employees using unsupported devices and methods. From my optic this is analogous to saturated ground receiving more water: the employee, like the water, will find an available route to connect and engage, even if it isn’t the employer’s preferred route. And of course when this happens, a mop is needed in both instances to clean up the ensuing mess. Even though it may feel like you are living under the constant threat of a flood, perhaps with a bit of investment the risk of damage can be mitigated and greatly reduced.
I don’t advocate draconian restrictions. In my own instance I am permitted to use unsupported applications and devices. I am also governed by a clear and concise “code of business conduct” and “information handling policy.” In addition, I don’t have to divine the expectations of my employer; they are shared with me regularly, and they evolve with equal regularity. For example, I know that I shouldn’t copy my internal email to my web-based account, even if it is more convenient to have a copy accessible from my personal laptop (and I know that my personal laptop is an inappropriate device, as it isn’t configured and provisioned with the security applications that my employer implements). If I choose an application poorly, I am fully accountable and responsible should the application wreak havoc.
While not an advocate of a total lock down, I do submit that certain data sets absolutely require restricted access, and this means your environment and your employer’s environment must be equally secured. I think it is totally appropriate to have sterile lab environments where no electronic devices are allowed — and to implement and enforce such an environment requires the occupants to understand that excluding technology is for the following reasons: A, B, C, D, … With such articulation and demonstration, you raise the level of understanding so that your employees will not only comply with your desired restrictions surrounding the data, but will also actually know when they may be putting their employer at risk and, by extension, their employment at risk.
The policies are there to guide the employees in their engagements, but policies without teeth are feckless and will be ignored. In my instance, those policies governing my behavior have teeth. Do yours? Make sure they do, and more importantly, make sure you can articulate why the policy exists. From my seat, good policy adherence requires an investment in a robust and omnipresent education and awareness regime. This is not a topic relegated to your employees’ first day of work and never revisited.
In sum, the perspective of the information technology security professional is that social media evolution carries new risks that need to be understood by those implementing technology, those using the technology, and those leveraging the technology. A great way to drive that understanding is to look at the multiple sides to social media and reduce the tendency to become myopic. The practitioner is usually found in the marketing or communications department, and the audience, those with whom we wish to engage in conversation and collaboration, includes both the internal clientele and the customers. The importance and understanding of these risks are often shaded by where you sit. These risks can be addressed and mitigated via continual communication, awareness and education.