I recently had the pleasure of interviewing Ben Rothke, Senior Security Consultant for BT Global Services, which provides managed networked IT services on a global level for many of the world's large multinational corporations in a number of key markets.
An accomplished security professional, Ben focuses on developing risk management strategies by securing IT assets for domestic Fortune 1000 and FT 2000 companies. His current industry certifications include CISSP, CISM, CISA, CCO, SITA, CGEIT, and CRISC.
Ben specializes in the financial services, energy and aviation sectors and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).
He also writes a monthly security book review for Security Management magazine and is a member of the InformationShield ‘Information Security Policy Expert Panel'.
He is a frequent speaker at industry conferences such as the upcoming RSA 2011 Conference, where he will be speaking on What Happens in Vegas Goes on YouTube: Security and Corporate Social Networks, which is being held at San Francisco's Moscone Center from February 14-18, 2011.
Ben's webinar presentation, titled Information Security and Social Networks, is one of the best overviews of corporate social networking security issues in the industry to date.
Aside from providing highly actionable information for the crafting of social networking policies, the webinar raises many questions about the future of social networking a business tool, and is the basis for the following interview:
Q: Should employers encourage employees to use personal social network accounts for business functions?
Like most answers to general information security questions, the response is it depends.
The military and many R&D firms have a more closed-minded approach to their employees and staff using social networks, for understandable reasons.
Firms like Starbucks and Google have a much different approach, which makes complete sense given their business model.
Business social networks are mainstream, but that does not mean that it is right for every business.
As Natalie Petouhoff of Forrester Research noted "social media isn't a choice anymore - it's a business transformation tool". With that said, firms that have not yet embraced social media need to approach it in a cautious manner; rather than blindly drinking it like Kool-Aid.
Q: How can companies fairly differentiate employee social networking activities from those of the business?
For the most part, it is about awareness and strategy.
Companies must take an even-handed approach. If they come down too hard, they will alienate trusted employees, and may in fact be prohibiting them from exercising their Constitutional right to free speech.
But when those doing the blogging are senior executives, board members, those that can officially speak for the firm, then that requires a different approach.
It all comes down to an effective and clear social networking guidelines. Without those guidelines, data breaches are inevitable.
Also, those guidelines have to include the entire spectrum of social networking; from blogs, wikis, social networks, to virtual worlds and other social media forms.
Q: What about social media outlets like LinkedIn and Plaxo that blur the line between private and professional networking activities?
In fact, since they are more business oriented, greater awareness is required.
On Facebook, someone may ask you what you favorite movie is.
On LinkedIn, they will ask you about corporate direction, R&D, merger activity, etc.
Companies need to know that they shouldn't shun social media for fear of bad end-user behavior. They need to anticipate it and formulate a multilevel approach to policies for effective governance of social media.
Q: If employees are encouraged to set up and utilize social media accounts while "on the clock" - who ultimately owns the social media account?
It depends on how the firm words their social media guidelines and policies.
Clear guidelines and policies, reinforced in awareness training, will remove any ambiguity, and protect the firm's proprietary content and intellectual property.
This is not a trivial issue and this is something that legal and HR has to be heavily involved with.
Firms that don't have such wording in their social networking guidelines may find their legal recourse is limited.
Q: Are social media account "connections" developed on the job then equivalent to the old Rolodex, and should they be considered to be proprietary information of the employer?
Pretty much a day and night difference.
A friend in the real world is someone you picks up from the airport when they wake you up at 2AM.
A Facebook friend is more like someone who you sat next to on a bus once.
As to the information, it can be proprietary, but it may often obviate the benefits of social media.
Anyone can see who the over 1.5 million JetBlue followers are. JetBlue knows that many of their competitors can get that information. But they mitigate the risk by providing superior customer service and value pricing.
Q: When a company defines policies related to data classification, are they inadvertently exposing themselves to additional risk by drawing attention to critical information elements?
If that was the case, then Brinks would take money to banks in a gray minivans.
I have not been involved with or heard of a single company that increased their risk by deploying a formalized data classification program.
Companies that are serious about securing their confidential and proprietary data via classification will have no problem labeling things as confidential.
Q: Can an enterprise with hundreds or even thousands of employees reasonably expect to be able to protect themselves from risks due to the aggregation of critical proprietary information exposed via their employee's social networking activities?
Companies that understand the risks and benefits can do that.
These companies have no qualms about giving hundreds or even thousands of employee's expensive laptops.
But the issue of aggregation is something that should not be ignored. The power of aggregation and data correlation is that seemingly trivial and irrelevant bits of information can get collected to form large information set.
It all comes down to training, awareness, management and monitoring. Companies that are in control of those 4 areas are able to maximize the benefits of social networking, while controlling the risks.
Q: Does the level of resources required to adequately define policies, implement controls, provide training, conduct monitoring and profile assessments of employee social networking activity ultimately outweigh the commercial benefits?
It depends on how important social media is to the firm.
Firms such as Dell, Cisco, JetBlue, General Motors, Hilton, Wells Fargo and many more have embraced social media. They know the risks, and they know the rewards. So for them, it is a no-brainer. That may not be the case for every company.
Q: Anything else you would like to add?
As a follow-up to the previous question, it is important to note that social media is not free.
While there are many aspects of social media that are available without charge, Twitter, Facebook, YouTube and the like; companies need to see social media as an investment. A good investment requires principal. But that principal can create significant dividends.
The following are relevant points to close with.
- Social networks are not a fad
- Firms must create a social networking strategy to reap any benefits
- They must have a realistic understanding of the risks and benefits of social networking
- Finally, from a security perspective, it is critical to understand the unique challenges with social networks and factor them into decision on when and how to proceed
* * *
Infosec Island is proud to be a Silver Media Sponsor for the illustrious RSA Conference 2011, and we are excited to announce we will be giving away five full-access passes to the event (click here for details on eligibility).
Join us at San Francisco's Moscone Center from February 14-18, 2011 for RSA's 20th Anniversary conference.
The RSA Conference continues to play an integral role in keeping security professionals across the globe connected and educated. The focus on cyberthreats grows each day, and RSA Conference is the educational and training environment to prepare you to meet these challenges head-on.
Infosec Island is committed to serving the needs of SMBs and mid-market enterprises across many industries, including education, legal, financial, healthcare, government agencies and the information security community at large.