Cyber security: Keeping IT

Aviva's Martha Phillips and Bryan Littlefair provide seven tips on how to mitigate social media risk to an organisation.

Regardless of an organisation's type, scale, location, marketplace or number of employees, participating in the social media landscape is now a necessity. Social media interaction, however, introduces unique cyber-security risks to an organisation, and necessitates appropriate control and security principles. How do you ensure you have the right level of governance in place? There are some fundamentals that will help prevent social media from becoming a compounding security exposure for your organisation.

The impact that social media has on an organisation's risk profile can be understood by looking at both the internal and external threats posed by social media channels. Access within an organisation to channels such as Facebook, Twitter and YouTube is entirely reliant on trust and appropriate employee behaviour to remain secure. However progressive the company culture, data loss or inappropriate disclosure of sensitive information could be an unintended consequence of allowing unfettered access to these channels. Similarly, the external-threat landscape is rapidly developing and takes the form of social media phishing and malware strategies to obtain data or money, or deliberately cause reputational damage.

1. Develop a social media policy.

Having a policy that is set at the top, understood and supported by teams at all levels, and enforced by the technology and security teams is paramount. In practice, however, there is no single approach to what can be accessed, by whom and for what purpose.

2. Consider culture v risk.

In developing a policy, a balance of risk appetite and desired culture is key. Executives have to make a call about the role of social media within an organisation, its place within company culture, and the particular threat level it poses to employees, customers and the brand. A selective approach is also possible, depending on the channel. The proliferation of high-profile data breaches over the past 12 months has led many organisations to block access to any social media outlet that allows data or file upload, but not to instigate an outright ban. Others have just removed access to video-streaming sites such as YouTube because of their impact on IT network speed and resilience. A clear exceptions register can be put in place for teams that require access to revoked channels for the purposes of their role (for example, brand marketing or HR).

3. Bring employees on the journey.

Restricting access to social media channels within the workplace can have the unintended consequence of demotivating teams, particularly if there is a perceived link to productivity. Careful messaging at all levels is needed to ensure that the security driver is well understood; it is a good opportunity to re-engage the organisation on security awareness and behaviours.

4. Monitor behaviour.

Monitoring should be in place to cover social media activity by employees. In many jurisdictions, monitoring of all electronic communication is a regulatory or legal requirement. Like email, social media logs can be used as legal evidence. An organisation must be clear on all regulations surrounding consumer privacy and corporate transparency to establish the right level of monitoring, control and archiving. For New York Stock Exchange-listed companies, this includes the Sarbanes-Oxley Act. Again, the degree to which employee social media behaviour, particularly if it is non-work-related, should be monitored is subject to debate. However, using processes and technology to monitor activity level and content will enable an organisation to respond to suspicious or inappropriate interactions (for example, from disgruntled employees) that could prove harmful.

5. Keep up to date with social media trends and threats.

To mitigate the external social media threat, organisations must be familiar with, and able to deal with, increasingly sophisticated cyber-crime techniques. Most are more contemporary versions of old scams: phishing, for example, creates emails, web pages and links that look credible for the purposes of eliciting information, such as sensitive data or account information.

6. Use a combination of security tooling and education to reduce risk.

Internet security tools can be deployed to automatically block URLs that have fraudulent characteristics; many vendors and packages are available to suit different organisations. However, some of the biggest social media threats can be most effectively warded off by cyber-savvy employees. Some common techniques for people to be aware of are:

- Accuracy of the site URL (prefix https, not http), unexpected redirecting to other sites, and tell-tale spelling errors in emails or web pages all indicate a social media fake.
- Social engineering is a related tactic employed by cyber criminals that involves a carefully orchestrated attempt to manipulate an individual into performing actions or disclosing information in the belief that the request is legitimate. An employee could be targeted based on information available about them online (LinkedIn for professional history, Facebook for interests and location), or contacted via social media by someone posing as a legitimate contact.
- Malware, including viruses and Trojans, is distributed via links embedded in social media pages, which when clicked (if appropriate malware protection is not in place) infect the asset. Depending on the creator's motivation, the malware can execute code to steal user credentials, control the mouse and keyboard, obtain data, and spread to other users.

Such scenarios, and others, can be prevented by educating employees on typical and new scam variants, plus ensuring that employee access to secure data and financial systems is tightly controlled under a minimum-required-access principle. None of these cyber-crime techniques is new, but social media is making it easier to stage an attack within an environment usually reserved for trusting and open interaction.

7. Remember to listen.

Social media can play a positive role in protecting an organisation by helping it understand its threat landscape and those that might want to cause harm or disruption. The majority of activists, political groups and cyber criminals are also active on social media, and by deploying the right digital monitoring and threat-intelligence capability it's possible to anticipate a potential attack. Digital monitoring services can also identify the location of all publicly available data or leaked files, so a breach can be quickly responded to.

It's not possible to be immune to the risks posed by social media, but tools and risk-mitigation strategies are emerging to allow organisations to reap the benefits of it while protecting their security-risk profile. Central to retaining control is having a policy and making social media an integral part of employee security awareness campaigns. It is no longer an IT- or security-led agenda; everyone has a part to play.

Bryan Littlefair is Aviva Global's CISO, and Martha Phillips is Senior Risk Manager, Aviva Group CIO.
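The tip on combining security tooling with education mentions blocking URLs that have fraudulent characteristics and teaches staff to check for an https prefix and deceptive hosts. Below is an added example written for this page, not a tool from Aviva or the article's authors, showing how such a screen can be automated so that each flagged URL carries the reasons for the decision. The brand allow-list, the sample URLs and the "two or more reasons" blocking threshold are constructed assumptions, and the checks go beyond the article by also catching raw IP hosts, credentials hidden before an "@", brand names used as subdomains of another domain, and one- or two-character lookalike domains.

```python
"""Heuristic screen for phishing-style URLs (illustrative, not production tooling)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allow-list of brand domains the organisation expects employees to visit.
KNOWN_BRANDS = ("facebook.com", "linkedin.com", "twitter.com", "youtube.com")

# Constructed words that phishing pages commonly put in the path or query string.
BAIT_WORDS = re.compile(r"(login|verify|secure|account)", re.IGNORECASE)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalikes such as twiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Last two labels of the host: adequate for .com-style names, not for co.uk-style suffixes."""
    return ".".join(host.split(".")[-2:])


def suspicious_reasons(url: str) -> list[str]:
    """Return the list of fraudulent characteristics found in the URL (empty if none)."""
    reasons = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reg = _registrable(host)

    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; browsers connect to the host after it.
        reasons.append("userinfo in URL hides the real host after '@'")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass

    if host and reg not in KNOWN_BRANDS:
        for brand in KNOWN_BRANDS:
            name = brand.split(".")[0]
            if name in host:
                # e.g. facebook.com.login-verify.example: brand name is only a subdomain.
                reasons.append(f"'{name}' used in a non-{brand} host")
                break
            if _edit_distance(reg, brand) <= 2:
                reasons.append(f"lookalike of {brand}")
                break
        if BAIT_WORDS.search(parts.path + parts.query):
            reasons.append("credential-bait words on unknown domain")
    return reasons


def should_block(url: str) -> bool:
    """Constructed policy: block when two or more independent signals agree."""
    return len(suspicious_reasons(url)) >= 2


if __name__ == "__main__":
    # Constructed sample URLs; none of these hosts is a real phishing site.
    for sample in (
        "https://www.facebook.com/groups/123",
        "http://facebook.com.login-verify.example/account",
        "http://203.0.113.5/login",
        "https://twiter.com/home",
        "https://user@evil.example/",
    ):
        print(f"{sample}: block={should_block(sample)} reasons={suspicious_reasons(sample)}")
```

The two-signal threshold keeps a single weak indicator (an http link on an internal site, say) from blocking on its own, while the returned reasons give the security team something to review and feed back into awareness training. A real deployment would replace the two-label registrable-domain guess with a public-suffix list and the tiny allow-list with the organisation's own.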