Social media isn't friends with enterprise security

Security threats are changing as enterprises embrace the use of social media sites. Security experts at Forsythe, Info-Tech and nCircle weigh in on how IT can adjust to accommodate the new risks.

Social media is rewriting the rules of IT security and changing the jobs of enterprise security officers, a consultant says.

"Social media is quite the challenge for our industry right now," said Jeff Sizemore, managing security consultant at Skokie, Ill.-based Forsythe Solutions Group Inc. "It's hard to be proactive in a security manner with social media sites, versus reacting and reading log files ... it's much easier to be proactive and limit data breeches, for example, in e-mail."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Security threats are changing as enterprises embrace the use of social media sites. Security experts at Forsythe, Info-Tech and nCircle weigh in on how IT can adjust to accommodate the new risks.

Social media is rewriting the rules of IT security and changing the jobs of enterprise security officers, a consultant says.

"Social media is quite the challenge for our industry right now," said Jeff Sizemore, managing security consultant at Skokie, Ill.-based Forsythe Solutions Group Inc. "It's hard to be proactive in a security manner with social media sites, versus reacting and reading log files ... it's much easier to be proactive and limit data breeches, for example, in e-mail."

Social media sites are "very sophisticated because they are very well-packaged," said Sizemore. "It's very tricky because you have to manage to allow a user to use a Web site, but not access specific pieces of a Web site," he said.

These sites can't be tracked well and may contain vulnerabilities that are untraceable to a lot of security technologies on the market. Many enterprise technologies, from Web filtering to traditional firewalls to network security devices, are inadequate to deal with these challenges, said Sizemore.

"You have to have something on the machine that is smart enough to understand there is an application within that Web site, and a lot of firewalls can't do it today, and a lot of the typical solutions on the end points aren't able to do it today," he said.

The first thing IT must do is educate employees, he said. "You have to start educating employees about how to actively use IT in a manner safely from a privacy (and) confidentiality perspective, not a specific program or a specific application," he said.

Employees must understand what confidential data is, so when they are on these sites, they understand the ramifications of what they are doing, he said. "A lot of these tools are very immature with social media today, but once we fix that social media site, there will be another ... at some point, you have to start to retrain users," he said.

"The risk with social media is all about the leakage of information," said James Quin, lead analyst at London, ON-based Info-Tech Research Group Ltd.

While traditional risks are about people pulling data out of the organization, often by breaking into the network illicitly to steal information, social media is a push problem. And because a lot of social media is created on-the-fly, organizations don't necessarily review the material, he said.

"They don't have the time to make sure that information that shouldn't be leaked isn't being leaked by actively reviewing the content that is being posted, so the risk is that employees are either maliciously or accidentally sharing information that they shouldn't," he said.

The early technical response was to just block social media and put tools in place to disallow that kind of traffic across the network. Many organizations are still doing that, Quin said. But an increasing number of organizations are starting to make use of social media for business purposes, and in doing so, they have to open up the network, he said.