Shining the “Spotlight”
December 2012 • WWW.SCMAGAZINE.COM

Shining the “Spotlight” on: Social Media
Enterprise use of social networks brings convenience and assists in marketing, but it also opens new routes for cyber criminals.

In this special Spotlight edition of SC Magazine with a focus on social media, we examine how the use of social networks impacts the security of the enterprise. Some argue that it augments productivity and helps marketing efforts, while others contend it places corporate assets in danger. We take a thorough look.

Including:
P10 A vulnerable world – It is a relatively simple matter for criminals to gather information from social media sites.
P14 Privacy in play – There’s a battle brewing about privacy controls that can have consequences for online commerce.
P18 Winds of change – Social media was useful during Hurricane Sandy, but data may never have been more vulnerable.

Website: www.scmagazine.com • www.facebook.com/SCMag

Contents
Regulars
5 Editorial – Welcome to our special Spotlight edition on social media.
6 DataBank – Some statistics on social media use – and misuse.
8 Update – News briefs on how social media affects the workplace.
22 Last Word: Finding privacy on a data-centric web – Online data about a user can impact how that person is perceived, says Microsoft’s Brendon Lynch.
Features
10 A vulnerable world – Criminals can easily gather information from social media sites that can then be used for social engineering and other attacks.
14 Privacy in play? – Don’t take chances until you read this…. There’s a battle brewing about privacy controls that can have significant consequences for online commerce.
18 Winds of change – Social media proved useful in communications during Hurricane Sandy, but enterprise data may also have been vulnerable as a result.

Advertisement: Is your company practicing safe social media?
With Facebook reaching one billion users, Twitter at over 500 million and LinkedIn at 161 million and growing, trying to stop social media is like trying to stop a speeding train! The good news? Companies that leverage social media tools are experiencing more efficient marketing, revenue growth and greater brand awareness. The bad news? Unmanaged social media access exposes you to the risks of brand damage, employee productivity drain and confidential data loss. The best news? EdgeWave Social Media Security creates safe social media with technology that seamlessly monitors, filters and reports on end-user interactions on your network. Our revolutionary approach not only gives you granular, policy-driven control over social media interactions, it does so from within the application itself. Your user gets a transparent experience, and you get integrated, real-time visibility and control that no other solution can match. See EdgeWave Social Media in action and download a free guide, Social Media without the Risks: www.edgewave.com/safesocial

SC Magazine™ (ISSN No. 1096-7974) is published 12 times a year on a monthly basis by Haymarket Media Inc., 114 West 26th Street, 4th Floor, New York, NY 10001 U.S.A.; phone 646-638-6000; fax 646-638-6110. Periodicals postage paid at New York, NY 10001 and additional mailing offices. POSTMASTER: Send address changes to SC Magazine, P.O. Box 316, Congers, NY 10920-0316. © 2012 by Haymarket Media Inc. All rights reserved. Annual subscription rates: United States: $98; Canada and Mexico: $110; other foreign distribution: $208 (air service).
Two-year subscription: United States: $175; Canada and Mexico: $195; other foreign distribution: $375 (air service). Single copy price: United States: $20; Canada, Mexico, other foreign: $30. Website: www.scmagazine.com • www.twitter.com/scmagazine

What is SCWC 24/7
SC Magazine has created a free virtual environment that is open year-round. Each month we host an event focused on a subject that you as an IT security professional face on a regular basis.

This month
Dec. 11 eSymposium: Hacking
Communications giant T-Mobile was just the latest in a series of assaults on corporate websites by cyber gangs whose intention is not necessarily to gain financially from their activity, but to wreak havoc on targets they deem offensive. These vigilante-style attacks are meant to embarrass executives by publicizing their secret dealings. However, as well-intentioned as these actions might be, there is still a transgression of laws in the exposure of personal, corporate or military information. What can authorities do to go after those behind these activities, and how can corporations better protect themselves so incidents – such as those that happened at RSA, Twitter, PayPal, Sony, Pfizer, the FBI, a number of police forces, the U.S. military and many other entities – don’t happen to them? We’ll take a deep dive.

On demand
Vulnerability management
Cyber criminals take advantage of vulnerabilities in web and other apps to gain entrance to corporate infrastructures. With breaches now happening on a regular basis using these methods, critical information of all kinds is being exposed. We learn from experts what companies can do to mitigate against these threats.

For more info
For information on SCWC 24/7 events, please contact Natasha Mulla. For sponsorship opportunities, contact Mike Alessie at mike.alessie@haymarketmedia.com. Or visit www.scmagazineus.com/scwc247.

