Social networks: boon or bane?
Social networks are more than just platforms to connect you
with your friends. With security issues being taken care of, they are gradually
becoming productivity tools rather than being security threats for organizations,
writes Varun Aggarwal.
Social networks such as Facebook, LinkedIn and MySpace have become lucrative
targets for security attacks, as they are identity goldmines and a considerable
amount of monetary benefits could be garnered by exploiting identity information
of users. According to a research study compiled by the US National Cyber Security
Alliance (NCSA), more than 74% of users divulge personal information, including
email addresses and birthdays on their profiles. More often than not, the page
containing the identity details of a user is accessible to anyone who is a friend
of the user. Any person could just sign up and get hold of identity information
by tricking the user and adding him/her as a friend.
Achyuthanandan S, Research Analyst, ICT Practice, Technical
Insights, Frost & Sullivan opined, "Identity information stolen from
social networks could be used by hackers to obtain financial gains by selling
the information to marketing companies and by other means. For instance, a combination
of a user's social security number, birthday, and name could provide enough
ammunition for criminals to steal financial records and statements of the user.
Evidently, social networks are any social engineer's goldmine and this
has made them an attractive target for identity theft."
Another issue that is particularly relevant to corporate security
is malware. For a number of years, email has been the most popular medium
utilized by hackers for spreading malware. But now, social networks have overtaken
email as the most preferred platform for launching security attacks targeted
at spreading malware. The entry of malware into enterprise PCs and the enterprise
network could jeopardize the underlying computing and security infrastructure
of a company. In particular, if data-stealing malware penetrate into enterprise
networks, companies could end up losing intellectual property and confidential
business data, added Achyuthanandan. According to a recent study conducted
by US-based security vendor ScanSafe, it is estimated that one out of every
600 Facebook profiles is infected with some form of malware or spam. Different
techniques that could be used for spreading malware through social networks
include Spam, cross-site scripting (XSS), cross-site request forgery (CSRF),
click-jacking, phishing, and impersonation attacks. The last major threat to
enterprise security via social networks is data leakage.
According to S V Ramana, CIO, Tulip Telecom, corporate groups
on the social networking sites can be subject to identity fraud and defamation.
A malicious user may use such groups to damage corporate image/reputation. This
increases the risk of introducing various worms/virus/trojans in the internal
network. Historically, social networking sites have been used to launch browser-based
attacks. These sites are very frequently used for social engineering purposes
and hence loss of confidential information. This also poses a legal risk to
the organization. As per the IT Act the organization shall be held liable for
facilitating a malicious activity from its network, added Ramana.
Training
That was about the risks that social networks hold. However,
do all Indian organizations treat social networks as a threat? The answer is: not
all. Moreover, even the ones that treat social networks as a threat to their
organization, often do not have proper training for their employees on the hazards.
The good news is that this is changing.
Recent trends indicate that companies, especially the ones
that do not restrict social networks use during work hours, are taking serious
interest in ensuring that employees are aware of the security threats prevalent
in social networks. Enterprise security officers have realized that employees
are the weakest link in the security ecosystem and steps are being taken to
ensure that employees are aware of what is at stake if security is compromised.
The general opinion among enterprise security administrators is that, more than
rules and regulations, employee guidance and education are of paramount importance.
Achyuthanandan explained, "Usually, the goal of security training programs
is to ensure that the employees are completely aware of the different types
of security threats prevalent in social networks and the Internet as a whole.
Typically, enterprises educate employees about the need for security and security
awareness and proceed to train them about the security perils in social networks
through e-learning modules and training sessions. In addition to that, enterprises
also educate employees about the security policies and regulations of the company
and mandate employees to sign security policy and acceptable-use policy documents.
Besides, enterprises are also encouraging employees to undertake third-party
security certification exams."
Tulip makes sure that its employees are well versed with the possible threats
on the social networks. Explaining the training methodology, Ramana said, "We
conduct employee awareness sessions about social networking and the various
types of available social engineering methods are explained to employees."
To make sure that all the employees are aware of the threats
at the social networks, Shoppers Stop makes its employees go through its Acceptable
Use Policy. Arun Gupta, Customer Care Associate and Group Chief Technology Officer,
Shoppers Stop said, "The Acceptable Use Policy (AUP) for usage of IT infrastructure,
including the Internet and networking sites, clearly depicts the dos and don'ts
by our associates. The AUP is a document that is signed by every employee at
the time of joining the organization. It highlights the terms and conditions
of use of IT equipment provided by the company and used by employees, contractors
or temps in standalone mode, connected to the LAN or WAN using any medium, accessing
company applications and data. This was created to help our associates be aware
of the boundaries in which they operate, what is acceptable behavior and activities
that are out of bounds. It also authorizes us to audit any machine or traffic
over the network."
Social networking for enhanced productivity
Just like any other technology, even social networks come with their share of
security issues. Having said that, there is a lot that these networks can do
in order to increase productivity of a company, present a positive image in
the market and counter any false reports circulating over the Internet.
Diptarup Chakraborti, Principal Research Analyst, Gartner said, "If you
go back in time, instant messengers, communicators (unified communications)
were a strict no-no and a taboo, both in India as well as abroad. Now, companies
have realized that these tools add to productivity, enable collaboration and
reduce cost. Therefore, many organizations now allow some level of instant messaging.
That's a change of mindset that we've seen. Initially, organizations
thought that using IM or collaborators, employees would just chat and won't
work and then they thought since everyone was connected online, this would choke
the bandwidth. However, both these points were proven incorrect. Now, since
they realize that these tools enable productivity, they allow it."
