Does social networking breach the walls of your network security? As social media permeate the business world, the need to defend against data leakage and malware grows more urgent.
Maybe your company already does "social business," recognizing that blogs, Twitter, and YouTube are vital to its sales and brand.
Most likely, your employees do social networking.
When employees tweet, blog, and post, who do they give information to? Much of the data they place on social sites is posted publicly. Other data goes public virally. The information is always retained by the site sponsor, for days or years. It may also be tracked by government agencies. Data does leak, and secrets are given away.
What do employees get from social media? Sometimes it's more than a relationship built on the comments, photos, or videos they share. Too often, they get malware: viruses, phishing, smishing, worms such as Koobface, and other malicious code.
Social network websites are a top target of cybercriminals because the sites are so lucrative. They present huge numbers of users, and the users are prone to trust and respond to the content—accepting invitations, entering account or other private information, and clicking on links. Criminals exploit this trust to automatically steal data, money, or computing resources.
A Protection Primer
Like web security overall, social media security is complex and always evolving. You can inform yourself with resources such as http://tools.cisco.com/security/center/home.x and http://socialmediasecurity.com/, and by monitoring the privacy policies of social media sites. For starters, here are some recommendations for how a small business can defend itself.
1. Ensure That Users Frequently Update Their Applications
2. Build Security into Your Network
Apply protection designed specifically for the way you do business; your value-added reseller (VAR) partner can help you determine the best tools and configurations. The ideal tools simplify the use of multilayer security technologies that offer protection both within and beyond your network perimeter; here are some that are priced for small businesses:
- Security appliances such as the Cisco SA 500 Series Security Appliances combine a firewall and more comprehensive security in one simple-to-manage box. For example, they can integrate Cisco cloud-based email and web security as well as intrusion prevention system (IPS) software. For businesses that require more granular control or regulatory compliance, Cisco ASA 5500 Series Adaptive Security Appliances can analyze and report on traffic down to the packet level.
- IPS software can automatically detect and block certain types of network connections or traffic, such as peer-to-peer and instant messaging (IM). And if external attackers sneak past your firewall, the IPS can prevent them from gaining further access or control.
- Hosted services offer protection transparently "through the cloud." For example, Cisco ProtectLink Gateway works at your network's Internet entry point to assess the reputation of each website that employees visit, block undesired websites, and dynamically filter content and email. Cisco ProtectLink Endpoint focuses on safeguarding PCs from malware, and can prevent PCs without updated security from accessing the Internet.
- Routers such as Cisco Small Business Routers have a basic firewall built in; most also support the Cisco ProtectLink Gateway service.
3. Block or Limit Employee Access to Sites
Most employees expect their workplace to provide Internet service. Yet their personal social networking can eat up productivity and bandwidth.
One defense is to ban usage altogether. A more realistic approach is to control what types of sites can be accessed, and when. For example, you could use Cisco ProtectLink Gateway to confine social network site access to lunchtime.
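The decision logic behind a "social sites only at lunchtime" rule, as an added example that is not Cisco ProtectLink Gateway configuration or code. The domain list, the 12:00 to 13:00 window, and the function names are assumptions chosen for illustration.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed sample policy: domains treated as the "social networking" category
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "youtube.com"}
# Assumed lunch window in local time; the end bound is exclusive
LUNCH_START, LUNCH_END = time(12, 0), time(13, 0)


def host_of(url):
    """Return the lowercase hostname of a URL, without a trailing dot."""
    if not url.lower().startswith(("http://", "https://")):
        url = "//" + url          # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_social(host):
    """Match whole DNS labels, so 'm.facebook.com' is in the category
    but 'notfacebook.com' is not."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in SOCIAL_DOMAINS for i in range(len(labels)))


def decide(url, when):
    """Return 'allow' or 'block' for a request made at datetime `when`."""
    host = host_of(url)
    if not host:
        return "block"            # unparseable destination: fail closed
    if not is_social(host):
        return "allow"            # this rule restricts only the social category
    in_window = LUNCH_START <= when.time() < LUNCH_END
    return "allow" if in_window else "block"


if __name__ == "__main__":
    # Constructed sample requests
    for url, hhmm in [("https://www.facebook.com/feed", (12, 30)),
                      ("https://www.facebook.com/feed", (9, 0)),
                      ("http://notfacebook.com/", (9, 0)),
                      ("https://twitter.com@example.org/", (9, 0))]:
        print(url, hhmm, decide(url, datetime(2024, 1, 10, *hhmm)))
```

The hostname is taken from the parsed URL rather than matched as a substring, so a URL that merely contains a social site's name in its userinfo or path is judged by its real destination.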
4. Educate Employees and Create a Use Policy
Security's wildcard is human behavior. To defend against data leakage and malware, establish a company policy and educate employees on their responsibilities. The key messages for social networking sites are:
- Customize; never default. Reset the default privacy settings on your accounts to control who can see what, how your information can be searched, and which applications you'll enable (news feeds? links to ads?).
- Be an elusive target. Create a unique password for each site, make each password strong, and change it every 90 to 120 days. Consider using a password management solution.
- Post content judiciously. Don't share anything that you wouldn't want seen by any member of the public, including a competitor, investor, or potential employer. Combat identity theft: Never offer private information to anyone via social networking.