SC Magazine Editorial Advisory Board 2012
Rich Baich, chief information security officer, Wells Fargo & Co.; former principal, security and privacy, Deloitte and Touche
Greg Bell, global information protection and security lead partner, KPMG
Christopher Burgess, chief security officer and president, public sector, Atigeo
Jaime Chanaga, managing director, CSO Board Consulting
Rufus Connell, research director, information technology, Frost & Sullivan
Dave Cullinane, CEO, Security Starfish; former chief information security officer, eBay
Mary Ann Davidson, chief security officer, Oracle
Dennis Devlin, assistant vice president, information security and compliance services, George Washington University
Gerhard Eschelbeck, chief technology officer and senior vice president, Sophos
Gene Fredriksen, chief information security officer, Tyco International
Maurice Hampton, technical account manager, Qualys
Paul Kurtz, partner and chief operating officer, Good Harbor Consulting
Kris Lovejoy, vice president of IT risk, office of the CIO, IBM
Tim Mather, director, information protection, KPMG
Stephen Northcutt, president, SANS Technology Institute
Randy Sanovic, former general director, information security, General Motors
* Howard Schmidt, former cyber security coordinator, White House; former president and chief executive officer, Information Security Forum
Ariel Silverstone, former chief information security officer, Expedia
Justin Somaini, chief information security officer, Yahoo
Craig Spiezle, chairman, Online Trust Alliance; former director, online safety technologies, Microsoft
W. Hord Tipton, executive director, (ISC)2; former CIO, U.S. Department of the Interior
Amit Yoran, chief executive officer, NetWitness; former director, U.S. Department of Homeland Security’s National Cyber Security Division
* emeritus

Who’s who at SC Magazine
Editorial
VP, Editorial Director: Illena Armstrong
Executive Editor: Dan Kaplan
Managing Editor: Greg Masters
Digital Content Coordinator: Marcos Colón
Reporter: Danielle Walker
Technology Editor: Peter Stephenson
SC Lab Manager: Mike Stephenson
Director of SC Lab Operations: John Aitken
SC Lab Editorial Assistant: Judy Traub
Program Director, SC Congress: Eric Green
Contributors: Stephen Lawton, Deb Radcliff, Karen Epper Hoffman
Design and Production
Art Director: Michael Strong
VP, Audience Development & Operations: John Crewe
Production Manager: Krassi Varbanov
SC Events
Events Director: Natasha Mulla
Senior Events Coordinator: Anthony Curry
Events Coordinator: Maggie Keller
U.S. Sales
VP, Sales Director: David Steifman (646) 638-6008
Regional Sales Director: Mike Shemesh (646) 638-6016
West Coast Sales Director: Matthew Allington (415) 346-6460
Event Sales Director: Mike Alessie (646) 638-6002
Account Manager: Dennis Koster (646) 638-6019
Account Manager: Samantha Amoroso
Sales/Editorial Assistant: Roo Howar (646) 638-6104
Account Executive, Licensing and Reprints: Elton Wong (646) 638-6101
Email List Rental
Senior Account Manager: Frank Cipolla, Edith Roman Associates (845) 731-3832
Circulation
Audience Development Director: Sherry Oommen (646) 638-6003
Customer Data Manager: Joshua Blair (646) 638-6048
Subscription Inquiries: Customer service (800) 558-1703; Web: www.scmagazine.com/subscribe
Management
CEO of Haymarket Media: Lee Maniscalco
Executive Vice President: Tony Keefe

Editorial
A special “Spotlight” on social media
Twitter, Facebook, Tumblr and other social networking sites have been making plenty of headlines lately – both good and bad (but, let’s face it, mostly bad). Just recently, a group engaging in an “anti-blogging” campaign attacked various major sites, like CNN, along with the microblogging platform and social media site Tumblr. The assault spread a pretty passionate, yet rather aggressive diatribe blasting “self-indulgent” bloggers, which packed along with it a nasty little worm that enabled the group’s statement to post itself onto victims’ pages, as well as onto the pages of those who visited them. Some 8,000 Tumblr users reportedly were affected – only this time it was just by inflammatory post, rather than compromised accounts and personal information.
Meanwhile, it was discovered just this week that users sending and receiving Twitter messages via text message on their mobile phones could fall victim to spoofing attacks. Apparently, a flaw in the system could allow attackers to spoof the user’s account to tweet whatever they wish via text. After reports of the vulnerability, Twitter issued a fix.

Still other attacks have persisted through social media, both those that result in havoc on the networking sites themselves, as well as those aimed at particular companies or government agencies that social media sites often facilitate. After all, one gullible end-user can mean a host of problems for organizations and CSOs like you.

Then there are all the privacy-related issues surrounding social media. Not only do cyber criminals harness the power of these sites to reach their aims, but government entities across the globe have used them, for example, to spy on unsuspecting individuals or, in many a recent conflict, taken them offline to squelch the communications of protesters.

On the flipside, social networking sites aren’t all pain. Of course, we all have experienced various departments using them to help market new product launches or stay in touch with customers. But there’s more. During Superstorm Sandy, folks everywhere turned to social media to get in touch with loved ones. Companies of all sizes used sites to account for staff and keep some form of business continuity.

Social networking is part of our everyday interactions. It is a bane to some and a boon to others. An unavoidable truth is that the many vulnerabilities social networking introduces must be addressed. Cyber criminals obviously love social media sites given the variety of ideas for attacks they have spawned. Individual users of them must ponder their own relationships with social networking sites and the privacy and security issues that plague them.
And, for the purposes of this last SC Spotlight of the year, business executives must figure out just how to marry business-related social media use with all the risks that they embody, and then decide if social networking is friend or foe.

Illena Armstrong is VP, editorial director of SC Magazine.

“Social networking is part of our everyday interactions.”

DataBank
Social Media Gauge: Social media stats and demographics

1. Social media accounts for only 16% of customer engagement today, but is expected to increase to 57% — the second-most used channel, behind only face-to-face interaction — within five years.
2. 30% of the world’s population is now online, and social networking is the most popular and time-consuming online activity — with users spending more than one-fifth (22%) of their time engaging on social media channels. This means that more than 250 million tweets and 800 million Facebook status updates are now published every single day. (Source: MindJumpers)
3. Brazilians have the highest number of online friends of any country, averaging 481 friends per user, while the Japanese average only 29 friends. (Source: MindJumpers)
4. 56% of Americans have a profile on at least one social networking site. And it’s not just millennials: 55% of those aged 45-54 have at least one social network profile. (Source: Convince & Convert)
5. Social networks and blogs in the United States reach 80% of active internet users and represent the majority of Americans’ time online. (Source: MediaPost)
6. 60% of people who use three or more digital means of research for product purchases learned about a specific brand or retailer from a social networking site. 48% of these consumers responded to a retailer’s offer posted on Facebook or Twitter. (Source: MediaPost)

[Bar chart: Percentage of people who use social networks (Source: Marketing Pilgrim). Bars for any social network, Facebook, LinkedIn, Twitter and Google+; values as extracted, in that order: 56%, 54%, 13%, 10%, 8%.]

Every minute of the day:
100,000 tweets are sent
684,478 pieces of content are shared on Facebook
2 million search queries are conducted on Google
48 hours of video are uploaded to YouTube
3,600 photos are shared on Instagram
571 websites are created
$272,000 is spent by consumers online
(Source: AllTwitter; Browser Media, Socialnomics, MacWorld)

Twitter by the numbers (Source: AllTwitter)
Twitter has more than 500 million registered users, but just 140 million active users (compared to Facebook’s 950 million active users and likely more than two billion registered users).
The United States, with 141.8 million accounts, represents 27.4 percent of all Twitter users, finishing ahead of Brazil, Japan, and the U.K.
Kuwait sent almost 60 million tweets in March.
15% of online adults use Twitter.
The 18-29 demographic is most represented on Twitter, at 29% of the user base, ahead of those aged 30-49 (14%) and 50-64 (9%).
14% of online men use Twitter versus 15% of online women.
28% of black online internet users use Twitter.
14% of Hispanic internet users are active on Twitter.
12% of white internet users are active on Twitter.
40% of Twitter accounts have never sent a single tweet.
18% of Twitter users tweet once or more a day.

What do people want from brands on social media? (Source: AllTwitter)
Deals and promotions: 83%
Rewards programs: 70%
Exclusive content: 58%
Feedback on new products: 55%

Top ten most engaged countries for social networking (Source: Browser Media, Socialnomics, MacWorld)
Israelis use social media nearly twice as much as Americans. Average hours per month per person:
Israel: 11.1
Argentina: 10.7
Russia: 10.4
Turkey: 10.2
Chile: 9.8
The Philippines: 8.7
Colombia: 8.5
Peru: 8.3
Venezuela: 7.9
Canada: 7.7
United States: 7.6

News Update

Spam migration
Maybe Bill Gates was on to something when he predicted that the scourge of spam would be “solved” by 2006. According to security firm Symantec’s first-quarter threats report, published in April, unwanted email accounted for roughly 75 percent of all messages sent in 2011, sharply down from 89 percent in 2010. Experts attribute the decline to a number of developments, notably growing resistance by spammers to the high cost of sending large batches of unsolicited email, stronger filters and built-in browser protection mechanisms, and smarter consumers who are less likely than ever before to click on an email lure.

But don’t raise those Champagne glasses just yet. Spammers haven’t yet forfeited their trade – they’ve simply moved the operation to a more viable and cost-effective channel, namely social media. By their very nature, social media websites, such as Facebook, provide fraudsters with a platform that is fundamentally built on sharing things – with the hope they spread like wildfire.

75% of the Fortune 100 are on Facebook. (Source: Burson-Marsteller)

Troy Hunt, a software architect, recently studied a common Facebook gift card spam that was propagating across news feeds, this one promising users a $400 free voucher at Woolworths, an Australian supermarket chain.
Clicking on the link, which is shared by a trusted “friend” who already has fallen for the con, brings users to a site that feigns urgency (the free vouchers are almost gone!) and encourages victims to share the offer with their friends on Facebook. Then, they are taken on a wild ride of redirects, finally landing on a survey page that offers the fake possibility of winning an Apple iPhone, iPad or iMac. The spammers get paid a small amount of cash for every person they can trick into completing one of the surveys.

