Social media a boon for businesses, but creates security quagmire

Main dangers: Fraudsters, malware and employees who leak sensitive data

Social media -- Facebook, Twitter, LinkedIn, Google+ and so forth -- has become a way of life for companies and their employees to interact with the public, but beating back the fraudsters that try to prey on customers, not to mention keeping employees from spilling sensitive data, is becoming a full-time job for many.

"We do a lot of social media, It's actually an important part of our business," says Yaron Baitch, director of information technology and security at Bob's Stores, the apparel retailer in the Northeast region which counts about 1,500 employees. The store chain uses its Facebook site and Twitter for continuous interaction with the public.

MORE: Facebook hacker comes clean on 'what really happened' 

MORE: DARPA seeks Holy Grail: Quantum-based data security system

But the Bob's Stores Facebook site, especially, needs constant attention for security reasons since fraudsters have been known to attempt to lure visitors to "various traps anywhere around the world," says Baitch. "We try to work hard to make sure none of our customers are put at risk."

Stats for social media use

This is the kind of danger for business that comes with social media, says Charles Renert, vice president of Websense security labs. "Video lures" have become one of the biggest threats on social media. "It's all about social engineering and the lures," he says.

While Bob's Stores uses social media to draw attention to sales at its stores and e-commerce website, for instance, the apparel retailer does not often favor its employees using social media.

The acceptable-use policy the company established generally prohibits employee use of social media unless the job function calls for it, says Baitch. To enforce that, Bob's Stores makes use of the Websense security gateway dubbed Triton to block employee access to Internet-based social media via the corporate network resources.

Baitch says the main rationale to block employee access to social media is that the company would appear to bear legal responsible for any employee's wrongful or reckless behavior, if it occurred, if the employee were using the company's network. But if an employee, aware of corporate policy making social media off limits, did something wrong using their own network resources, the liability risk would more squarely rest on the employee.

Concerns about safeguarding customer data according to the Payment Card Industry security guidelines also influenced the decision by Bob's Stores to keep employees off social media. The company is so concerned that it might be possible to get by the Websense gateway, it's also investigating use of whitelisting technologies to lock down corporate computers.

Social media is important in other areas, such as sports, too, where there are also risks.

"Social media is big, like Twitter and Facebook," said Bill Bolt, vice president of information technology for the Phoenix Suns NBA team. "And now there's Google." It's now common practice to interact with fans, tweeting team news and posting video interviews with the team's stars, such as Jared Dudley and Steve Nash, or selling game tickets through direct interaction online.

But when big playoff games are scheduled between competing teams, things can get pretty wild among the fans on all sides. "Some of this crosses the line," says Bolt, noting the Phoenix Suns has to dedicate resources to screening and eliminating expressions of virulent hate or verbal abuse coming in through Facebook and other sources.

Finding the right balance between allowing or prohibiting employees to use social media has been an evolving process over the years for many businesses.

At Summa Health Systems, the healthcare provider based in Akron, Ohio, the network systems engineer there, Mike Wade, says management has typically viewed social networking for employees as "wasting time" or a potential for "mistakes." At first Summa Health Systems tried blocking it through a traditional firewall, which didn't always work since "people found a way around that."

Currently, the healthcare group uses a Palo Alto Networks next-generation firewall (NGFW), setting fine-grained controls on social media application usage for each employee. Policy has evolved to allow human resources, research and management to make some use of social media, though for the hospital clinical staff, sites such as Facebook, MySpace and Twitter are still off limits.

Sensitivity to privacy guidelines in the HIPAA regulation plays a big part since if any information about patients turned up on social-networking sites, that could be a serious legal problem. Summa Health Systems is starting to make use of a "Web DLP" function in the Palo Alto NGFW as a data-loss prevention function to monitor for outgoing patient data and block it. The hospital is also looking at deploying desktop-based DLP for the same reason.

Some consultants express some doubt that technology is the main answer to keeping employees from doing foolish or wrong things on social media that will harm their companies or themselves.

Gary Loveland, principal, national security leader at PricewaterhouseCoopers, says the chief concern about social networking is that sensitive information could be shared outside on social-networking sites when it shouldn't be.

But just setting up the equivalent of a corporate blockade to social media is a "limited" approach at best, says Loveland, for the obvious reason that someone can get to Facebook or other sites using a personal mobile device or a home network. Security education of employees from the day they hire on is necessary to drive the message home to them about the risks that social media pose, even while businesses monitor sites to see what's being said about the company. "It's about coming to grips with reality on this," said Loveland.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies