Three steps to assessing and managing social media risks

Social media has gained a tremendous amount of buzz in recent years for its potential to accelerate a company's marketing and brand-building efforts. For that reason, many firms became early adopters of corporate Facebook, LinkedIn and other social media accounts, which opened a host of interactive portals through which they could converse with customers, investors and prospective employees.

However, manufacturing leaders are not rushing to the platform to catch the social media train. In fact, a 2011 GlobalSpec study on social media use in the industrial sector shows that only one in four manufacturers has a corporate Facebook account, and only about 15 percent use LinkedIn as a corporate marketing tool. That lags well behind social media adoption in the broader small and midsized business sector, according to a recent MerchantCircle survey of senior leaders.

The relatively slow rate of social media adoption by manufacturers does offer a silver lining. Executives can watch the experiences of companies in other market sectors first, which makes room for a robust discussion of the security and risk-management issues social media can generate before committing. Following is a high-level list of key social media risks that involve employees, along with basic tactics to mitigate potential threats.

Potential risk: Company reputation. A strength of social networking—the opportunity to engage in conversations with key audiences—can also be a potential pitfall. For instance, assume your company operates a Facebook page, and that a number of your employees have "friended" the account. If those workers post online comments or images that are malicious, inaccurate or just plain silly, the public association of such material with that Facebook site can directly affect your company's reputation. This also applies to personal social media pages, where reputational damage can occur if negative material referencing the company is posted by an employee or an online connection.

What to do: Awareness training is a critical part of any social media program. If your manufacturing business is preparing to ramp up its social media presence, consider developing a mandatory training module for all workers (including senior leaders). This session should cover key brand and reputation messages and examples of acceptable and unacceptable content. Training should also reinforce the idea that employees will be held accountable for what they say and post regarding the company, whether on company-sanctioned or personal social media sites.

Potential risk: Employees and "social engineering." According to a recent Forrester Research survey, 82 percent of large U.S. organizations report being "very concerned" or "concerned" about data leakage related to social media. A frequent point of entry for hackers is "social engineering," in which a bad actor will use an innocent or plausible social media communication as a guise to extract confidential information or gain access to a network. Here's an example: A follower of a company's Twitter account posts a message offering a free TV in exchange for taking a survey. When company employees follow the survey link, they're prompted to enter their username, employee ID and password to launch it, thus providing easy access to the company's systems. This scenario underscores the power of social engineering, in which the lure of a promised reward can often override an employee's good judgment.

While the success rate for such random identity theft events has fallen in recent years, due largely to increased publicity about Internet scams and better internal IT security management, more focused attacks are on the rise. As corporate social media sites have become more numerous, hackers are now scanning the publicly available profiles of senior executives, IT leaders, finance officers and other high-value targets. This allows the hacker to craft a very polished, credible communication whose goal is to trick a leader into a critical disclosure, such as access to financial systems, corporate networks or databases containing intellectual property. Sadly, the success rate for these carefully targeted attacks commonly runs greater than 60 percent.

What to do: Remember, all it takes is one successful social engineering attack for sensitive information to be disclosed—or for malware to enter your IT systems. In addition to aggressive monitoring of all corporate social media platforms, which can reduce spam and phishing attempts, make it an official policy for employees to report questionable or "too good to be true" social media messages to your company's IT security team. While random attacks are declining in effectiveness and generally can be well managed by existing IT security measures, targeted attacks require a different approach. Effective defenses combine non-technical measures, such as security awareness training for employees, with technical controls, such as limiting the rights of users on IT systems. The latter step can reduce the likelihood of a successful attack against the user via the web browser or other applications.

Potential risk: Technology limitations. In essence, social media has dramatically increased the "surface area" of a manufacturer's exposure to the outside world. Think of your company's cyber security as a house: Before social media, there were a limited number of online doors between the outside world and your company's internal systems. Those doors could be well protected with standard barriers such as spam filters, firewalls and web proxies. The barriers minimized threats from malware and third-party attacks, since they limited where users could go in the online world. Today, however, social media has created an almost infinite number of access points to the house, which cannot be easily defended by technological means.

As an example, assume an employee with a company laptop receives a message with an attachment from a "friend" on Facebook. The employee trusts this person because of prior interactions, but is unaware the individual is a hacker who has been nurturing the relationship in order to launch an attack. When the user opens the attachment, it allows malware to infect the system, giving the attacker access to the company's network. While this attachment would likely have been identified and blocked by traditional spam filters in the corporate email system, a social media platform is much more difficult to monitor. Similar attacks can occur when hackers send messages containing URLs for web pages that contain malicious code, which will infect systems when the web page is viewed.

Because messaging, attachments and link sharing are built into the platforms themselves, manufacturers are forced into an "all or nothing" choice—either preventing employees from accessing these sites, or allowing access and attempting to limit the risk via other technical methods. For the latter, anti-virus software often becomes the last line of defense. However, as recent attacks against companies like Google and RSA have shown, hackers have become quite proficient at producing new variants of malware that will not be identified by standard anti-virus software.

What to do: While the 2011 GlobalSpec survey revealed that up to 70 percent of industrial company employees could not log onto personal social media sites from work, the number of organizations that do allow access increases each year. Mobile devices such as laptops continuously move in and out of the corporate environment—meaning they have frequent threat exposure. To counter these risks, companies must go beyond static, reactive, "firewall-oriented" security controls in favor of a proactive approach. This includes a combination of enhanced security monitoring, extensive network segregation and isolation, network-based anti-malware devices and rapid incident response.

With the undeniable growth of social media, there is only one sure thing in cyber security: Assume your company's preventive security controls will fail at some point. Instead of focusing only on defense, the goal of your organization should be to detect and correct the issue before significant damage is done to your IT environment.