As increasingly popular places to chat and post photos of family members and acquaintances, social networking sites can seem benign enough. But therein lurk socalled “friends” who, if you let guard down, could make you the victim of their next malware attack.
That’s a message you’ll hear from Steve Attias, a first vice president and chief information security officer at New York Life Insurance Company, who will be presenting here today at 3:15 p.m. in a session on: “The Information Security Implications of Social Networking.”
The session will explore a range of issues and potential remedies as social networking embeds itself in the corporate world.
“What I have to say is this: There is a lot of dangerous stuff happening in the social networking space,” reported Mr. Attias. “So deal with it. These sites are here to stay.”
The perils of communicating with families, friends and colleagues on social media sites—LinkedIn, Facebook, My Space and other portals—are increasingly a focus of the corporate IT community. The reason: These sites can be used as vehicles with which to spread malicious software or prod unwitting employees to divulge sensitive personal or corporate information.
The threat from bad actors has grown in tandem with the adoption of social media tools by the business community.
Many companies now use social media sites internally to collaborate on projects, recruit new employees, distribute information about products or services, arrange meetings and carry out other business functions. But the interactive nature of such media also makes users vulnerable to the kind of “phishing” attacks that have long been the bane of the Internet.
How to counter these threats? The first step, according Mr. Attias, is to ensure that technical safeguards, such as anti-virus or anti-spyware software and security gateways, are in place to block malware attacks. But he also stressed that businesses need to educate their employees about the dangers associated with social media sites. These sites are not generally viewed with the same wariness as, say, unknown sources of e-mail.
“We need to make people aware that social networking sites cannot be trusted any more than random e-mail,” said Mr. Attias. “The same tactics used to counteract phishing attacks also need to be brought to bear in the social networking space. These sites are not all bad, just as not all e-mail is bad. But you have to increase the awareness level.” In addition to education, companies can establish policies outlining how such networking sites are to be used—and, conversely, not used. Staffers should be instructed, for example, to avoid clicking on a link purportedly sent by a “friend” until the URL’s legitimacy is established by checking with the friend through regular e-mail. Companies should also communicate what information employees may divulge about themselves or their firms and how they can use social networking sites’ functionality to limit information to trusted or known contacts. For instance, instruct staffers to display their full bio and photo only to close friends and colleagues.
Rules of engagement also need to be imparted to administrators who are given responsibility for setting up and managing a Facebook or LinkedIn page for the firm. Staffers need to exercise discretion about the information they reveal on social networking sites, in part because they may no longer have control over the data they post.
“You can say, ‘I don’t want my photo to appear anymore on the site, so I’m going to remove it.’
But the site’s statement of terms and conditions may stipulate that personal biographical information, once posted, may be kept by the site owner. Once the information is divulged, there may not be much you can do to get it back.
However great the concerns about social media sites, corporate IT professionals should be careful not to establish policies that are overly restrictive or that prohibit their use altogether,” cautioned Mr. Attias. He observed that some companies have established portals that mimic popular social networking sites but that restrict access to company employees. These initiatives have garnered mixed reviews.
“Many Generation Y staffers have said, ‘All of my content and the colleagues with whom I share intellectual knowledge are on Facebook or My Space. So why would I want to duplicate that knowledge on a company site?’” explained Mr. Attias. “Companies really need to think seriously about whether it’s worth the time and expense of setting up their own social media site.
“We in the IT community have to be pragmatic,” he concluded. “We have to be able to communicate with new constituents who have fallen in love with these on-line tools. That’s where they all hang out. And the new producers we hope to recruit will come from the same community.”