The Dangers of Employee Social Media Usage

Employers are hearing constantly of social media this and social media that. When your employees go on break or eat lunch, they are always on their cell phones talking. But now there are also applications on phones like Facebook, Twitter, FourSquare and others with which an employee can upload photos while mobile and even post to Facebook automatically. Are employees using social media securely?

Does your company have anything in place for protecting confidentiality through social media usage? Do you have a Social Media Security Policy? Employees sign agreements when joining the company but did the business cover disclosing things like pictures or private conversations and even meeting information via Google Buzz or Facebook? What about brand new products being developed that are trade secrets?

If your employees are online to do their job and Facebook, MySpace, or gaming sites like Pogo are not blocked, how do you know they are doing their work 100% of the time? Just because their production numbers look great doesn’t mean they are not slacking. Have you done a Social Media Security Assessment?

It is becoming an epidemic in the workforce, with employees breaking rules and ultimately being fired every day. If security monitoring technologies are in place you could possibly sue the former employee, but your trade secrets are gone and so might be your reputation. If an employee is bad-mouthing your company and tells everyone not to buy or shop with you, there goes your business immediately.

You can make a legal policy for employees to sign when they start their job stating that they will not talk about, disclose, or say anything bad about the company on social media sites. If businesses do not step up soon and do something it can be a total free-for-all!

Here are a few interesting facts to consider. One out of every ten employees admitted overriding their job’s security system so they could access restricted sites. In 2009, 24% of eight hundred employers surveyed said they had to discipline an employee for using social media sites. Another study showed 8% of employees were terminated for accessing Facebook out of two hundred businesses polled. Twenty-eight thousand people were polled in the United Kingdom at the beginning of 2010 and a whopping 87% said they can do what they want; it is their right to do so. There is a whole category of companies geared towards your social media reputation, such as Reputation.com. There are options out there if companies are willing to explore them.

It is now believed that social networking will replace email by 2014 as the main way to communicate for 20% of all business owners or users. Is your company prepared for Secure Social Media?

Social media sites have gained popularity in the past ten years as a medium to keep in contact with loved ones, business associates and friends. However, there can be drawbacks to the usage of such media when one is employed in certain career fields, such as the healthcare industry. Utilizing social media networks can inadvertently lead to the sharing of confidential patient information with people who may not have a need to know, which would then cause the company to violate HIPAA Security Rule compliance.

Social media applications are not just a part of one’s personal lifestyle; they have also become incorporated into the corporate climate. Many places use these applications for marketing, file sharing, communication, and employee recruitment. While these applications can open a great many doors of communication, some type of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other such entity that must shield private information should at least ask or require its employees to adhere to Social Media Policy guidelines.

For instance, when utilizing social networking sites, one should use separate passwords for the different sites, as an individual who knows the one password can easily compromise all of one’s accounts; a security breach of one account could snowball. Passwords should be complex and changed every 90 days. Social media sites should be accessed over SSL and only from trusted network connections, not from coffee shops, especially for business purposes! In the case of company documents or patient information, if it isn’t found on the company’s web page it probably should not be posted elsewhere. There are sites that exude a feeling of privacy and security, but are far from it. Allowing one’s corporate information security team to determine which sites are acceptable is the best option.

Another thing one should not do is post his or her own identifying information publicly, such as date of birth, social security number, or employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a public profile. Some information may not be considered confidential, yet not posting it to public social media sites is probably a good idea. This can include anything from rumors to purchases the company plans on making, anything about the technology one’s company uses or will use, and any projects the individual may be working on. So in one’s personal endeavors, it is most beneficial to all involved if confidential information, or information that could be considered secret, stays out of the hands of the public. Follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.

Gary Bahadur, CEO, KRAA Security
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *Free Website Security Test

Social Media Policy

Social media became part of the user community several years ago. Today we have social media in the corporate environment. The main problem we have is how social media has evolved: it has been a bottom-up approach. By bottom-up I mean that the consumer has determined how to use a technology and the corporation is playing catch-up. But the social norms that are appropriate for a consumer “product” are not appropriate in a corporate environment. Social media usage is being retrofitted into the corporate environment, but the consumer is already used to using social media in an insecure, “information must be free” manner. Employees who have been used to giving up all their information in places such as Facebook and Twitter must now be retrained to use social media in a whole different manner to meet corporate standards (assuming we have a corporate standard for social media security).

