Stay secure in the social realm
Taming threats through strategy and savvy
Emerging technologies such as cloud, mobile and social can provide powerful new opportunities for organizations to operate with greater agility, focus on their core capabilities and extend their reach. But these technologies can also provide new points of entry for hackers attempting to exploit information for monetary or political gain.
Sharing and trusting
As an enabling technology, social media allows organizations to extend their marketing reach and form a more intimate bond with customers. Such efforts rely on sharing meaningful, trusted information. Sharing and trusting are the heart of social media's power. They are also at the heart of social media's hazards. Without a solid social media strategy, organizations might unwittingly share sensitive information via their social presence, or they might place too much trust in those who could do them harm.
Those who would attack your organization begin with reconnaissance, and your social media presence provides an excellent opportunity for hackers to learn about your weaknesses and find an entrée into your organization—to sniff for vulnerabilities and then to exploit them. A hacker presenting a false identity online can easily discover and befriend your employees via social sites and then begin to glean information they could leverage to access your "crown jewels"—your most critical information assets. For example, if an employee's LinkedIn résumé boasts of the firewall tools and other security applications he/she has used at your organization and if that employee unwittingly befriends a hacker, the hacker can gain instant clues on how your organization operates. And hackers can use social media to assemble other clues—organizational charts, the location of physical IT assets, the categories of data you collect—to build a better picture of your organization and begin planning an attack on your crown jewels.
Amplifying the threat is the complexity of the social landscape. Social media is deeper than you think. It's more than social networking sites such as Facebook and LinkedIn or microblogging sites such as Twitter. The social web is expansive—encompassing game platforms, video and photos sites, blogging and publishing sites, online communities, conversation apps, and virtual worlds. It involves scores of online properties, frequented by thousands of companies and millions of individuals—communicating through billions of posts and messages. Leaking sensitive data can happen. Trusting the wrong people can happen.
Setting aside fear
Social can sound scary, but closing the door on your organization's social activity is not the solution. It's too important—as a tool for disseminating meaningful information and for understanding the interests and activities of others, whether friends or customers. Social media has become the preeminent way in which we share news, whether personal or otherwise.
Organizations that fail to use social media as a business tool will watch idly as competitors blast by them to pursue growth opportunities. Meanwhile, customers have grown to expect corporations to have some sort of social media presence—a place to discover meaningful information and pursue meaningful interactions. If you're not visible in the social realm, you're not visible at all.
Addressing security concerns with social media relies on basic awareness and planning techniques. And organizations, regardless of their current level of social savvy, can begin taking steps today to mitigate information vulnerabilities that can arise in the social sphere.
Get smart. When it comes to understanding social-based threats, it helps to understand what's at risk. That means knowing the following:
- Know your crown jewels—your critical assets and sensitive data.
- Know the risks themselves. That is, know the threats and know what can happen if someone gets to your crown jewels. For example, will breach of a certain type of data result in diminished public trust or lost revenue, or will it merely embarrass your organization?
- Know more. Continue to update your knowledge on emerging vulnerabilities and threats in social media.
Get organized. Develop a policy for how your organization will operate in the social realm. Get started by making key decisions about content and duties.
- Determine what type of content you will post and on which social sites.
- Understand who will create, access, excerpt, or edit information before it is posted on social media; this will help you develop controls for information and ensure that sensitive data does not make its way into the wrong hands. Determine the type and tone of interactions that you will allow.
- Set roles, responsibilities, and rules for who can manage your social accounts—as well as rules for how that management occurs. For example, will a social media manager be allowed to use his/her personal mobile device to post on social media on the organization's behalf?
- Establish rules for how employees can access their personal accounts when working on company time or using company equipment.
- Outline the consequences for violation of policy.
Stay on top of things. Make sure your social policy works by doing the following:
- Police your social activity to make sure your organization is adhering to its policy. Audit your activity against your policy.
- Look critically at your content to ensure that the information and messages you're disseminating fit not only with your social media policy, but with your overall security plan and your business goals.
Stay in shape. It's not enough to roll out a successful social media policy. You have to work to keep it successful.
- Continually reassess your policy and your social activity in light of new threats and new needs.
- Simulate scenarios to test how well your policy and procedures work.
- Make changes in your social media strategy to adjust for new weaknesses and new challenges.
Tools and techniques
Developing a comprehensive policy to address security with social media will require your organization to create more than a broad strategy. You will need to address specific questions and specific challenges—and take specific steps to ensure that you can minimize social vulnerabilities while maximizing the power of social media. Here are a few essential pieces of guidance that can help you strengthen your organization's social media security strategy.
Understand the value of what your organization and your employees are posting online. And know that you can't control it all. Any information you post—even a corporate bio or news on an event—could provide intelligence for hackers. But withholding such basic information can make your organization seem shadowy. Take a balanced approach. Determine the areas in which you should exercise restraint and encourage employees to be mindful of the details they share. For example, talking about IT projects might offer clues about your technology vulnerabilities and holes.
Know that the people interacting with you might not be who they claim to be. And alert workers to the threat of malware delivered via social media contacts. Make employees aware of "social engineering" attacks that use manipulation or deception in an attempt to access information (e.g., fake but official-seeming links, fake profiles, etc.).
Make data-loss prevention part of your thinking when it comes to social accounts. Are there controls in place to ensure that data you might share on social media (for example, the number of new customers in February) isn't cross-contaminated with sensitive data such as personally identifiable information about those customers?
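One way to put such a control in front of the publishing step is a pre-publication scan of each draft post. The example below is added here and is not part of the original article; it is a constructed, hypothetical check that lets an aggregate metric (a customer count) through while flagging PII-like values (e-mail addresses, phone numbers, SSN-style and Luhn-valid card numbers), so that plain numbers such as order IDs or totals do not trigger false positives.

```python
import re

# Constructed, hypothetical pre-publication check: flag PII-like values in a
# draft social post while allowing aggregate metrics (e.g. a customer count).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_phone": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_post(text: str) -> list:
    """Return (category, matched value) for every PII-like token in the draft."""
    findings = []
    for category, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "card_candidate":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue    # order IDs and metrics are not card numbers
            findings.append((category, value))
    return findings

def approve_for_publication(text: str) -> bool:
    """True when the draft contains no PII-like values and may be posted."""
    return not scan_post(text)

# Constructed sample drafts: an aggregate metric vs. one customer's details.
DRAFT_OK = "Great month: we welcomed 1,240 new customers in February!"
DRAFT_BAD = "Shout-out to our 1,240th customer, jane.doe@example.com (555-123-4567)!"

if __name__ == "__main__":
    for draft in (DRAFT_OK, DRAFT_BAD):
        print(approve_for_publication(draft), scan_post(draft))
```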
Keep the "permanence factor" in mind. What you post online can live forever, even if you delete it. Site mirrors and cached content can make your posts available far into the future. So consider the future potential value that content might hold for attackers. It might seem useless today. For example, a single physical-location "check-in" posted by an employee on a social site might not seem like a big deal. But over time, check-ins could help cyber criminals establish patterns that they could use to plan a physical break-in or time a cyber attack.
Analyze who's saying what about your organization and your industry in social media. If you spot a growing pattern of dissatisfaction or disgruntlement among comments, it could forewarn of a cyber attack. Know when you're becoming a bigger target. Know who is following you and what their goals might be. Apply analytics and social listening tools to spot trends and anticipate problems and attacks. It also helps to understand the two main types of threats: traditional hackers (seeking assets that hold value for them) and hacktivists (who might target your organization to further their agenda). Also be on the lookout for spoofs of your social media presence—for example, impostors masquerading as your organization and asking your customers to provide personal data that hackers in turn can use to access customer accounts.
Encourage employees to be skeptical of strangers as they use personal accounts. Strangers may be seeking proprietary information from them. Also remind employees about the need to review the privacy settings on their personal social media accounts. Depending on your overall security posture, you also may wish to set rules for employee use of social media during work.
Be mindful of entangling apps and social sites. For example, one social site might give you the option to link your account to another social site or to an e-mail account—for the purpose of easily republishing posts or discovering friends. Be aware that a successful attack on one account could give a hacker access to information in those other accounts.
Review internal controls for protecting your data assets. Which employees have permission to log in to which accounts? Which types of information or topics are off limits? Review training procedures for personnel handling sensitive data. Also be mindful of the potential for malicious insiders. Disgruntled employees can use social media to leak sensitive data—in obvious or not so obvious ways. Audit your controls and related activities to help minimize the potential loss of sensitive data through social channels.
Understand the role of partners. Know what your partners are doing with social media and how they are including your organization. Their social media activities could have an impact on your security posture. If you're outsourcing some of your social media activities to a third party, make sure you understand the value and sensitivity of the information you are sharing with them, and know their controls and procedures for security. Ultimately, know the controls in place for how you handle data from third parties, and how your third-party partners handle your data.
Ensure that you're using strong passwords for your accounts. Also make sure that you're not using the same password for multiple accounts.
Create an inventory of your social accounts—from social networks to online communities. Your organization might be doing more in the social sphere than you realize. Have an onboarding plan for new social sites. Since social involves hundreds of sites, forums, and applications, know how your organization will add new sites and new corporate accounts to the mix.
Determine what the public can post on your social sites. Police or moderate the content that others post to your sites. Foes or disgruntled former employees could use your social presence against you to post information that could reveal security vulnerabilities.
Have a crisis-response plan. Know what to do when passwords leak—when employees or hackers publish posts in your name. Learn how to recover or reset passwords—or how to suspend an account. Determine how you will announce or explain a breach to the public, using social media as a tool to communicate about privacy and leak issues. Understand who has responsibility for which crisis-related activities, and simulate crises to make sure you're prepared.
Don't forget about mobile. Your social media account managers might be using mobile devices to post on the company's behalf. Mobile brings with it security challenges such as malicious mobile apps and the potential for lost devices. Craft policies and procedures to improve security for mobile device and app management. Know the actions you will take when a device is lost, infected, or compromised.
Befriending social media
With social media emerging as a critical business-communication and marketing tool, ignoring its potential and its pitfalls can prove to be foolish. Organizations that embrace social media while remaining mindful of the security challenges—and while addressing those challenges head on—stand a greater chance at success.
Navigating the social landscape requires understanding how you're using social media, how you can leverage it to meet your business goals, and how attackers can leverage it against you. It is changing faster than many organizations can respond, and asking the right questions and finding the right answers is essential. Deloitte can offer help. We have extensive experience aiding organizations in developing strategies and applying tools to improve an organization's ability to be secure, vigilant and resilient in the social realm.