The postings on this site solely reflect the personal views of each author and do not necessarily represent the views, positions, strategies or opinions of IBM or IBM management. IBM reserves the right to remove content deemed inappropriate.
The risk of social? It all depends
Colleen Burns 120000C4RP firstname.lastname@example.org | | Tags:  security social_business sarah_carter social actiance
0 Comments | 9,672 Visits
The risk of social depends on who you are and what you’re doing
I certainly know that the stakeholders involved in many of the organizations that I work with include the following departments and roles, in no particular order:
Let me start this series with the roles of IT and Security, which while distinctly different, I’m going to group together in the interest of time. These departments are concerned with two primary categories of risk – inbound and outbound threats to the organization. We’ll start with the inbound risk.
We are all exceedingly well trained in the area of email risk. You are in the minority if you’re the individual that first of all sees the vast majority of email spam, and in an even smaller minority if you actually 1) reply to the emails from the individual purporting to have billions of dollars salted away in <insert exotic sounding foreign country> with a requirement to move some percentage of that to you in return for your assistance; 2) click on the link in the email that promises you riches/beauty/possessions beyond your wildest dreams. We, as users, are well trained; because folks, the email security industry has been training and protecting us for more than 10 years now. That’s right, it was 1999 when the Melissa virus hit and the I love you virus followed quickly on her heels. Since then an industry was created, grew up and matured and protected us from ourselves.
It’s no wonder then that the malware and virus writers turned their attention to another medium. And that medium is social. Their attention has been turned because of the trusted nature of social. We’re connected – we’re friends on Facebook, connected on LinkedIn, I track your updates through my social business platform. So, therefore, I naturally trust the content that you share, because I trust you the individual. This inherent trust that is at the heart of social, is the basis for the risk related to inbound threats – malware writers take advantage of this inherent trust and send payloads through social media – often using that tried and trusted method of email to fool the user into clicking the link, going to the “site”, you’ve seen them all – “Facebook reminder - John Smith wants to be friends with you, click here to accept”.
If you’re a Twitter user, then you’ll no doubt have seen direct messages, purporting to be from your followers, advocating through often clever commentary to click on a link, which ends with all of YOUR followers being spammed with the same content (thanks to my colleague @DaveOates, for agreeing to be outed as someone who fell for this recently).
A third area of concern for the IT and Security professional is somewhat linked to outbound threats and risk, however I’ve separated it out, as this content, this information is put there by us as users, usually as part of our set up when we create our social personas. That’s right, it’s our profile information and I’m now moving onto Personally Identifiable Information. Let me set the scene.
Privacy settings are the last thing that we never look at on our social profiles. And of course I complete all the demographic and biographical information that <insert name of social site> requests me to – my full name, date of birthday, where I live, oh and then what relationship I have with my significant other and my children. Privacy settings are also the last area that I ever change, in part because in general it’s pretty difficult to find out where to change things, and who the heck ever has the time to do that? Besides, isn’t social all about sharing? Sure. It’s all about sharing, but be cautious in that sharing, because unless you are cautious about that sharing, then you might be sharing it with all one billion other Facebook users, or depending upon how Google is indexing sites most recently, then anyone who’s connected to the Internet.
Take a look at your Facebook friends for instance, and see just how many of them are sharing their full date of birth, the family members, their home details, or children’s photos. Now hope that they’ve set their privacy settings so that you are only seeing those because you’re a friend. Many folks don’t realize that their settings are open to the world, and I do not have to be connected to you in order to see this information.
This personally identifiable information, that is open in a lot of cases to the world, is a key risk for many security departments and professionals, simply because of the information it provides to the wider world.
Sarah Carter joined the workforce as a taxi driver at 17 (a story in itself). After university and a spell with IBM, a year in Canada, she moved to the UK IT security & data archiving market joining a UK security and storage integrator. Sarah was integral in taking the company through an IPO on the alternative investment market, promoted to the board she worked in the team that acquired others and then sold the business. After 4 years with Actiance in the Europe and Asia team, Sarah relocated to HQ in California. Sarah is now General Manager of Actiance’s Social Business – she and her team work with the regulators – from FINRA in the USA, to the FSA in the UK. She also works with Actiance clients on best practice social media and collaboration strategies and regularly speaks on the topic on both continents.