But what is a corporate standard for using social media in an appropriate fashion that does not put the company at risk? Corporations have not made a concerted effort to define that secure social media strategy, or even a strategy for training their employees in the “correct” use of social media. What is a good starting point for implementing a social media policy? Here is a basic guideline.

  1. Define a policy – You cannot assume employees will do the right thing without guidance. You already have things like Expense Policies, Acceptable Use Policies and Internet Use Policies. Write a basic guideline. What’s in that guideline will vary from company to company.
  2. Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted, FaceBooked or BlibbedBlabbaded (I made that up) about. If your employees do not know how valuable information is, you cannot blame them for inadvertently being sucked into the blogosphere. (I am not sure blogosphere is yet a word, but who cares.)
  3. Keep It Professional – If you allow your employees to Socialize (is that a word with any meaning here?) information about your company, you have to give them standards to follow. Things like cursing, grammar mistakes and casual conversation-style discussions might not be the image you want to portray when discussing anything related to your company.
  4. Tracking and Monitoring – If you are going to have a policy for anything, you have to have a mechanism for tracking compliance, reporting on activity and consequences for breaking that policy. How many tweets that are over the line make you bring an employee before HR? What is a firing Facebook picture offense?

This is a very abbreviated start. In later posts I will define more aspects of a social media policy. But let’s get the conversation started about the necessity for this as a standard policy in every organization, both large and small.

Gary Bahadur
www.kraasecurity.com
info@kraasecurity.com
The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. This multiple-part blog (I am not sure how many parts it will take) will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges. Data lifecycle management (DLM) is a policy- and procedure-based approach to managing information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle.

The 5 Steps
  1. Creation – How does data creation get managed?
  2. Usage – What limitations are on data usage?
  3. Storage – What controls are in place for storage?
  4. Transportation – How is data transmitted between company, customers and business partners?
  5. Destruction – What is the validation and verification process over data destruction?
The Data Management Problem
  • Weak processes in place to track creation, usage, transportation, storage and destruction
  • Weak ability to monitor and manage a customer record throughout the lifecycle
  • Inconsistent processes across each phase of data movement
  • Lack of enforcement capabilities
What should be the goal of data lifecycle management?
  • Provide practical steps to manage each step of the customer record management process
  • Provide cost effective solution for risk mitigation
  • Provide framework for data management
  • Reduce risk of data loss
Challenges to Customer Data Records Management
  • Rarely does a company have a centralized process to track controls over data, over the management processes around data, over logging and monitoring, and over removal
  • Organizations rely on technology to secure data, not on processes that drive technology purchases
  • The 5 steps of data management are not followed by all functional groups in a company
  • No clear ownership and classification of customer data elements
Did you know…
  • 1 in 400 emails contains confidential information
  • 1 in 50 network files contains confidential data
  • 4 out of 5 companies have lost confidential data when a laptop was lost
  • 1 in 2 USB drives contains confidential information
  • Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
  • Over 35 states have enacted security breach notification laws
  • Can openers were invented 48 years after the can

Why does traditional security not work for DLM?

Users have risky behavior. They will always have risky behavior, and we rely mostly on technology controls to keep them in a secure box. Solutions are aimed at the external threats coming in, not at the regulation and governance of internal communications going out. Problems we see are typically:
  • Unauthorized application use: 70% of IT say the use of unauthorized programs results in as many as half of data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: 46% of employees transfer files between work and personal computers.
  • Misuse of passwords: 18% of employees share passwords with co-workers.
The reasons typical technology controls will not work in the full DLM process are:
  • Products are not geared to protect the full life cycle of customer records
  • Most solutions and processes are outward facing, based on perimeter security
  • Encryption can affect data management
  • Real-time intrusion detection and remediation is rare
  • Context and intent of messages are not analyzed properly
  • Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
  • New technologies can avoid security measures
  • Technologies look at the network, the operating system or the application not the data across all environments
  • Not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of how this can have a practical effect is the Massachusetts Privacy Law 201 CMR 17.00. Loss of data can have a great financial impact under this law. Key things we need to consider include:
  • Penalties: Not complying with regulations can cause civil and financial penalties
  • Confidence: Loss of customer confidence because of a customer data breach can cost you customers
  • Reputation: Damage to reputation will lose customers and damage relationships
  • Competitive Advantage: Information and customers can move to competitors
  • Costs: The Ponemon Institute’s 2008 annual study put the average cost at $6.6 million per breach.
  • Valuation: Decreased stock prices could result