Many of these scams take a similar form, but sometimes the miscreants behind them are even more pernicious and may be looking to harvest personal information or serve malware. Once victims catch on to the deception, they often take their angst to the Facebook or Twitter pages of the very companies whose names are being abused by the scammers, causing them reputational harm. “Their Facebook wall [is] littered with very unhappy customers,” Hunt says in a recent SC Magazine podcast. “It’s not a good look for them.”

What makes hoaxes like these so effective is unsuspecting users are likely to fall for them because a person they trust already has. “It’s endorsement, right?” Hunt says. “You’re seeing someone who you know, someone who you trust, and they’re recommending something. For the most part, email spam – even the very clever phishing scams that try to look as official as they can, brand themselves, use the company imagery – you can normally dissect those as a scam pretty quickly… So short of someone having their email account hacked and having large volumes of spam mail sent [from] their address book, it was really hard to give this level of endorsement and credibility, but now with social media, it’s just extremely easy to do that.”

He advises platforms like Facebook to implement better controls, like heuristics, to identify these threats.
Hunt also encourages internet marketing companies to institute a code of conduct so certain affiliates aren’t permitted to do business through them. And finally, for users, if the bait seems too good to be true, it almost always is. – Dan Kaplan

Social sprawl
As brands continue to recognize the power of using social media to connect with customers and clients and improve their competitive advantage, the number of accounts they own is on a meteoric rise. Many of these accounts may not even be permitted, but are stood up by groups of employees who, for instance, are working on a specific project for the company. According to a report this year from the Altimeter Group, the average enterprise operates 178 corporate-owned social media accounts across properties such as Facebook, Twitter and YouTube.

But herein lies a serious risk. Much like the astonishing proliferation of data with which most businesses are dealing, social media sprawl is challenging organizations to institute controls that allow them to manage this unprecedented growth. And in many instances, companies are failing.

Take KitchenAid, for example. During one of this year’s presidential debates, an employee, thinking he was using his personal account, delivered an offensive tweet: “Obama’s gma [grandma] even knew it was going 2 b [be] bad! She died 3 days b4 he became president.” KitchenAid rushed to apologize, according to reports, but the damage had already been done.

Incidents like this present legitimate reputational harm to a brand. The problem in combating them is that most companies lack visibility, and the ability to monitor content is a tedious task, especially when done manually, says Devin Redmond, co-founder of start-up Social iQ Networks, which helps organizations manage their social media infrastructure.
And, a lack of control over social media can render injury to a brand’s good name in many ways other than inappropriate tweets, including the exposure of proprietary information, or if an account is compromised by a hacker to spew malware or spam. Account sprawl also brings with it significant compliance exposure, considering some of the data that appears on a company’s social media channels may be regulated – or necessary for legal discovery reasons.

According to another study from Altimeter, only 60 percent of companies either coach their employees about social media policies, or do so only upon hiring. The report suggests that companies must implement more effective strategies, specifically assessing, prioritizing and evaluating social media risk.

A recent Forrester Research report supports these conclusions. The study contends that technical controls can be used to meet some of these risk management requirements – for example, an existing data leakage prevention tool may be able to be customized for use for social media. “While this may not be a sustainable model, you may be surprised what you can accomplish through ‘archaic,’ but free methods, such as performing ad-hoc web searches at daily or weekly intervals to identify information leaks or breaches of policy,” the report says. “This approach certainly won’t catch everything, but it will at least provide a glimpse into the number and types of issues your organization faces. It might also help you justify budget for vendor tools.” – Dan Kaplan

Looking in the mirror
Some companies are including social media awareness training as part of their overall end-user security education programs. But one might be surprised to learn that Facebook workers are undergoing similar treatment.
According to a recent story on news website Mashable, each October, the social networking behemoth runs an event called “Hacktober” during which engineers bombard employees with bogus cyber attacks, like phishing scams, to ensure they won’t click on a rogue link or attachment, which could invite malware into the organization. The company purposely avoids traditional teaching methods, like PowerPoint presentations, to stay in line with Facebook’s hip culture. And, it seems, the event has been a triumph, with a majority of users detecting the threats. Each time they do, they win a prize, like a shirt or bandana. Employees who fail to discern an attack are required to take additional training.

“We launched a worm to simulate some of the spam campaigns we see on Facebook and other sites, and this was our grand finale,” Ryan McGeehan, a director on the security team, told Mashable. “Within minutes, we were overwhelmed with reports from employees and it was a wild success.” – Dan Kaplan

Social media: a vulnerable world
Hackers, for good reason, have turned their attention to social media sites. But companies don’t need to wave the white flag, reports Alan Earls.

When filmmakers put together The Social Network – a movie based on the story of Facebook’s early years – their chosen subtitle was, “You don’t get to 500 million friends without making a few enemies.” Today, in an ironic twist, as the number of Facebook users soars past the one billion mark, the social networking site is collecting “enemies” in droves – attracted by its limitless cache of personal data and what many say are inadequate security provisions, especially for individual users. Indeed, according to many industry observers, hackers and others with malicious intent now see social media as the most fertile place to practice their wiles.
“From a malicious perspective, social media is the best thing that has ever happened,” says Caitlin Johanson, a former hacker and now customer support and training manager at Core Security, a Boston-based maker of predictive security intelligence solutions. “People have turned a blind eye to the implications of social media in terms of privacy, and the sites have done little to encourage users to secure their accounts and information.”

