Posted November 20, 2013
We’ve received some great feedback and questions from our recent webinar on “The Impact of Social Media on Information Security,” and wanted to share our responses with a broader audience. In this webinar, we discussed how social media websites and other user-generated content platforms can easily enable employees to leak sensitive information and data, and offered some advice for security professionals on how to deal with this. If you missed this event, you can view the on-demand version on our website.
How Do We Handle Problematic Employee Posts?
The first question was regarding how organizations can deal with malevolent, threatening, or irresponsible employee postings on social media. If a company finds out about a problematic post either directly or via a third-party service such as Cyveillance, can they discipline employees?
The short answer is that it depends on the seriousness of the issue, your social media policy, and where your company is based. In the majority of cases, simply bringing the issue to the employee’s attention and asking them to remove the offending content can both resolve the immediate concern and discourage the employee from posting sensitive content in the future.
However, in egregious cases, the ability to discipline employees may be tied to the company’s social media policy. In cases where companies have clear social media policies and can demonstrate that the employee is in violation, some have been able to take disciplinary action against employees. We recommend consulting your legal counsel for applicable laws, which vary by both country and state, as they may limit how, and how severely, you may pursue disciplinary action.
Should Enterprises Use iCloud?
Another question came from an organization that was evaluating the use of iCloud in the workplace and how this might impact data security. They wanted to know what the general consensus on using this technology was, especially if they had a liberal BYOD policy and users could sync devices and data with other accounts.
For legal, business, and security reasons, Cyveillance does not recommend using iCloud as part of enterprise business infrastructure. Both legal obligations and contracts with business partners can place restrictions on data within your organization. Reliance on cloud services for storing data can cause violations of these obligations, both by obstructing your ability to initially identify all instances of the data in question and by copying, deleting, or otherwise modifying data after holds have been instituted. In short, reliance on cloud services can diminish your ability to be compliant with your legal and business obligations.
On the security side, cloud storage poses its own set of challenges. First, once iCloud has been set up, it does not require two-factor authentication. Second, when iCloud syncs data across both personal and work accounts, it can be hard to control access to that data. This poses challenges for both managing access to data and ensuring the security of all devices that connect to iCloud. Another consideration is if and how various cloud services may make employees more vulnerable to zero-day threats.
Certainly, more organizations than ever are using cloud services. According to a study from Verizon, enterprises boosted their use of cloud storage by 90 percent over the 18 months ending June 2013. However, as recent breaches demonstrate, these services carry their own risks, and responding to security incidents will likely be much more complex.
Have There Been Military and Government Leaks Via Social Media?
One attendee asked if we had any examples of intentional or unintended leaks that came from military or high-level government staff posting to social media sites.
There are numerous examples of leaks, some of which have been very serious, as a result of military and government staff posting to social media websites. After all, the military is a large organization with a young workforce, most of whom have mobile devices and social media accounts. Even posts that might seem innocuous could be ripe for exploitation in the wrong hands. For example, a civilian stationed abroad invited people to join him for a game of basketball at a particular embassy. He publicly posted that if people who wanted to join him showed up wearing athletic clothes, the security guards wouldn’t stop them. It doesn’t take much imagination to see how this information could have resulted in a serious security breach for the embassy.
For more insights on this topic, we invite you to download our white paper.