Managing Social Media for Network Security - Page 2

 By Brian Proffitt
Page 2 of 2   |  Back to Page 1
Print Article

Social networking security policies: Should you ban?

As a networking manager, it's not your responsibility to keep employees safe from harm on their own time. But there are some policies you can consider implementing that will decrease the size of your network's attack surface and--if implemented with a fair dose of training--will also keep your co-workers safe on their own machines.

One policy that bears exploring is the straightforward banning of social media activity on your network. That may indeed be necessary, if your organization's Internet policy already discourages personal use of company assets. It's a little hard to police that kind of policy on email, since you can't really tell what messages are personal or business without treading into privacy waters. But unless the user is with sales or marketing, it's a pretty reasonable assumption that they aren't on Facebook or Foursquare for business reasons.

Of course, this won't make you popular, and it doesn't address the larger problem of social media: it's still very easy to phish for information across social media networks. Phishing attacks are rampant on all forms of communication, but they are especially troublesome on social media because it's not that hard to fool someone. If open source guru Simon Phipps tweets me a link from @webmink, will I notice that it's really from @webmink2 before I click the link to a fake login page? Hopefully yes, but if I'm not paying attention, I could just as easily be fooled.

Education and password management

Most experts agree that a two-pronged solution is needed to control the size of the social media attack surface in your organization.

The first is purely an educational tactic: deliver the message to users that if they are using social media, they must never assume that a link or software download is actually from a friend--even if it's from their friend's account. They need to challenge such receipts and confirm that the package was indeed intended to be delivered.

The second approach is to enforce better password management. This is partly educational, since you will need to convince users that it's in their best interests to have different passwords for each network and service they visit anyway. But you have some control over this, as well: Implement a password policy that will enforce a password change every month. Even if the user has used like passwords across multiple sites, it is very unlikely that will continue to be the case after a month or two of resetting passwords on your network. They may still have a problem with a single password for multiple sites, but your network won't be one of them.

On the broader problem of social media as a corporate attack surface, make sure you impress upon the people in your organization who do use social media to do their jobs that care should be taking in sharing information about the company or its employees. Social media is a great tool to reach customers, but it's not just your customers who are listening to what your company has to say. Think about risk in every corporate statement, even a tweet.

Brian Proffitt is a technology expert who writes for a number of publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 20 consumer technology books, including the most recent Take Your iPad to Work. Follow him on Twitter at @TheTechScribe.

This article was originally published on Feb 4, 2011
Get the Latest Scoop with Networking Update Newsletter