As a consequence, she says, it is a relatively simple matter for criminals to gather information that can be used for social engineering and other more sophisticated forms of attacks. And it is now happening on an industrial scale. Johanson says botnets can be programmed to scour social media sites for keyword combinations that can “spit out profiles” of individuals primed for exploitation. Likewise, botnets can comb through metadata and “every single part of the internet” to find complementary information to further assist in exploits.

In fact, there are hundreds of ongoing discussions and threads in hacker chat rooms and forums focused on this topic, says Rob Rachwald, director of security strategy for Imperva, a Redwood Shores, Calif.-based security firm that recently published a study on the social media threat. His company’s study examined the chatter on a wide range of forums, one of which has a quarter-million members, as well as on sites targeting more narrow geographic or language groups. But the conclusion, he says, is inescapable: Social media – particularly Facebook, with its huge user base – has reached critical mass, and hackers aim to exploit its latent power.

Variations on a theme
Rachwald says he has seen two different “hack” focuses. On the consumer side, some intruders work to manipulate Facebook rankings as a means of attracting even more “friends,” and then spread malware to them by, for example, encouraging visitors to click on a link or a photo. To further this kind of activity, other cyber criminals offer “bulk” Facebook accounts – some “real” and others bogus.

The other focus is on services that provide tools that can help individuals (particularly hackers) break into specific accounts. Rachwald says there are numerous variations on this theme, including “e-whoring,” which involves stealing suggestive images from social media sites and then recycling them in various kinds of pornographic schemes that can generate money.

Many of the same risks apply within corporations that allow employees to use social media, he says. “After Bin Laden was killed, there were hacker schemes to post and distribute fake photos of him through social media sites,” Rachwald says. “But the photos were actually vehicles for malware and could compromise corporate computers.”

Social networks are also a powerful tool for identifying corporate information and, especially, job functions and structures in companies, which can then power other exploits – financial crimes and thefts of intellectual property, for example. And, again, botnets and analytic tools are making the process ever easier for criminals, Rachwald says.

Others see a growing problem, too. “Just as there is a lot of hacking activity directed toward financial and retail websites, there is a growing level of criminally motivated communications being directed at social networking sites,” says Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT consultancy that focuses on data privacy and security issues. In fact, according to Irvine, hacking of even the largest of financial institutions, retail sites or other company websites cannot provide the amount of user data that social sites represent singly or in combination.

“The goal is obtaining information in bulk...” — Jerry Irvine, Prescient Solutions
Additionally, he says, while corporate entities have entire departments dedicated toward designing, maintaining and monitoring the security of their systems, social media networks are “managed” by their individual users who, for the most part, pay little attention to the security of their information. As a result, it is easier and more rewarding for miscreants to attack these platforms.

And, the problem is getting worse. Initially, says Irvine, malicious activity was more limited to individual accounts. Today, however, there are toolkits available for hacking, phishing and smishing (a form of phishing using text messages) designed specifically to help malicious individuals obtain large numbers of user IDs and passwords. “The goal for the most part is obtaining information in bulk, parsing it to determine authentication parameters for other websites and applications – financial institutions, credit cards and more – and then even complete identity theft,” he says.

Bait and switch
The simplest of the many scenarios used to leverage social media sites is having an application that will send phishing emails or smishing texts to unsuspecting users claiming to be an authorized person or department of the social networking company, and then requesting the user provide their login information. “Some of these tools may even use cross-site scripting to capture authentication parameters prior to forwarding the user into their actual site so that the link appears more legitimate,” says Irvine. More elaborate solutions use ill-gotten IDs and passwords to breach an account and send “friends” malicious applications, plug-ins and URLs to grab more personally identifiable information (PII) off of the friends’ PCs, laptops and mobile devices, he says.
While none of the malicious activities employed against social sites are entirely new, the important difference compared to previous hacks, Irvine says, is twofold: They are happening much more often and they affect a greater number of users per incident. In fact, says Irvine, “If you are a member of a social networking site, you have most likely been attacked and may not even know it.”

Alan Webber, a principal analyst and managing partner with Altimeter Group, a research firm based in San Mateo, Calif., says social media is evolving into the number one threat to corporations. And, he says, even though it can be an exercise in frustration when some employees don’t comply with corporate policies, user education about vulnerabilities and risks is just as important as having traditional IT security measures in place. “A lot of 20-somethings think this is all no big deal, but they are starting to learn otherwise,” he says.

However, Rachwald sees hope in technology. “Companies could simply try to block employees from using social media, but there are many reasons why social media is important for business today,” he says. One potential, in his view, is more pervasive and sophisticated monitoring, which should be able to catch many of the harvesting and information-theft activities by the bad guys.

