Secure computing: Five social media risks

Thursday, June 10, 2010 @ 05:06 PM gHale


As social media becomes more common in the workplace, it brings significant risks with it.
ISACA, formerly the Information Systems Audit and Control Association, which researches IT governance and control, released a study on the top five risks posed from social media.
The top risks are viruses and malware, brand hijacking, lack of control over corporate content, unrealistic expectations of customer service, and noncompliance with record management regulations.


The point of the study is not to scare companies away from these tools, but to get everyone working from the same page: have a plan in place, and understand the benefits along with all the risks.
Most of the risks, according to the study, stem from users not understanding how their own behavior can affect the company. Organizations need to educate users on how a single post can breach company security, damage the company's image or even expose the company to malware.
Workers who use social media also need to understand the line between social and business use, and they need corporate guidelines setting out what information they may share and what must stay inside corporate walls.
Company executives also need to be aware that workers are using social networking sites, and leaders need to keep track of what is being said there in order to protect the enterprise.
The elements identified in ISACA’s Business Model for Information Security (BMIS) present a foundation for professionals to ensure people are managing risks appropriately:
1. Strategy and Governance
• Has the enterprise conducted a risk assessment to map the risks that the use of social media presents to the enterprise?
– The risk assessment should evaluate the planned business processes for leveraging social media and also the specific sites.
– The risk assessment should undergo review whenever there are substantive changes to the social media resources in use, and whenever the enterprise adopts new ones.
• Is there an established policy (and supporting standards) that addresses social media use?
– Policies and standards should define appropriate behavior in relation to the use of social media.
• Do the policies address all aspects of social media use in the workplace — business and personal?
– Policies for social media should address four specific areas:
• Employee personal use of social media in the workplace
• Employee personal use of social media outside the workplace
• Employee use of social media for business purposes (including from personally owned devices)
• Required monitoring and follow-up processes for brand protection
2. People
• Have all users undergone effective training, and do users (and customers) receive regular awareness communications regarding policies and risks?
– It is imperative all users understand what is (and is not) appropriate and how to protect themselves and the enterprise while using social media.
– Customers who will be accessing an enterprise social media presence will need to understand what is an appropriate use of the communication channel and what information they should (and should not) share.
3. Processes
• Have business processes that utilize social media undergone review to ensure they align with policies and standards of the enterprise?
– Unless business processes align with social media policies, there is no assurance they will not expose sensitive information or otherwise place the enterprise at risk.
– Change controls should be in place to ensure changes or additions to processes that leverage social media align with the policy prior to implementation.
4. Technology
• Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media?
– Most of the technical risks presented by social media are the same ones presented by malicious email and ordinary web sites: malware delivered through links, attachments and downloads. IT should have network-based and host-based controls in place to mitigate the risks presented by malware.
– Suitable controls can include download restrictions, browser settings, data leak prevention products, content monitoring and filtering, and antivirus and antimalware applications.
– Appropriate incident response plans should be in place to address any infection that does get through.
• Do technical controls and processes adequately support social media policies and standards?
– The enterprise should verify that any required technical controls are present and functioning as expected, or that there are clear plans, with timelines and the required budget, to reach the specified capability.
• Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites or other disparaging postings that could have a negative impact on the enterprise?
– While scanning for such material can be onerous, the enterprise needs a strategy to address this risk. Vendors offer this as a service, and that is generally the best option for enterprises that deem such monitoring necessary.
– This risk exists regardless of the enterprise’s active use of social media.
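The "content monitoring and filtering" and "data leak prevention" controls the Technology section lists are easier to picture with a concrete check. The following is an added example, not code from the article or from ISACA: a pre-publication scan of a draft post that holds it for review if it carries payment card numbers, internal email addresses or hostnames, classification markers, or project code names. The domains, markers, code names and sample posts are constructed assumptions standing in for an enterprise's own classification scheme.

```python
"""Outbound content check for draft social media posts.

Added example, not from the original article or the ISACA study. Models a
content-filtering / data-leak-prevention control: a draft post is scanned
before it leaves the enterprise and held if it carries material that policy
says must stay inside. All domains, markers and code names are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed policy data (hypothetical): an enterprise would load these from its
# own information classification scheme.
INTERNAL_DOMAINS = ("corp.example.com", "intranet.example.com")
CONFIDENTIAL_MARKERS = ("internal only", "confidential", "do not distribute")
PROJECT_CODENAMES = ("project bluefin", "project kestrel")

# 13-16 digit runs, optionally separated by spaces or dashes, are card
# candidates; the Luhn check below weeds out most phone numbers and order IDs.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # which policy rule fired
    evidence: str  # the offending text, shown to the reviewer


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_internal_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def scan_post(text: str) -> list[Finding]:
    """Return every policy finding in a draft post (empty list means clean)."""
    findings: list[Finding] = []
    lowered = text.lower()

    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("payment_card", m.group()))

    for m in EMAIL_RE.finditer(text):
        if _is_internal_host(m.group().split("@", 1)[1]):
            findings.append(Finding("internal_email", m.group()))

    # Blank out emails first so their domain part is not reported twice.
    for m in HOST_RE.finditer(EMAIL_RE.sub(" ", text)):
        if _is_internal_host(m.group()):
            findings.append(Finding("internal_host", m.group()))

    # Substring matching is deliberately conservative: "confidentiality"
    # also fires, and a reviewer clears false positives.
    for marker in CONFIDENTIAL_MARKERS:
        if marker in lowered:
            findings.append(Finding("classification_marker", marker))

    for name in PROJECT_CODENAMES:
        if name in lowered:
            findings.append(Finding("project_codename", name))

    return findings


def is_allowed(text: str) -> bool:
    """Policy decision: a post with any finding is held for human review."""
    return not scan_post(text)


if __name__ == "__main__":
    # Constructed sample draft, not a real post.
    draft = ("Quick update: Project Bluefin slips to Q3, details on "
             "wiki.corp.example.com (internal only). Card on file is "
             "4111 1111 1111 1111, ping jane@corp.example.com")
    for f in scan_post(draft):
        print(f"{f.kind:22} {f.evidence}")
```

The check is a gate, not a verdict: anything it flags goes to a reviewer rather than being silently dropped, which keeps false positives (a word like "confidentiality" in a perfectly fine post) from blocking legitimate business use while still catching the careless paste of a card number or an intranet link.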
