Guest Blog by Sam Raincock
So what is information security? Can anything be 100% secure? Security is about reducing the risks of something happening and managing the outcomes. Hence, information security is about minimising and managing the risks to information. This means that it doesn’t just include how you use your computer to store your files but also how your computer is stored.
Information security management considers the security of your data from your USB memory stick to your building. Information security implementation relies on people at all levels: from those building the systems, to those creating and maintaining the policies, and even to those attempting to infiltrate the systems. Hence, you can never provide a state of 100% security.
So what does information security management entail?
Well, in my opinion it is a process of progressive change which results in managed or reduced risks to a business – in essence it is about risk management.
This means security for any business is bespoke to that business since it will have its own unique set of risks. If you take a computer programmer working on a small company web site or a person producing a system to model the financial markets then the risks will be very different.
So what is an information security policy?
Information security policies are usually a set of documents which state the policies and procedures that should be followed in order to protect the business’ information. They may include documents such as a “password policy” which states how to use passwords effectively e.g. that re-using your business passwords or choosing passwords which are easily guessable (yes, your birthdate, car reg, baby’s name are guessable) are not permitted.
However, the main problem with security policies is that they are often just pieces of paper: once they have been signed off by employees and contractors (if the company even insists on them being signed), they are often forgotten about by all.
In my opinion, information security management is mainly about progressive changes over time, since the risks to a business will change as the business adapts and the threats vary and emerge. Hence, the policies and procedures have to adapt with the business.
I am also of the belief that information security is more about training than the policies (although, these should be there too). If you actually want to implement the procedures in your policies your employees/contractors have to understand and be on-board with them.
What is Social Media?
Social media consists of Internet-based forms of social interaction. It includes the following:
Forums (like Q&A sessions e.g. Forensic Focus)
Blogs (discussions and article posting e.g. WordPress)
Micro-blogging (character limited blog discussions e.g. Twitter)
Social networking (interaction with persons from similar groups e.g. Facebook, LinkedIn)
Chat programs (exchanging messages with one or more people e.g. Live Messenger)
Etc.
Simplistically, social media is any information being published on the Internet. It is often used by private individuals to interact with friends or by businesses as a marketing tool (or a bit of both).
So what’s the problem with Social Media?
People!
It’s important to remember that people often forget that anything on the Internet is potentially public information and that once it’s posted it can remain available forever (even if they delete it). Most people wouldn’t put pictures of themselves and their intimate details on a poster and place it on a lamppost. However, the Internet is equivalent to just this.
There are various ways in which social media can damage a brand. The main areas include:
Damage to the brand’s image caused by other people talking about it on social media in a detrimental way.
The use of social media detrimentally by employees/contractors of the business.
In the remaining part of this article, I will discuss social media risks in the context of business employees.
What are the threats to a business through employee ‘misuse’ of Social Media?
There are various threats to a business, for example:
A staff member discusses recognisable confidential information on their social networking accounts. They may not think of it as recognisable – for example, they discuss how they are putting together a package to launch on Friday. If a competitor knows this person is working on a particular project then they now also know the launch date!
A staff member names their employer on their social networking profiles and makes inappropriate comments or places inappropriate photographs on their profiles.
A staff member expresses their distaste for how the company they work for operates or treats its customers.
All of the above are examples of how social media could have a detrimental impact on a brand as well as reveal confidential company or client information, which could in turn bring legal risks to a business. There are also issues relating to staff spending work time on social media sites (when the business feels they should be working) and the fact that social media makes it easier to send information out of the company.
This sounds serious – we must make sure we get our staff to sign a set of documents about how they should behave when using Social Media? We need a Social Media Policy!
People are people. It’s up to a business to manage them effectively. If you bring in policies to block social network sites then what will your employees do? Well firstly, they are likely to become irritated and then come up with cunning plans – “I’ll use my mobile”. So procedures are great but management and education are the keys. Also going back to my original definition of information security management being about managing risks – is social media the largest risk to your business?
Should all businesses have a Social Media Policy?
I am of the opinion that the answer is no. A business needs to assess all of its risks to information security and deal with them according to need. For example, having a well implemented social media policy will reduce the risk in that area, but what about the business’ other risks? What about a legal business with confidential information lying around near windows, with poor building security, with limited and shared passwords on their computers and with no idea whether they have lost a laptop or USB memory stick because they cannot remember what they have given out? Do they need to worry about a social media policy? My view is that they likely have enough risks to address first.
It’s also about costs. Suppose a small business with 10 employees assesses the risk to their business from social networking as minimal, with the potential to cause them a £2,000 loss in business. If they then have to spend £3,000 on a security consultant to create the policies and provide the training to their staff, is it worth it? Of course it isn’t!
So are Social Media Policies useful?
Social media policies can be very useful to a business if it assesses this to be a worthwhile and cost effective risk to address. But it’s all in the implementation. My view is that requesting staff to sign a policy that they don’t understand, when they don’t appreciate the risks to the business, will achieve very little – in fact it could achieve the opposite when staff start tweeting about the business trying to police their freedom of speech in their own time. In such a situation, employees may not understand why the policy applies to them – after all, they are just tweeting about their own life, so what’s the problem with that? It’s nothing to do with their employer?
I believe it is all about education of employees and discussing with them what the risks are so that they understand why the business is implementing policies and procedures. It’s also an on-going process. If you teach someone one month they may need a reminder the next. In fact, my view is that this on-going education process should apply to all security policies and procedures.
Social Media Policies as the new Buzz?
Social media (and policies about its use) are certainly in fashion. People from all types of businesses are considering and tweeting about social media, its policies and procedures, and how businesses should be addressing them. However, my view is that it is vital not to get carried away. The largest risk to information in most businesses, in my view, is social engineering (manipulating or simply asking people to provide the required information). How many businesses really consider and test this and provide education to their employees? How many with social media policies have social engineering ones?
Social engineering is perhaps an article in its own right, and is my new buzz…
Sam Raincock, BSc, MSc, CCE, MBCS, CEng MIET
Sam Raincock Consultancy
Sam Raincock is an IT Security Consultant specialising in providing expert witness services in IT and Telecommunications as well as Information Security Management implementation, assessments and auditing.
sam@raincock.co.uk
01429 820131
http://twitter.com/SamRaincock