The risk of social? It all depends
Colleen Burns | Tags: security, social_business, sarah_carter, social, actiance
I’m often asked “What are the risks of implementing social in my business?” Fewer people these days are surprised when my answer begins with “it depends.” And it depends on any number of items. First of all, it depends on who’s asking the question because the risk that you care about depends on your point of view and your role in the organization. Answer that risk question to a Corporate Communications executive, for instance, with “inbound malware and viruses are a big challenge” and they’ll look at you blankly. So, learning to speak the language of social that your audience uses is important.
The second element that it depends upon is what your business is and the nature of how your business operates. The third element is how you’re using social, not just in a planned and organized fashion, but what individuals associated with your business are doing with social, and how you’ll use social when a crisis hits.
In this first of a series of posts on the risks of social, I’m going to focus on the roles involved in social and the stakeholders in your organization – and oftentimes that’s a lot of people (she says, having been in meetings with 35 of those stakeholders in a room). Just thinking about your organization, who might that involve? (answers to @SarahActiance, on a postcard, or simply use the comments at the bottom of this blog entry).
I certainly know that the stakeholders involved in many of the organizations that I work with include the following departments and roles, in no particular order:
Let me start this series with the roles of IT and Security, which while distinctly different, I’m going to group together in the interest of time. These departments are concerned with two primary categories of risk – inbound and outbound threats to the organization. We’ll start with the inbound risk.
We are all exceedingly well trained in the area of email risk. You are in the minority if you even see the vast majority of email spam, and in an even smaller minority if you actually 1) reply to the emails from the individual purporting to have billions of dollars salted away in <insert exotic sounding foreign country> with a requirement to move some percentage of that to you in return for your assistance; or 2) click on the link in the email that promises you riches/beauty/possessions beyond your wildest dreams. We, as users, are well trained, because, folks, the email security industry has been training and protecting us for more than 10 years now. That’s right, it was 1999 when the Melissa virus hit, and the ILOVEYOU virus followed quickly on her heels. Since then an industry was created, grew up, matured and protected us from ourselves.
It’s no wonder then that the malware and virus writers turned their attention to another medium, and that medium is social. Their attention has been turned because of the trusted nature of social. We’re connected – we’re friends on Facebook, connected on LinkedIn, I track your updates through my social business platform. So, naturally, I trust the content that you share, because I trust you, the individual. This inherent trust at the heart of social is the basis for the risk related to inbound threats: malware writers take advantage of it and send payloads through social media, often using that tried and trusted method of email to fool the user into clicking the link and going to the “site”. You’ve seen them all – “Facebook reminder - John Smith wants to be friends with you, click here to accept”.
If you’re a Twitter user, then you’ll no doubt have seen direct messages, purporting to be from your followers, urging you through often clever commentary to click on a link, which ends with all of YOUR followers being spammed with the same content (thanks to my colleague @DaveOates, for agreeing to be outed as someone who fell for this recently).
The second area of risk that the IT and Security departments care about is outbound threats. Is someone in the organization leaking confidential or personally identifiable information out through a social mechanism? It could be Social Security numbers, National Insurance numbers, credit card numbers, or general confidential information. Think of a social collaboration environment – executives sharing executive bonus plans and numbers with the wrong group of individuals; it doesn’t have to be information leaking to the wider world. You can start to get a sense of what the challenges might be in our increasingly interconnected world. And of course, back in the public social world, we’ve all seen the tweets that shouldn’t have made it out there.
Most of the information leakage issues that I see are inadvertent, not malicious – and it comes back to that old adage (actually, I’m not sure it's old, and it’s attributable to yours truly).
“Human beings were put on this earth to create chaos. In a social environment we do that very effectively and very quickly.”
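The outbound risk above is what a data-leakage check on a social or collaboration gateway looks for. The following is an added example, not code from this post or from any Actiance product: it scans a handful of constructed sample posts for the three identifier types the post names (US Social Security numbers, UK National Insurance numbers and payment card numbers), validates card candidates with the Luhn checksum so that a random run of digits is not flagged, and reports each hit with the value redacted so the alert itself does not leak the data. The post authors, message texts and identifier values are all made up for the example.

```python
import re

# Constructed sample outbound posts (author, text); none are real data.
SAMPLE_POSTS = [
    ("alice", "Great offsite today, thanks all!"),
    ("bob", "Need my SSN for the form: 219-09-9999"),
    ("carol", "Card ending 4111 1111 1111 1111 is the corporate one, use that"),
    ("dave", "My NI number is AB 12 34 56 C if HR needs it"),
    ("erin", "Order ref 1234 5678 9012 3456 shipped"),  # 16 digits, fails Luhn
]

# Illustrative patterns. The SSN pattern excludes area 000/666/9xx, group 00
# and serial 0000; the NI pattern applies the published prefix rules; the
# card pattern accepts 13-19 digits with optional spaces or hyphens.
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "uk_nino": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
        r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
    ),
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask everything but the last four characters of a matched value."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]


def scan_post(author: str, text: str) -> list:
    """Return one finding per identifier found in a single post."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            raw = match.group(0)
            if kind == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", raw)):
                continue  # digit run without a valid checksum: not a card
            findings.append({"author": author, "kind": kind, "redacted": redact(raw)})
    return findings


def scan_posts(posts) -> list:
    """Scan a sequence of (author, text) pairs and collect all findings."""
    results = []
    for author, text in posts:
        results.extend(scan_post(author, text))
    return results


if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(f"{finding['author']}: {finding['kind']} -> {finding['redacted']}")
```

The checksum step matters in practice: a plain digit pattern fires on order numbers and phone numbers, and a check that cries wolf gets switched off. Pattern matching of this kind only covers the structured identifiers; the executive bonus plan in the post's example has no fixed format and needs classification of the document or channel rather than a regular expression.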
A third area of concern for the IT and Security professional is somewhat linked to outbound threats and risk; however, I’ve separated it out, because this content is put there by us as users, usually as part of our set-up when we create our social personas. That’s right, it’s our profile information, and I’m now moving on to Personally Identifiable Information. Let me set the scene.
Privacy settings are the last thing that we ever look at on our social profiles. And of course I complete all the demographic and biographical information that <insert name of social site> requests of me – my full name, date of birth, where I live, oh, and then what relationship I have with my significant other and my children. Privacy settings are also the last area that I ever change, in part because in general it’s pretty difficult to find out where to change things, and who the heck ever has the time to do that? Besides, isn’t social all about sharing? Sure. It’s all about sharing, but be cautious in that sharing, because unless you are, you might be sharing it with all one billion other Facebook users, or, depending upon how Google is indexing sites most recently, with anyone who’s connected to the Internet.
Take a look at your Facebook friends, for instance, and see just how many of them are sharing their full date of birth, their family members, their home details, or children’s photos. Now hope that they’ve set their privacy settings so that you are only seeing those because you’re a friend. Many folks don’t realize that their settings are open to the world, and I do not have to be connected to you in order to see this information.
This personally identifiable information, that is open in a lot of cases to the world, is a key risk for many security departments and professionals, simply because of the information it provides to the wider world.
Yikes. So before that has you scurrying to delete all your social profiles and get the heck off this berg, here’s some advice based on these risks as to what you can do.
Sarah Carter joined the workforce as a taxi driver at 17 (a story in itself). After university, a spell with IBM and a year in Canada, she moved to the UK IT security & data archiving market, joining a UK security and storage integrator. Sarah was integral in taking the company through an IPO on the Alternative Investment Market; promoted to the board, she worked in the team that acquired other businesses and then sold the company. After 4 years with Actiance in the Europe and Asia team, Sarah relocated to HQ in California. Sarah is now General Manager of Actiance’s Social Business – she and her team work with the regulators, from FINRA in the USA to the FSA in the UK. She also works with Actiance clients on best practice social media and collaboration strategies and regularly speaks on the topic on both continents.
Sarah is an IBM Redbooks thought leader