Data Security: Social Networking and the New Human Security Perimeter

Data Security: Social Networking and the New Human Security Perimeter

Issue 

Since the early days of its development, the Internet has been leveraged as a social platform, and people continue to meet, connect, organize, share and collaborate online in unprecedented fashion. We live in the information age, where a knowledge-based economy demands that workers have access to relevant channels to both foster communication and facilitate collaboration on projects. Thus, it is only natural that web-based social networking applications have become prevalent in the business environment.

Challenges and Opportunities

Social media has been around for less than a decade, yet it is pervasive among the general public and in the workplace. From customer engagement to collaboration, this channel presents real opportunity. It also carries with it significant risks, such as missing out on opportunities to acquire and serve customers if you don’t deploy social technologies, and the embarrassing impact to reputation that can result if you do deploy them. 

While opening access in the workplace to these social networks can create numerous long-term benefits, there are risks involved, including reduced employee productivity and, perhaps more notably, information security breaches. Key security risks include:

  • Potential data leakage of sensitive information
  • Unintentional upload of Trojans or viruses to employee computers
  • Increased targeting of individuals who are associated with your company for social engineering attacks
  • Individuals falling prey to fraudulent scams

The most prominent threats are either technical or social in nature. Technical breaches primarily occur through web application security weaknesses or poor practices by employees uploading or downloading inappropriate content. Social threats relate mainly to social engineering attacks or malicious users gaining information from unsuspecting employees.

A recent industry poll found that 43 percent of companies had experienced a security incident resulting from employees using social media sites.1 Employees increasingly are targeted by social engineering attacks whereby an individual will use personal manipulation, deception and/or influence to obtain sensitive information. This, in turn, enables a more technologically based attack on the network or data.

Our Point of View

The responsibility for security needs to shift from a technologybased focus to the people who comprise an organization. After all, people, through their actions and behaviors, have the most significant role in securing the enterprise. By building a strong communication program and heightening the overall risk consciousness, organizations can help their employees recognize risky behavior and respond to attacks, thus creating a human security perimeter. 

Most organizations are either evaluating or have implemented formalized policies regarding employee participation in social networking sites. Policies should include guidelines on what information can be discussed through these mediums and how to treat content obtained or downloaded from these sites. Policies also should reinforce the message that Internet access is provided for business purposes and should not be abused, thereby permitting disciplinary action if productivity concerns are raised.

Once the development of standards and practices is complete, companies must turn to educating their employees. Employee education and awareness, in tandem with strong technical security controls such as anti-virus, anti-spyware and web filtering technology, will help clarify how to use technology to achieve the expected results while also reducing the likelihood that these risks will impact your business.

How We Help Companies Succeed

Protiviti’s security and privacy team understands the inherent risks our clients face in embracing new technology. Using a combination of skills drawn from information security, data privacy, technology, internal audit, risk, regulatory compliance, communications and marketing, we assist clients in addressing their data security needs in a holistic manner that is easy to understand, pragmatic and in-line with industry best practices.

A key driver of this approach is the internal communication and training group of Protiviti. As a full-service agency, we have worked with companies around the world to address their employee communication challenges and introduce a behavioral approach to change management across an array of mediums, including:

  • Print and interactive awareness campaigns that bring policies and strategies to life
  • Interactive training and in-class support material that engages employees and ensures they understand their roles, responsibilities and accountabilities
  • Web portals that track the results of a training effort and facilitate communication across the enterprise

Protiviti’s Social Business practice employs a systematic audit approach, covering the primary strategic and governancerelated processes needed to develop and manage social communities. These include detailed reviews of access policies and procedures, and an assessment of the technologies and tools deployed in an organization.

For more information or to contact one of our communication or social business experts, please visit www.protiviti.com. 

Example

A global consulting firm wanted to communicate the sensitivity of data losses and foster an employee culture that emphasized data security. To achieve these objectives, a two-pronged approach was developed. 

A broad review of the organization’s security policies led to revisions to the current protocols and a rollout of laptop encryption software to all consultants. Once the policies were in place, our team partnered with management to utilize a blended learning approach that included print awareness, online interactive and face-to-face training to emphasize the consequences and costs of data theft to the company and its reputation. The campaign featured a launch e-mail, posters, face-to-face presentation material and an online interactive training module to provide an in-depth look at data security. The print material was developed in English and translated into Korean and Japanese.

Employee feedback and audit findings at our client indicate increased awareness of laptop and data security and heightened compliance with policies and procedures. Furthermore, there have been no noteworthy incidents of data theft. Given that the estimated cost of losing a laptop computer containing proprietary client information is more than $50,000, the client has seen a significant return on its investment.

Contacts 

Pat Quinn
+1.519.342.2727
Scott Laliberte
+1.267.256.8825
Gregg Barrow
+1.212.708.6332
 

Ready to work with us?