Many organisations currently face a dilemma over allowing the use of social networking sites within their companies. On the one hand, they are useful sales and marketing tools and the communication method of choice for the so-called “generation Y” – those born from the late 1970s to 2000 who hence grew up with the Internet in their childhood. It is estimated that in 10 years’ time, every detail about generation Y, from date of birth, credit card details and shopping habits to mother’s maiden name, will be available somewhere online (legally or illicitly). This generation entering the workplace may not understand the rationale behind placing restrictions on the use of these sites at work, and may become resentful if denied what they see as a useful way of maintaining contact with colleagues and business associates.
On the other hand, the use of such sites presents many security risks, both to the individual and to the organisation. Facebook has outstripped Google in terms of hits in the US according to Hitwise, which gives an indication of its popularity. Many Facebook users freely post up their hometown, first school, date of birth, etc. without giving a second thought to the fact that these are often the security questions used by financial institutions; worse still, users don’t protect this information by allowing only their friends to see it. Thus any cyber criminal can help themselves to this private information: it is handed to them on a plate. In addition, many users seem to connect to new users indiscriminately, and rarely, if ever, validate the identity of the user through another means. Would you strike up a friendship with someone you didn’t recognise and give them all your personal details in the first minute of conversation? Or would you make friends with, let alone trust, someone you had never met? No! Yet people do it in Cyberspace!
Facebook allows users to create their own applications. Cyber thieves have moved in by creating their own fake applications, which contain malware. This, combined with exploiting human nature, means users are tricked into clicking on seemingly innocuous links, e.g. “take a look at my holiday photos: xxx”, which then direct them to a fake website (e.g. one posing as a YouTube video page) and prompt them to download malware that can harvest personal information.
Twitter too is a useful sales and marketing tool for organisations, but it also has risks. The use of URL shortening services, such as tinyURL, which people use in their tweets to save space, means that users are dropping their safeguards with regard to clicking on links, because the shortened form hides the real destination. How many times have you questioned whether a colleague’s or friend’s shortened URL in a tweet actually leads to a bona fide website rather than a malicious one? The “LOL – is this you?” virus on Twitter did exactly that, and exploited Twitter users’ implicit trust in a follower’s tweet. Twitter also allows users to record their GPS location with their tweets, and occasionally people have posted up not only their physical locations but what security products their organisations are using as well! Hackers have such an easy time these days: they don’t need to be good at social engineering any more; social networking users frequently do half their job for them.
Clearly, these sites are here to stay, and to move completely against the tide would be churlish. A “one size fits all” approach to security is not appropriate: the use and control of these media must be decided in a context appropriate to the organisation, the industry and the risk. If you work in the government or defence sectors, using Twitter and posting your current location is clearly not a good idea. Similarly, those working in the information security sector need to think carefully, when marketing their services or products, about when it is and isn’t a good idea to report what security products an organisation is using. For large organisations, it may be prudent to restrict the use of Twitter and Facebook to the marketing team only, with user education on the risks involved in their use. Twitter, for example, allows tweets to be protected so that they are visible only to those approved by the organisation: they then don’t appear in the public timeline for all to see, but only to an approved audience. If you work in the media industry, this probably won’t be for you: clearly there’s a huge difference between a band letting the world know when their latest album is due and an information security organisation letting the world know what firewall a bank is using! Twitter also offers a verification service so that high profile accounts, like 10 Downing Street, are verified by Twitter and published as such. Be careful about who you allow to follow you until you have established that they are who they say they are.
As with all things in our industry, technical controls alone are not enough. There needs to be user awareness and education. If you are to allow the use of social networking in your organisation, be sure to train your users that whilst these media have business benefits they also carry risks – and that what is posted on the web stays up there, via web caching. In years gone by, yesterday’s news was tomorrow’s fish and chip paper – gone and forgotten; today it has permanence via web caching. Do you really want libellous material posted from your organisation to remain up on the web? Think carefully about your social media usage strategy, educate users – and tweet safely!