There are two aspects of social media security of which businesses must be acutely aware:
- End-user security and network/computing resource protection, and
- Corporate social media account security.
Corporate implications for individual account security
The first is critical because social networks are breeding grounds for phishing scams, malware distribution, and identity theft, all of which can have a direct impact on IT. Even if employees are simply checking their Facebook accounts during lunch, it’s all too easy for naive users to click through a malicious link or respond to a phishing scam using corporate credentials. This isn’t to say that employees should be prevented from accessing social networks for personal (or even business) uses at work; that’s a matter of organizational policy and worthy of plenty of internal discussion. Rather, employees need to be trained and educated on the safe and secure use of social media at a personal level.
Not only is phishing becoming increasingly sophisticated, often looking far more legitimate than the Nigerian banking schemes of old, but thoughtless use of social media can expose corporate networks to attacks by savvy hackers. For example, consider an employee who uses a corporate email address to set up an account on Facebook, posts pictures of his kids tagged with their names (as most social media users are wont to do), and lets an innocuous third-party application access his birthday and various posts. Suddenly, hackers have all sorts of fodder for a brute-force attack on his network credentials, which invariably use an insecure password based on this personal information. Sound far-fetched? Unfortunately, it’s all too common.
The bigger challenge – Corporate social channels
However, problems at the personal social account level tend to be easily remedied through training and appropriate policies. Things get more complicated when companies begin building out their brands and reaching out to customers via social media channels. As the recent mess at music retailer HMV demonstrated, even large, multinational companies lack control over their social streams. At no time should a disgruntled (or merely incompetent) employee be able to hijack a Twitter or Facebook account and give a business exactly the wrong kind of viral exposure.
Nor should any company be unable to regain control of its feeds if they happen to be compromised (which, again, was the case with HMV). Instead, the right policies, procedures, and software can ensure that social media are keys to building a brand instead of doors to embarrassment (or worse).
The right policies
From a policy and procedure perspective, businesses need to:
- Limit and focus their social channels (how many Twitter accounts does a company really need?) – The more accounts that exist, the more likely that one will be forgotten, orphaned, compromised, or left out of software solutions for managing social media.
- Implement a process for review and monitoring by senior marketing managers if junior staff are tweeting, interacting with customers on Facebook pages, or engaging in discussions on LinkedIn. The degree of monitoring should be proportional to the profile of the account: an official Twitter feed might require senior management approval for all tweets, but a customer support page on Google+ might get a cursory review each day.
- Ensure that only those employees with a clear need have access to account credentials and that passwords are universally strong and unique.
The right software
Much of the risk around corporate use of social media can be mitigated through specialized software like HootSuite and Vitrue. Essentially content management systems for social media, these platforms not only enable the review and approval processes noted above but also implement single sign-on, such that no end users ever need direct access to passwords. Users simply log into these systems in the same way that they log into the network, and their interactions across social accounts are managed by the software and appropriate business rules.
Businesses shouldn’t look at recent breaches of corporate social channels and run away from social media entirely. Doing so also means they run away from customers. Instead, the right training, policies, and software simply need to be in place to make sure that social media are a value-add rather than a liability.
Chris Dawson is a writer, speaker, and analyst with particular interests in educational technology, healthcare IT, and the intersection of the two with the cloud and BI. He is a contributing editor at ZDNet, Ziff Davis, and UBM Channel, and a senior editor at Edukwest. You can follow him on Twitter (@mrdatahs) and Google+ (+Christopher Dawson).