For many companies, social media has become a vital tool that supports many business processes. Social media interactions, both internally and externally, can be used to build the brand, improve the company’s reputation and customer loyalty, hire talented staff, mobilise the collective knowledge of employees, shorten the development cycle, and improve the responsiveness of technical support processes.
HR managers look for job candidates on LinkedIn and XING, R&D teams publish their development guides on corporate Wikis, and technical support personnel use instant messengers to discuss in real-time critical issues with the product. Even CRM, by its very nature is based on a set of social communications profiled to the specific needs of the business.
The incredible progress of consumer electronics has led to the consumerisation of corporate IT and has given rise to the phenomenon of “bring your own computer” (BYOC). This is another reason why social media communications are unavoidable in the enterprise. It’s nearly impossible to stop people from posting to blogs, chatting, and looking at their favourite social networking sites from their own personal laptops and smartphones when using them for business purposes.
However, along with the benefits social media brings to businesses, it also introduces several problems. As confirmed by a recent survey on social media risks by the Ponemon Institute, in addition to reduced employee productivity and network bandwidth, as well as exposure to inappropriate content, the use of social media in the enterprise has increased two information security threats – virus or malware infections, and leakage of confidential information.
The infections occur when employees download files and data to the computers they use for business purposes. Data leaks happen when employees accidentally or deliberately send valuable corporate data to destinations outside of the organisation’s network borders.
While it’s clear that anti-virus software can effectively mitigate the malware risk, the threat of data leakage is not very well addressed, and the specific social media-related leak scenarios are not properly understood. The question that many Chief Information Security Officers are currently concerned with is how to fight this threat.
First of all, a well-developed acceptable use policy for social media is a prerequisite for successfully securing social media in a corporate environment. However, mistakes, curiosity, negligence and misconduct are an unavoidable part of human nature, and consequently even the best social media policy will often be disobeyed.
This is why, in addition to organisational measures, CISOs need to choose and deploy a security solution that can effectively prevent sensitive corporate data from leaking out of employee endpoint computers through their personal and business social media communications. The challenge is doing this without entirely blocking social media sites and services, as this could impair staff productivity and affect staff morale.
This kind of solution requires the ability to differentiate between personal, corporate, public and confidential information in social media exchanges, so it must be data-centric and content-aware. Besides, as legitimate social communications (i.e. those in accordance with the social media policy) must not be affected, the solution has to make its decisions and enforce them immediately, which implies the use of real-time content analysis methods. Among many existing IT security technologies, the only one that truly satisfies this set of requirements is data leak prevention (DLP).
Today, there are many DLP solutions available on the market, and which one would be more efficient for securing social media in a particular organisation mainly depends on the following criteria.
Firstly, a balance should be achieved between the set of social media services the organisation needs to control and the breadth of social media coverage provided by a DLP solution. Generally, the more services controlled by the solution the better, but at the very least the most popular social networks and instant messengers should be covered including Google+, Facebook, Twitter, LinkedIn, XING, LiveJournal, as well as Skype, ICQ/AOL, Windows Live Messenger, Jabber, IRC and Yahoo! Messenger.
The second equally important criterion is how much control the DLP solution offers over various data leak channels, based on the way the organisation uses social media. For example, social communications by employees from their office desktops, including exchanges within the organisation and with the Internet, can be fully content-controlled by DLP gateways residing on the corporate network perimeter.
At the same time, due to the ubiquity of modern wireless networks, the use of mobile endpoints such as laptops and increasingly, smartphones and tablets, creates a worst-case scenario for social media security in organisations. This is because an employee’s personal or corporate-owned endpoint, even when used inside the office, can easily bypass not only its perimeter security but the entire corporate network by connecting to mobile 3G networks or even nearby external Wi-Fi access points. This equally applies to their remote use, whether on a business trip, visiting customers, or working from home.
The inability of network-resident security solutions to control mobile endpoint communications means organisations have to enforce controls over social media directly on the protected mobile computers by using software DLP agents. Running on the endpoint, the DLP agent analyses and filters the content of all social media exchanges according to the corporate security policy – regardless of where and how the endpoint is connected to the Internet or to the corporate network.
However, with Android and iOS-based smartphones and tablets, the situation around social media control today is not as good as with Windows or Mac laptops. This is because porting DLP agents to Android and iOS is currently impossible without jailbreaking (or rooting) the operating system, which is an unacceptable method for the corporate IT security. However, over the next couple of years, several innovative cloud-based security solutions are expected to become available on the market that will protect corporate data from leaking through social media communications on smartphones and tablets.
When evaluating how well a DLP solution covers your social media channels, it should not be forgotten that most popular social media networks, such as Google+, Facebook, Twitter and instant messengers, use standard (e.g. HTTPS, FTPS) or proprietary (e.g. Skype) encryption to secure network communications between the endpoint and the social website or peer endpoint.
It is crucial that endpoint DLP agents can intercept these communications in a way to extract the transferred data in plain form and filter its content. In some cases, this interception can only be implemented at the endpoint, as opposed to the DLP gateway. An example of this is when Skype’s encrypted instant messages have to be content-controlled.
Another key feature for ensuring all social media channels are covered is the DLP agent’s ability to control network communications that are redirected through HTTP and SOCKS proxies. Often, such proxying is used by end users or configured automatically, and if the endpoint DLP agent cannot intercept and analyse proxied communications, this creates an uncontrolled data leakage channel to and from the endpoint, significantly increasing the risks of data leakage and malware infiltration.
When both the breadth of social media coverage and the completeness of DLP channel controls are properly addressed, the chosen DLP solution will reliably prevent data leaks through social communications. In addition, by using data type filtering to block executable code from being downloaded through social media exchanges, DLP solutions can also reduce the risk of malware infiltration.