Recently I sat down to talk to David Jacquet of InfoSec Group about some of the security risks inherent in social media activity, and what businesses can do to alleviate those risks. Below is the transcript of that interview. For those of you with really short-term attention spans I’ve summarized some of David’s points into a blog post over at Fast Company.com called The 5 Biggest Social Media Security Risks for Businesses.
For those of you who think even that’s too long, well, you probably already stopped reading.
Rich: Today I’m going to be talking to David Jacquet of InfoSec Group. What we’re going to be talking about are some of the issues arising around information security and general security when it comes to social media.
David, thank you very much for being here with us today.
David: You’re welcome, my pleasure.
Rich: Just to start off with a really basic question, what is information security?
David: Information security is understanding that as a business or an organization or an entity, we have assets and that those assets need to be protected.
Information security is basically a business goal and it’s the idea of protecting those assets from unauthorized third parties.
Rich: How does that then tie into social media ‒ things like Twitter, Facebook, YouTube and so on?
David: Because information security, as I said, is a business goal, it encompasses protecting any assets which may or may not be shared in the context of doing business.
If people are going to be using social media, presumably they’re going to be talking about a fair amount of information that belongs to their entity, organization or company. Some of that information may be of a confidential nature and therefore needs to be protected.
It’s the idea of trying to make sure that we do not expose the organization to undue risk through the use of social media.
Rich: Let’s talk a little bit about that risk. What do you think some of the biggest risk issues are when it comes to using social media and keeping our information secure?
David: The first risk and the most obvious risk is to ignore that risk. A lot of businesses are involved in social media, and I might add I think they should be. I think it’s a great vector of growth and marketing for most any enterprise out there. However, to do it without understanding the risks that it involves and are inherent to the practice of social media is extremely dangerous because you can’t protect yourself against what you don’t identify as a potential threat.
I think that once that risk awareness has been gained, the idea beyond that is to find some controls, some ways to mitigate the risks in such a fashion that we can continue to reap the benefits of social media without suffering the consequences.
Among the actual threats, it depends on how it’s being used. It goes from a confidentiality risk, as I mentioned. Somebody may say a little more than they intended to say or share.
Another issue is that a lot of people treat the internet like it’s a private space, whereas it’s obviously a public space. And needless to say, one is supposed to change one’s behavior when one moves from a private to a public space.
There are also potential issues for the computer network that a company may be running. For example, a lot of social media platforms, such as Facebook or LinkedIn, allow connectivity and messaging back and forth, including sharing files. If I’m a nefarious hacker and I’m trying to propagate some malware, such as a virus or a Trojan or any of those things, it’s a beautiful way to do it because people will more often than not fall for it. There are a lot of different risks involved.
There are also personal risks. A lot of people like to broadcast where they are at any given time during the day, using Twitter, for example. And if I can determine a pattern that this particular person is at this particular location most every morning between that time and that time, it may give me some insight that I normally should not have on the whereabouts of that person.
There are many ways and many threats, in fact, with the use of social media. The number one thing is to be aware of it, and then to try and mitigate.
Rich: In terms of monitoring social media activity among employees, what should we be aware of? What can we do, what should we do, and what shouldn’t we do?
David: I think it all starts at the top. I think it all starts at the policy level. I think it’s extremely important to create policies and procedures that clearly detail what is acceptable for employees to do and what is not acceptable for them to do, then to provide the supportive procedures about it. For example, I can say it is acceptable for my employees to use LinkedIn but not Facebook. Then I can potentially create a procedure that helps, step by step, my employees create the appropriate level of online participation in LinkedIn.
Obviously, the next level beyond the policy and procedure is to make sure to train your employees so that they understand that there are policies and procedures. They cannot be expected to follow a policy if they don’t know that policy exists, quite obviously.
After that, there are a lot of things you can monitor and a lot of things you clearly do not have the time to monitor. For example, you cannot necessarily monitor each and every action that your employees are going to take online. And in a lot of ways, some people might argue that you don’t want to.
At the same time, at a proxy server level, you can see how many people go to Facebook. If you have a published policy that says that nobody does Facebook on company time, you can monitor if it’s actually happening through looking at your logs for internet access.
You can also have a certain person be responsible for very regularly scanning the Twitter activity of those employees that are allowed and empowered by the company to represent the company on Twitter, and make sure that the vocabulary used, the topics broached and so on and so forth are in agreement with the policies that have been created by the company.
Rich: How do you develop these policies? Are there sites online that we can just go to or are these things that really need to be changed based on the company?
David: That’s a good question actually. Obviously, I’m biased in my answer where I think that you should always hire a professional to do that because there are people out there who create policies for a living and they understand what the traps are that need to be looked at.
I think there are two ways to look at this. There are policies that need to be created from scratch. For example, I think that every company should have a policy that dictates who owns the accounts. Say you decide to run Twitter. Who owns the account? The company owns the account? Or the person who has been employed by the company and provided the content, do they own the account? And who owns the content created in the name of that account?
That should be specified from the start. You should have a policy that dictates that the company owns all the content that is created in its name, if you will. I would assume that if a company hires somebody to tweet full-time or even part-time that they would have to sign a contract recognizing the fact that the company owns both the account and the content created.
As I said, there are two types of policies that I would personally recommend be created:
There would be those that are social media specific, and therefore probably do not currently exist in your array of business policies or security policies.
Then there are the policies that already should exist, such as a password policy, for example, that should be augmented with whichever portion is appropriate to meet your needs on the social media side of things.
For example, let’s pretend that you have a company and this company has a Twitter account in the name of the company. This company has a password policy that says that all passwords must be uppercase or lowercase, at least eight characters and not be in a dictionary and so on and so forth. But it does not amend that policy to say that it includes all social media related accounts.
Somebody in the company who is supposed to legitimately be tweeting creates a Twitter account and that password is extremely easy to guess. If that password were to be guessed by somebody else, that somebody else could impersonate the company and start disseminating all kinds of false information. Basically, the company is at risk, at the very least reputation speaking.
To prove that it was not your person that was doing that, you would have to have computer forensics involved. So there are policies that already exist, such as the password policy, that then need to be updated from the context of social security specifically.
Rich: That’s some great information.
Do you have any horror stories to share with us, like some companies that because they weren’t planning just something bad happened to them?
David: First of all, it’s still fairly new and I think that there are a limited amount of horror stories out there.
There is one very famous one on the internet of this gentleman that was going down to Colombia, the country that is, and basically tweeted his arrival and everything else. The next tweet we see is a ransom demand because he has been kidnapped at the airport. That’s pretty extreme, obviously.
There are also several companies that I know of personally where malware was distributed all across their network because they received an infected message. It was opened and all hell broke loose after that. We know of several of those.
I think that realistically we are going to hear more and more about it. I know that the Marines decided, for example, that they were not going to allow their troops to do social media anymore because their business is clearly life and death and it’s very easy for people to say more than they thought they were saying.
There are a lot of errors. There’s a classic example on the internet on Facebook of this person disparaging her boss on her Facebook page, and then the next message is her boss saying, “Gee, I guess you forgot that you added me as a friend,” and then this person lost their job.
At the same time, I think there is a company reputational risk there because now you wonder what sort of an outfit this is. There’s a bit of negativity attached to that sort of experience being published and being public knowledge.
Rich: David, tell us a little bit about your company, what you guys do, and where we can find you online.
David: We do penetration testing and compliance. We do training, we do computer forensics and we do software security as well. We can be found online at www.InfoSecGroup.com.
Rich: Thank you very much. It was a pleasure talking to you and you certainly gave us some good information on how we can be more secure while we’re using the social web.
David: Thanks for the opportunity. I appreciate it.
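Editor’s note: the monitoring David describes above, checking proxy logs to see whether a published “no Facebook on company time” policy is actually being followed, is easy to automate. The script below is an added example written for this page, not code from InfoSec Group or from the interview. It assumes Squid’s native access.log format (timestamp, elapsed, client, code/status, bytes, method, URL, user, peer, MIME type); the sample log lines, user names, IP addresses and the blocked-domain list are all constructed for illustration, and business hours are assumed to be 08:00 to 18:00 UTC, Monday to Friday.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user peer mime
SAMPLE_LOG = """\
1717056000.123    250 10.0.0.15 TCP_MISS/200 4521 GET http://www.facebook.com/ jsmith HIER_DIRECT/157.240.1.35 text/html
1717056005.456    120 10.0.0.15 TCP_MISS/200 812 GET https://static.xx.fbcdn.net/rsrc.php jsmith HIER_DIRECT/157.240.1.35 text/css
1717056060.789    300 10.0.0.22 TCP_MISS/200 9876 GET https://www.linkedin.com/feed/ abrown HIER_DIRECT/108.174.10.10 text/html
1717056120.001   3100 10.0.0.15 TCP_TUNNEL/200 33110 CONNECT www.facebook.com:443 jsmith HIER_DIRECT/157.240.1.35 -
1717056200.000     90 10.0.0.40 TCP_MISS/200 1500 GET http://notfacebook.com/ - HIER_DIRECT/203.0.113.9 text/html
1717099200.500   2800 10.0.0.31 TCP_TUNNEL/200 20500 CONNECT m.facebook.com:443 cdoe HIER_DIRECT/157.240.1.35 -
"""

# Hypothetical policy list: the interview's "nobody does Facebook on company time".
BLOCKED_DOMAINS = ("facebook.com", "fbcdn.net")

# One regex for the ten whitespace-separated fields of a Squid native log line.
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)


def parse_line(line):
    """Return the fields we need as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def host_of(url):
    """Host part of a proxy log URL. CONNECT (HTTPS) lines carry a bare host:port."""
    if "://" in url:
        authority = url.split("://", 1)[1].split("/", 1)[0]
    else:
        authority = url
    authority = authority.rsplit("@", 1)[-1]  # drop any user:pass@ prefix
    return authority.split(":", 1)[0].lower()


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Exact or subdomain match only; 'notfacebook.com' must not match 'facebook.com'."""
    return any(host == d or host.endswith("." + d) for d in blocked)


def in_business_hours(ts, start_hour=8, end_hour=18):
    """Assumes UTC and a Mon-Fri week; adjust to the company's own timezone and calendar."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.weekday() < 5 and start_hour <= dt.hour < end_hour


def report(log_text, blocked=BLOCKED_DOMAINS):
    """Per-user counts of requests to blocked domains, overall and during business hours.

    Unauthenticated requests (user '-') are attributed to the client IP instead.
    """
    counts = defaultdict(lambda: {"total": 0, "business_hours": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blocked(host_of(rec["url"]), blocked):
            continue
        user = rec["user"] if rec["user"] != "-" else rec["client"]
        counts[user]["total"] += 1
        if in_business_hours(rec["ts"]):
            counts[user]["business_hours"] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, c in sorted(report(SAMPLE_LOG).items()):
        print(f"{user}: {c['total']} blocked requests, "
              f"{c['business_hours']} during business hours")
```

Two details matter in practice. HTTPS traffic shows up in the log as CONNECT to host:port with no path, so the host has to be taken from the bare authority rather than from a parsed URL; and the domain match must be on label boundaries, or a lookalike such as notfacebook.com gets counted against a user. The business-hours filter is what turns a raw hit count into evidence about the policy actually published.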