Clash of Security and Social Network Marketing

Tuesday, March 16, 2010

Crystal Craven


Information Security Gurus and Marketing Professionals are often at odds with each other in the business realm. Marketing used to be primarily a print and face-to-face business function. Thanks to the overhaul of standard marketing strategies, marketing has grown new roots on the web and has found itself buried deep within social networking sites like LinkedIn, Facebook and Twitter. The need for businesses to have an online footprint is critical to reach the masses in today's competitive environment, but the potential loss of client data and the security threats to your network are daunting.

Ann Carroll, the Director of Marketing for Hancock Askew & Co., LLP Certified Public Accountants in Savannah, Georgia, puts her marketing needs like this: "Social networking is the newest frontier in marketing. If companies are not already active in social media, they are already behind the curve. There is a certain demographic that wants to communicate through this medium, and we'll lose them if we don't participate." When the request for access to these sites stems from an authentic business need, where do companies draw the line between marketing savvy and data security? How do we, the Paranoid InfoSec folks, establish reasonable rules and boundaries? It seems that everyone within a company, managers and subordinates alike, has multiple social networking accounts. What prevention methods will be used to ensure our company's or client's data isn't compromised? Who is going to monitor our company's Facebook account for appropriate business content while assuring client anonymity?

Michael Brooks, Publisher and Creator of South Magazine, states, "It is not a case of whether we will use them (social media sites); it is how extensively we will and how much time we will invest into each. We look forward to these social media developing further in order to make this type of outreach more of a science."

With my network's security in mind, my initial thought was to shut it all down and block the popular social networking sites while on our domain. It is an easy fix with our firewall, presenting a nice little warning to our users, something to the effect of "Not on our clock!". Why allow users to put our network at a higher risk of exposure to phishing attempts, spam and drive-bys from various extracurricular website activities? But what happens when your users are at home, on their personal computers, posting what they had for breakfast and griping about the daily grind at the office?

My suggestion is this: together with your management, assess what level of risk they are willing to accept when using social media as a marketing tool. Establish a firm-wide policy on social networking. Outline the consequences of non-compliance and then enforce it. This will not be a one-size-fits-all scenario. Be aware that staff at all levels are diving head first into these sites with little knowledge of the threats that await them. Educate your users; even your most well-seasoned executive probably has a Facebook account that is completely exposed. Encourage users to err on the side of caution when posting personal information and data that might reveal confidential client or company information. Employers should clearly identify what information is to be kept undisclosed or confidential.

Finding the acceptable level of risk that still allows participation in the burgeoning growth of social networking in the business realm is the key to a symbiotic relationship between your Paranoid Information Security Staff and your Go Get ‘Em Marketers.

Jason Williams I agree that a one-size-fits-all strategy is not what is needed. I think a key to securing social media is to understand that not everyone in the company needs to access it. Access should be based on roles. The marketing types may need it to do their jobs, but I have a hard time seeing the finance department needing it. It's a gross oversimplification to apply one-size access rules to websites. We certainly don't do this with in-house databases and other systems? We assign access based on need. This strategy would work with websites too.
Crystal Craven Jason – Role based access to social networking sites is great in many environments.

Got Cha – Your firm seems to be very similar to my environment. Role based access would limit the staff who are expected to market themselves while performing many other duties.
Thomas Day Hmmmm. I am not so sure I like the role-based approach. I happen to work in finance and, frankly, find social networking sites to be extremely useful. For example, using Twitter to get feeds from certain blogs that provide current market intelligence; having more than one FB account (x1 personal and x1 professional) that, using an alias, I can posit certain ideas or views of the market and, based on my network, get a rather "viral" sort of response that allows me to weigh and measure decisions, outlooks, forecasts, simulations, scenarios, and other matters in a fairly effective and rapid fashion. I guess the point I would make is that "networks" (and the theory thereof), no matter what name you give them, are powerful tools. Infosec administrators can certainly get paranoid, and there is some cause and pause that should be given; however, the proverbial train has left the station. The secret to security may not be trying to define roles, taxonomies, or other such artifices, and granting privileges based on rigid notions of "right and wrong", but to create an environment of empowerment, training, and awareness. This environment, of course, needs to be coupled with proper corporate and IT governance; however, rather than being "big brother" and controlling capabilities based on narrow notions of utility, industry and businesses should be seeking how to harness the evolutionary power of the "collective" rather than, perhaps, censoring that which will - over time - provide much more to the good than to the bad.
James Stevens I would have to agree that the role of person or department would determine what type of access they would need to these sites. I would also state that a business case is relevant as well as this being something that would require management approvals within the company.

Like anything new, there is resistance, but as the new concept is adopted, more people begin to jump on board. The key for any business is the timing of the jump: wait too long and you miss the boat, jump too soon and you will go through the growing pains.

Another challenge is for the websites themselves and being able to manage how their service or product can help their customers while also helping to minimize the risk to their customer as well.

Ted LeRoy Clear policies are a must regarding business related use of social networking sites. If the legal department reviews all other advertising before it is allowed to be published, for example, shouldn't the same policy be upheld for social networking 'advertising'?

YouTube 'advertising' is becoming popular too. Again, if other methods of releasing video had to be screened by management, so should YouTube.

Part of the shift to social media and away from mass media is due to changes in how companies interact with consumers in an Internet age.

In his book "The Chaos Scenario", Bob Garfield cites some trends that indicate massive changes in the way advertising will work as the traditional mass-media/advertising model breaks down and is replaced, like it or not, by more direct interaction with customers.

The changes are coming. We have to adapt.
James Weaver With the Federal Bureau of Investigation (FBI) and Computer Security Institute (CSI) 2006 Computer Crime and Security Survey stating that over 50 percent of the 313 organizations surveyed had experienced unauthorized access to company data in the previous year, it is easy for professionals to understand why this issue is so important. Getting your management to understand the security risks isn’t always that easy whether the risk is due to social networking or ease of customer and staff access.
I implicitly agree that it is critical to assess risks with management, set firm-wide policy, outline consequences of non-compliance, enforce that policy and educate users. It is understood but not detailed that in today’s world, consequences of non-compliance can be difficult to enforce and especially without documented education and policy agreement (litigation requirement). And even with ironed out consequences, signing agreements and regular training helps serve as a reminder.
I don’t agree that InfoSec folks are paranoid as someone needs to be in charge of data security and it fits easily into IT. I agree with Jason in that something like Facebook, Twitter, etc that someone needs to be assigned a role of making the call about material content about what is being posted from the business itself. Your article is timely and a great read.
Fred Williams My company fosters an open environment where they encourage social media for all types of employees. Since I am a developer, I use blogs as a way to communicate ideas and problems that other developers can read and post. Now, they are limits - I don't believe employees should spend all day on Facebook. Monitor the activity and if you find certain employees spending that amount of time, let them know to stop. I just don't like the feeling of a prison when it comes to Internet usage.
Fred Williams oops - I meant "... THERE are limits..."
Kelly Monroe I’m a consultant working with Palo Alto Networks, a network security company that helps enterprises manage social networking apps on the corporate network. IT departments are stuck between a rock and a hard place. They know that end-users and the business units will revolt if these apps are outright blocked. At the same time, they know these apps carry risks and can’t leave them unchecked. It requires a good balance between enablement and security. There is a good whitepaper on the subject of blocking social networking apps, “To Block or Not. Is that the question?”
It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, AIM, SharePoint, etc.)
Let me know what you think!
Share it with your IT Dept.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.