Comment: How to Make Social Media Safe and Secure

Social media can be a double-edged sword for most organizations
Social media: short of getting all your customers, vendors, employees, partners and prospects together in one room, there is no better way to directly interact with key people quickly and effectively. Not to mention that should you ever try the all-together-in-one-room idea, it would get out of control very quickly.

Social media makes keeping track of interactions more manageable and, of course, the internet allows for a variety of multimedia to be used and shared during any interaction. In this regard, one edge of the social media sword makes it a very useful business weapon.

The other edge of the sword is that social media is still a vast, uncharted, constantly changing environment that can sometimes make it difficult to use safely and productively. Not having the proper measures in place to guard corporate data, secure connections and protect against increasingly common malicious attacks via these channels can quickly make social media a losing proposition for any organization.

However, the fact of the matter is that plenty of companies use social media regularly, and to great effect. Similarly, more companies are accommodating ‘generation standby’ employees who expect to lead their social lives online throughout the work day in exchange for being expected to respond to work requirements after hours.

There are still potential pitfalls, but corporations that have allowed social media use have clearly not suffered as a result, which means they must be able to dull the potential problem edge of the social media sword. What kinds of security measures and policies have these companies created that you can follow to make social media safe and effective?

Three Things You Definitely Should NOT Do:
  1. Create a new rulebook: The first thing to know about social media security is that, at its root, it’s still web security. Many of the same best practices that work for effective web and email security work well for social media security. Perhaps the only somewhat-meaningful difference is that social media security might require a stronger emphasis on outbound security: social media, after all, is much more of a two-way street than typical internet traffic. Strong content management and filtering systems on the upload side of the connection are worth investing in so that corporate data stays where it should.
  2. Expect IT to do it all: Even the best IT team can’t understand the full requirements of every department in your organization. Just as you would with other security policies, enlisting managers from various departments will have the dual benefit of a) allowing the nuances of HR security or financial compliance regulations, for example, to be integrated into a more complete security policy, and b) not over-burdening the IT department by forcing them to judge what is acceptable or unacceptable behavior and make decisions that paint them as either overprotecting the business and stifling the free flow of information or under-protecting and allowing serious breaches to go unblocked. Share the load. Be more protected.
  3. Block it and forget it: Blocking specific URLs works in some cases, but it will never solve all of your problems. This holds even truer for social media, as it is one of the most rapidly evolving technology sectors these days. Take Facebook and Google, for example. Your company might not like the idea of allowing full access to Facebook, but might think Google applications are OK. But in the last few months, Google has experimented with a set of more social applications, most notably the now-defunct Google Buzz, which enabled many similar functions to Facebook. Blocking one site like Facebook might solve your problems one day, but before that day is out a rival social media site or service might launch with similar functions to the blocked site. Rather than wholesale blocking of sites, focus on security policies and systems that are more about the actual content being shared.

Three Things You Absolutely Should Do:
  1. Be clear: IT security has always had a mystique about it – the idea that it is best conducted in secret by those who might actually use the phrase “you’re on a need to know basis”. This is an outdated, ineffective way of approaching security. A UK retail giant had a hard time dismissing an employee over a blog post they claimed damaged the company’s reputation when he defended himself by pointing out that the company had no clear policy on blogging. If the point is to keep problems from occurring in the first place, then making social media, web, email and other security-related policies clear to employees is a more logical path to take. Bring security out of the black box.
  2. Be granular: Blanket security policies generally don’t work – even more so for social media. Many companies choose to assign ownership of interactions for certain online social mediums: one person for Facebook, another for customer forums, another for LinkedIn, for example. Not only does this mean that these people might need additional network privileges that others don’t, but the company might choose to share different kinds of data on LinkedIn than on Facebook. Different people. Different roles. Different sites. Different mediums. They all require different rules.
  3. Unify and simplify: We love smartphones because they let us do so much from just one device: talk, text, surf the web, email, listen to music – even access social media applications. Where possible, don’t complicate the issue of managing security across web, email, remote workstations, social media policies, etc., by trying to keep track of a different system for each. Increasingly common are unified solutions that can federate content-inspection and encryption policies in one place and create reports and new policies in real-time across all digital communications channels.

People are now accustomed to living their lives online while at work. To restrict the mechanisms that make this possible – social media – is not just detrimental to employee productivity and motivation but can also harm new revenue opportunities, as social media becomes an increasingly viable sales channel. And because social media is so new, it is often regarded as something that needs new tools, new rules and new people. In reality, it just requires more of the same strategies that have been proven to work already: policy personalization and transparency, involving more people in the security decision-making process, and integrating solutions as much as possible.

So, as you were, people.


Bob Pritchard is the vice president of Americas at Clearswift, which provides email and web security solutions to customers around the globe. Pritchard is a 20-year technology veteran, including past roles as VP of Worldwide Data Security sales at RSA, the Security Division of EMC², as well as executive roles at Oracle, Software AG, Venafi and Gradient. He is a graduate of the University of Massachusetts.