Security: An impossible dream?
For businesses, protection from the misuse of social networking sites is very difficult at best, says Irvine. First, companies have little if any control over the content users place within their individual account. Additionally, there are many state laws prohibiting employers from viewing or using information contained within these social networking accounts for any employment reasons (i.e., hiring, termination, performance reviews and more). In some situations – such as when there is a suspicion of corporate espionage – employers cannot even view information on social media sites without involvement of law enforcement.
Additionally, technologies that scan, monitor and alert on social networking use are “not fully baked.” Irvine says there are solutions that can do keyword searches, and services that will scan individual social platforms for fees. However, he says he has not come across a completely automated solution that can scan, monitor and alert 24x7x365 across multiple platforms to detect positive or negative comments, inappropriate use and malicious activity or intent.

Large companies may use multiple platforms, services and internal web content filtering to monitor employees’ social network access while using corporate devices, or while they are on corporate premises. On the other hand, small to midsize businesses, for the most part, are limited to either allowing access – and hoping for the best – or blocking usage, says Irvine. Additionally, they may have a “social network appropriate usage” policy and some level of training, but the lack of authority or ability to control content placed on social environments limits their ability to protect themselves.

Possible, maybe

Even with all the challenges posed by social media, this is no time to roll over and play dead. Andrew Walls, a research vice president at the Grass Valley, Calif. office of research firm Gartner, says offshoring and technology have enabled attackers to find success targeting social media sites. For example, he says, hackers have developed ways to “forward” CAPTCHA challenges – typically a request to rekey the images of a distorted word or character combination – to porn sites where visitors are required to repeatedly “solve” them in order to maintain access. It is a tidy and economical, if bizarre, means of bypassing an important element in site protection.

Fortunately, Walls says, more sophisticated security products are coming to market for platform providers, as well as for individuals who focus on areas such as credit monitoring and reputation management. Collectively these might help hold the line against hackers.

Irvine, too, says there are steps companies can take to become more secure. For instance, he says, data leakage prevention and information rights management (DLP/IRM) solutions can help to provide improved protection for proprietary and confidential data. Specific functions of DLP/IRM applications that could help minimize security risks of social networking applications include limiting the ability of data to be copied, modified, transferred to another location, emailed or printed. Additionally, web content and protocol filtering solutions can be configured to monitor, filter, block and report on specific sites and content. Finally, he says, traditional anti-virus and malicious application detection solutions can offer protection from users being infected by malicious attachments, applications, plug-ins and URLs.

Webber says corporations also need to build a “solid listening platform” so they can understand what people are saying about a company – from a brand management perspective, as well as regarding whether an attack is in progress. “The fact of the matter is that your competitors are probably being attacked, too, so what you learn by monitoring them also can help you,” he says. Along with specific tools and techniques, Webber says companies should also “triangulate,” using risk management tools to identify and focus on areas of greatest vulnerability.

However, Johanson adds that “there is still no patch for stupidity.” Organizations should continue to educate users, though that still may not be good enough to protect against the most sophisticated of threats. That’s where tools come into play – backing up processes and helping to predict where problems will occur, so as to identify them before they become full-blown crises.

64% of Facebook users have clicked on a Facebook ad
Finally, Angel Grant, principal product manager at RSA Security, says companies need to revisit access controls and make sure they are appropriately aligned with social media threats. “Believe it or not, many companies forget about taking away access to a company social media site when an employee leaves a company, and that can be a gaping security gap,” she says.

Do not track

Privacy in play?

There’s a battle brewing about privacy controls that can have significant consequences for online commerce, reports Jim Romeo.

Recently, a man entered a Target store in Minneapolis with a coupon that had been sent to his teenage daughter for cribs and baby clothes. He was offended the promotion had landed in his family’s mailbox. Owing to its savvy statistical methods in gathering data on its consumers, Target knew something about this man’s daughter that even he did not yet know: She was pregnant.

Shop at Target, online or in-store, and customers will discover the retail chain’s uncanny ability to present custom promotions designed to appeal to personal buying habits. In today’s competitive online environment, the ability of online enterprises to capture information about consumers – from their preferred coffee brand to their curiosity about oil painting or a newfound interest in cribs and strollers – has brought the issue of consumer privacy to the forefront. The question is: How concerned are consumers that much of their private information is fair game?

This new paradigm of consumer intelligence gathering may have been a factor in prompting the Obama administration in February to unveil a “Consumer Privacy Bill of Rights” to serve as a foundation or “comprehensive blueprint to improve consumers’ privacy protections and ensure that the internet remains an engine for innovation and economic growth.” But, while privacy controls are a topic about which many consumers have expressed some concern, few know much about how they work.
Researchers at the University of California, Berkeley School of Law, presenting at the Amsterdam Privacy Conference in October, released findings indicating that of 1,203 adult internet users surveyed, a mere 13 percent of respondents had some knowledge of privacy controls, while a whopping 87 percent hadn’t even heard of them. But, when asked about their utility, respondents were in favor of disallowing online enterprises from collecting information about them. One of the researchers’ questions asked: “If a ‘do not track’ option were available to you when browsing the internet, which of the following things would you most want it to do?” Sixty percent of respondents replied “prevent websites from collecting information about you.”

