Information Security Gurus and Marketing Professionals are often at odds with each other in the business realm. Marketing used to be primarily a print and face-to-face business function. Thanks to the overhaul of standard marketing strategies, marketing has grown new roots on the web and has found itself buried deep within social networking sites like LinkedIn, Facebook and Twitter. An online footprint is critical for businesses to reach the masses in today's competitive environment, but the potential loss of client data and the security threats to your network are daunting.
Ann Carroll, the Director of Marketing for Hancock Askew & Co., LLP Certified Public Accountants in Savannah, Georgia, puts her marketing needs like this: "Social networking is the newest frontier in marketing. If companies are not already active in social media, they are already behind the curve. There is a certain demographic that wants to communicate through this medium, and we'll lose them if we don't participate." When the request for access to these sites stems from an authentic business need, where do companies draw the line between marketing savvy and data security? How do we, the Paranoid InfoSec folks, establish reasonable rules and boundaries? It seems that everyone within a company, managers and subordinates alike, has multiple social networking accounts. What prevention methods will be used to ensure our company's or client's data isn't compromised? Who is going to monitor our company's Facebook account for appropriate business content while assuring client anonymity?
Michael Brooks, Publisher and Creator of the South Magazine, states, "It is not a case of whether we will use them (social media sites); it is how extensively we will and how much time we will invest into each. We look forward to these social medias developing further in order to make this type of outreach more of a science."
With my network's security in mind, my initial thought was to shut it all down and block the popular social networking sites while on our domain. It is an easy fix with our firewall, presenting a nice little warning to our users, something to the effect of, "Not on our clock!" Why allow users to put our network at a higher risk of exposure to phishing attempts, spam and drive-bys from various extracurricular website activities? What happens when your users are home, on their personal computers, posting what they had for breakfast and griping about the daily grind at the office?
My suggestion is this: together with your management, assess what level of risk they are willing to accept when using social media as a marketing tool. Establish a firm-wide policy on social networking. Outline the consequences of non-compliance and then enforce it. This will not be a one-size-fits-all scenario. Be aware that staff at all levels are diving headfirst into these sites with little knowledge of the threats that await them. Educate your users; even your most well-seasoned executive probably has a Facebook account that is completely exposed. Encourage users to err on the side of caution when posting personal information and data that might reveal confidential client or company information. Employers should clearly identify what information is to be kept undisclosed or confidential.
Finding the acceptable level of risk that still allows participation in the burgeoning growth of social networking in the business realm is the key to a symbiotic relationship between your Paranoid Information Security Staff and your Go Get 'Em Marketers.