"Similarly, when it comes to social networking, today
we talk about security issues, we talk about anonymous blogs and postings that
could leak out confidential company information. However, security issues come
with every technology, and I think over time, the security issue would be tackled
and I don't see any overwhelming security issues in social networks. There
would always be some black sheep in the organization who can take undue advantage
of the benefits given to them. With the developments taking place so fast, security
won't be an issue at all by next year. Social networking enables customer
service. It enables marketing and also becomes a peer-to-peer discussion forum
apart from becoming a recruitment forum," Chakraborti added.
The different types of social networking applications
that are popular among corporate employees could be classified as:
- Public social networks: Facebook, Orkut, MySpace, LinkedIn and others
- Micro blogging platforms: Twitter
- Instant Messaging platforms: Google Mail chat, Yahoo Messenger, Web-based IMs, Facebook IM and others
- Blogs and Wikis: WordPress, Google Blogger, SocialText, Wikipedia and internal wikis/company blogs
- Social bookmarking and Tagging: StumbleUpon, Digg, Delicious, Reddit
- Discussion boards and forums
In addition to the aforementioned
applications/platforms, enterprises are also gradually embracing social
networking and Web 2.0 applications that are specifically designed for
corporate use. Web 2.0 applications for the enterprise such as collaboration
platforms, productivity tools, company blogs, wikis, and others, are
gaining a lot of interest from IT enterprises since last year. Enterprises
are beginning to view these applications as a platform to spur employee
productivity, foster innovation along with research and development,
facilitate seamless collaboration and communication between employees,
and most importantly, increase business efficiency. This has led to
the emergence of a new trend known as Enterprise 2.0.
Source: Frost & Sullivan
You can have a discussion forum on Facebook, Orkut, LinkedIn, etc., where you
can have experts from organizations coming and talking about a particular topic.
For example, when the Microsoft and Yahoo deal was taking place, Microsoft had blogs
and discussion forums running on sites like Facebook where the topic was discussed
very actively. Some of the participants were actually senior management people
from Microsoft who were giving their side of the story and since it is very
informal, it has a lot of credibility to it.
If you have some negative publicity that's crawling through the Internet,
you can use social networking to sort it out much faster. Companies have started
tracking what is being written about them on the social networks. They are also
contributing to the social networks to correct any incorrect information being
discussed in the forums in a credible manner.
Ramana opined, "At Tulip we are making various social platforms available
to all employees to choose. We currently have a social group on LinkedIn which
caters for formal discussions, whereas the corporate blog acts as an information
and discussion forum. Currently, we are also working towards engaging our customers
through a dedicated social platform."
Similarly, vCustomer uses social networking platforms like Twitter and Facebook
to help their clients support their customers in a better way. They have created
APIs for all popular social networks, which extract relevant information being
circulated over the social networks about some area-specific outage, etc., and
send that information to the client so that they're up-to-date without
calling the vendor for every small little query. Sanjay Kumar, Founder &
CEO, vCustomer explained, "We have created a framework for customers to
support other customers. If one customer sends a twit that he has
an outage, all the other customers in the vicinity would get this info."
Gupta averred, "Social networking sites are gaining popularity amongst
the Internet savvy employees. We also use the Internet as a medium to connect
with our partners and conduct business with our customers. Most of the popular
sites are presumably free from malware and other unsavory code that may harm
an enterprise's systems. The risk of employees posting sensitive information
on these sites requires attention and education." The company is also working
on a company blog, which is an attempt to provide its associates an avenue to
share their thoughts and information. "We propose to link this to a Wikipedia-like
platform to help capture the rich knowledge existing within the enterprise while
encouraging associates to use the medium to create collective wisdom. We are
about three-four months from deployment," Gupta added.
Many organizations do not allow their employees to blog and if caught doing
so, there are actions taken against them. To prevent this situation and allow
employees to share their views freely, many organizations have started
internal blogs. However, experts believe that this may not help in preventing
employees from participating in public blogs. Achyuthanandan opined, "The
presence of company blogs, wikis or other knowledge-sharing platforms would
not reduce the cases of inadvertent data leakage. The primary motive behind
blogging is to share information or opinion on an issue to a large audience,
and hence, employees would still be more eager to post their thoughts on public
blogs regardless of the availability of a private company blog, whose audience
is limited. Besides, employee bloggers may prefer to retain anonymity, which
may not be possible in a company blog, and may also not find it acceptable to
have their content moderated by the company. Consequently, a company-moderated
blog would not necessarily prevent data leakage in an enterprise, and employees
will continue to prefer public blogs, whose unmoderated environment, scope for
anonymity and support for multiple profiles offer greater appeal."
Ramana added, "It is almost impossible to keep a check
on the flow of qualitative expression or information being shared by employees
on an internal as well as external social platform. Moreover, if moderated then
they tend to kill the essence of the social network. Therefore, most of the
time these data leakages are of qualitative nature, whereas any physical data
leakages can be tracked and controlled."
CIOs should look at how social networking can drive marketing. It is the most
potent tool for marketing today. It has much more credibility than spam,
etc. It is a very strong tool for employment, employee welfare. Therefore, they
should look at how HR can benefit from it. For example, in Second Life (a popular
virtual world), you can go to an online store, you can look at the product in
3D, you can order the product and it will be shipped out to you. It is almost
like an in-house experience, Chakraborti said.
Take for example, ChiragDin. They sell more shirts online than what they
sell offline. Shirts are something, which most people didn't even think
of buying online a few years ago. ChiragDin is a pioneer in using social networking
to drive their brand. Then why can't other companies do the same?
Engineering students today are the future CIOs and they cannot live without
social networking and they will demand it when they join these organizations.
Get over the fear about social networking just like we got over the fear
of instant messaging. It is a must have. The faster we adopt it, the more progressively
we'll be looked at, Chakraborti concluded.