To Tweet, or Not to Tweet, That is the Question...

Sunday, August 19, 2012

Christopher Laing


Using social media and the internet effectively and appropriately can bring huge business benefits to small to medium enterprises – these benefits can include improved communications with customers, clients, and suppliers, almost immediate access to data and information, and via social media, it also offers the potential to find new business opportunities. 

However, as with all technologies there are also potential problems – giving your employees access to your broadband connection (with possible download speeds greater than their home connection), may disrupt your business activities.

In the majority of cases this disruption will be relatively minor – employees surfing social network sites, or using your service provider to send personal emails. In other cases, this disruption can be severe, and may have dire consequences for your business's financial well-being and reputation.

Examples of employee activities that threaten your business are the downloading and opening of social media attachments and Internet files that contain malicious software, and the electronic delivery/distribution of business sensitive information without encryption. 

This may be done either accidentally, or deliberately by a disgruntled employee – however, whatever the cause, these activities pose a serious threat to the security and reputation of your business.

How do you protect your highly confidential data?

An employee of a local service provider, while browsing their social media site, inadvertently downloaded and installed some malicious software. This malicious software exploited an unpatched vulnerability in the PC's operating system, which allowed an attacker to remotely access the company's system and steal confidential customer data. The company only realised that there might be a problem when a number of their customers began to complain of 'cold calling' activities from one of the company's competitors.

Do you have an Internet and Social Media Acceptable Use Policy?

Acceptable use policies detail what you would consider to be acceptable and appropriate use of company Internet resources by your employees. Such policies are normally attached to the standard terms of employment, and they ensure that all employees are aware of their Internet and social media responsibilities – in particular, the use of company Internet resources for personal purposes.

The wording of such policies is up to you as the employer, and there are plenty of examples, but in general they cover the sending or storage of 'tweets' that are obscene, racist, sexist, defamatory, or in breach of copyright. A policy may deal with the opening of attachments and the sending of confidential data; it could also cover accessing inappropriate websites, and the downloading of obscene, racist and sexist material.

The policy should also outline the consequences of not following its terms and conditions – in particular, that any breach of the policy may result in some form of disciplinary action, and ultimately in dismissal. The policy should also cover employees that use company equipment off-site, i.e., when working at home or when working in a client's office.

You may decide that monitoring your employees' social media and Internet usage is appropriate – in such cases the acceptable use policy must state the circumstances (when, how, why, by whom, and what the implications are) under which such monitoring will be undertaken.

This approach is complex, difficult, and fraught with legal ramifications if something goes wrong, and should only be undertaken in consultation with legal and specialist digital security professionals.

Jackie Singh:

I think the question of whether people should be allowed to access social media/other personal resources from their workplace while using employer resources should be pretty clear.

AFAIK "Availability" within the CIA triad doesn't actually translate to "Availability to resources that have nothing to do with my job".

Overly harsh? :)