“We’ve already seen major sites, like Facebook and Twitter, come under fire for their lack of security features,” says Mark Orlando, director of cyber operations for Lake Mary, Fla.-based Foreground Security. “However, we need to remember that user data is what enables these companies to monetize their services through advertising, marketing and the like, so there is little incentive for companies to add privacy controls unless users demand it or stop using the service.” Of course these sites continue to grow in popularity, so it seems for now users are content to trade in security and privacy for the features and functionality they’re getting by using the services, he says. “Until that changes, or until the business model changes, we shouldn’t expect to see many improvements in the privacy restrictions and controls offered by these sites.”

Twitter has improved its privacy controls. So has Mozilla Firefox, which offers a ‘do not track’ (DNT) feature.
Bob Bunge, associate professor at the College of Engineering and Information Sciences of DeVry University in Seattle, says that as DNT becomes widely adopted, the real winners will be incumbent tech companies – like Microsoft, Facebook, Google, Amazon and eBay – which have huge opt-in customer databases. “The real technical drivers of ‘do not track’ are the competing web browser companies,” he says. “Microsoft, in particular, has announced that Do Not Track will be the default setting in [Internet Explorer] 10.” This has set off a firestorm of criticism from the advertising industry and online retailers. However, Bunge says companies that rely on understanding their customers’ browsing habits in order to generate revenue will find other ways to do so, such as through data mining. On the other hand, Facebook is on record as supporting DNT, Bunge says, adding that such Big Data repositories allow companies to track customers through data mining, so a locked-down browser will not affect them as much.

Stephen Cobb, security evangelist for ESET, a global security vendor with U.S. headquarters in San Diego, says there seems to be much praise for these developments in privacy circles, but they are something of a yawn in consumer circles. This is not surprising to him because, he says, the average internet user is not really aware of how much tracking goes on. “If you take Mozilla’s numbers, less than nine percent of desktop users of Firefox have adopted DNT, and less than 20 percent of Firefox mobile users,” says Cobb. “Those numbers may change as more people understand the data-gathering process going on behind tracking. However, if you turn off tracking, you will start to lose some of the features and functionality offered by other big social media players – notably Facebook, Google, LinkedIn and Instagram – for whom tracking is part of the business model.”

He says he sees Facebook continuing to evolve its privacy control mechanisms and interface, although it is still a long way from easy to use. “Again, if user-behavior tracking is part of your business model, that makes it hard to deliver simple user controls that don’t break that business model,” he says.

Privacy & LinkedIn: “Old people issue”?

LinkedIn is all about professional networking. For those who maintain a profile, the information one shares with others may be sensitive, but the site does have privacy control options in its settings to select and edit data depending on the degree of sensitivity. Reid Hoffman, the billionaire founder of LinkedIn, called privacy an “old people issue.” Hanzi Durzy, a spokesperson for the company, helped explain LinkedIn’s philosophy on privacy.

SC: Can you give us an overview of LinkedIn’s privacy policy and how it came to be? Has it changed much over the last year or two?

Hanzi Durzy: LinkedIn’s privacy policy is designed to reflect the evolving ways in which our members are using the platform and exchanging their insights and data. The principle that guides all of our decisions, including ones regarding privacy and data protection, is to put our members first. As the world’s largest professional network, LinkedIn takes the privacy of our members’ data seriously. We believe that more than 187 million professionals who have joined LinkedIn want to be seen and heard by people that they may not know personally. We also believe that those professionals should be able to easily manage the information they share and how they share it. So, our privacy and data protection product philosophy is based on three ideas: clarity, consistency and control.

SC: What is LinkedIn’s philosophy with regard to ‘do not track’ privacy controls?

HD: We understand the desire to provide people with choice about how their internet browsing history is used. LinkedIn is also very aware of the need to provide its members with innovative products. Achieving the right balance in this equation is crucial, and in doing so, we will strive to stay true to our focus on our members and maintain consistency, clarity and providing easy-to-use controls to our members to manage their experience on LinkedIn.

SC: Is LinkedIn a believer in such a policy, and does it have plans to implement tighter tracking controls in the future? Why or why not?

HD: We have no immediate plans to implement DNT, given the fact that there still is no consensus on what the DNT signal should exactly mean.

Meanwhile, Michael Sprague, co-founder of Scrambls, an open source technology that provides controls for online posts in social media applications, says DNT privacy controls have been well received. He also points out how many people are still unaware of how much information social media companies collect about them and the ways in which this data can be used. “The case of Target figuring out that a girl was pregnant before her father did is an excellent example,” he says. “Facebook, LinkedIn and others should make it simple for users to understand and use privacy settings. At Scrambls, we advocate that users should be able to design their own privacy settings and use them across the web.”

In any case, social networks make frequent changes to their privacy controls, Sprague adds. “Often, these changes are driven by business requirements, rather than addressing the needs of the consumer. For example, a privacy change will allow a new type of advertisement to be displayed, targeting users based on their personal information. It is rare to see a company taking an active stance to increase the privacy of its users.”

Further, Sprague says Twitter has taken an impressive leadership position in attempting to defend the privacy of its users. He points to a recent case in September where tweets sent by an Occupy Wall Street protester were ordered unsealed. Twitter did not want to reveal the tweets, but a Manhattan Criminal Court judge ruled that they were to be turned over as evidence. “The implications of that decision are deeply troubling for anyone sharing personal content on social networks,” says Sprague.

And, he also expresses concern about how the bring-your-own-device trend is affecting personal privacy. “It has already become common practice to bring your personal devices to work: smartphones, tablets, notebooks and more,” says Sprague. “Now what we’re doing is bringing our different identities into the work environment, with different levels of access associated with them.” The interesting question to consider, he says, is when and why one will have access to online information in the future. “It will be absolutely essential to have the ability to develop access policies based on context, and to have the ability to make dynamic changes to these policies,” he says.

90% of companies with 100 or more employees use social media in their marketing mix. – eMarketer

The prognosis, say many privacy experts, is that privacy policies with regard to online posting and access will likely become more critical, where a new watchword will govern: caution. “Businesses should remind users that everyone is a potential target,” says Foreground Security’s Orlando. “You don’t have to be a high-ranking executive or have access to sensitive corporate information. Sometimes it’s strictly a numbers game for the bad guys, where they want to accumulate as much data as possible regardless of who their targets happen to be.” The lesson: Don’t give them anything with which to work, Orlando says. A good rule of thumb is to remain as vague and boring as possible when posting to these sites, and don’t post anything one wouldn’t be comfortable posting on a sign on one’s front lawn, he says.
“Don’t vent about difficult projects or difficult people at work. Don’t advertise dates and destinations for trips you’re taking. Always assume that there are no privacy protections for what you’re sharing, even if you think it’s only going to your small network of friends.”

ESET’s Cobb says the biggest challenge is to build a business model that enables transparency about your intentions toward user data. For example, he sees Twitter as figuring out how to build revenue streams without tracking because of the demographic it attracts – and part of the allure for customers is the service’s position on tracking. Looking forward three to five years, he believes the public may reach the privacy cliff – where people have to choose between free content supported by an advertising system that requires acceptance of tracking, or paid content that is delivered without any tracking. “This stark, binary choice is more likely, in my opinion, than the evolution of widely embraced granular privacy controls,” says Cobb.

It’s a big IT security world out there... But, it doesn’t have to be so daunting. Not with the launch of SC MarketScope. This new site, brought to you by SC Magazine, is the place for purchasing IT security products and services. SC MarketScope is the first stop for key decision-makers. Features include:
1. Vendor overviews
2. Reviews of products/services
3. Expert advice and opinion from IT security contributors and columnists (exclusive to SC MarketScope)
4. Lead generation
We’re live! Visit us at www.scmarketscope.com. For more information, please contact Samantha Amoroso, sales campaign manager, SC Magazine, [email protected], 646-638-6021.

Disaster recovery

Winds of change

Social media proved useful in communications during Hurricane Sandy, but enterprise data may also have been vulnerable as a result, reports Stephen Lawton.
When Hurricane Sandy blew into coastal New York and New Jersey, it also churned up information security contingency plans that had never been so challenged by an act of nature. With the loss of data centers and cell phone towers, and interruptions of the local and regional communications infrastructure, companies still needed ways to keep in contact with employees, customers and vendors. As a result, social media sites became hubs of connection and correspondence.

Outside of those who lost internet and cellular connections, social media sites saw increased activity. According to Twitter, more than 20 million tweets were sent at the height of the storm. Twitter based its number on tracking the terms “sandy,” “hurricane,” “#sandy,” and “#hurricane.” As well, Facebook uses a metric called Talk Meter, which measures topic mentions on a scale of one to 10. On the day the storm hit, just a week prior to the run-up to the presidential election, Facebook said it reached a level of 7.12, compared with “Obama” (3.86) and “Romney” (3.5).

While these mentions were overwhelmingly news about the storm and how affected individuals were coping, businesses also made use of social media. But the emergency should not be cause to skirt security issues that are always present with enterprise use of social media. “Using Twitter, Facebook and other social media sites is fine as long as workers use common sense,” says Blair Pleasant, president and principal analyst at COMMfusion, a Santa Rosa, Calif.-based technology consultancy that focuses on unified communications. “My motto about using social media is, ‘Don’t be stupid.’ Understand that this is a public forum and don’t release any confidential information.” Some companies have developed social media guidelines and tools so that workers understand what is and isn’t OK to say in these public forums, she says.
Because of the inherently insecure nature of sites like Twitter or Facebook, social media should be used during disasters to relay information about safety, provide status updates – “We’re OK, but have no electricity” – or provide information about where to get supplies, Pleasant says. “You can let customers know that you lost power or communications, and maybe give them alternative ways to contact you, but don’t conduct real business over public social media sites.”

Rather than focusing on consumer-oriented social media sites, which offer minimal security options, Pleasant instead recommends that IT organizations use enterprise-grade social media services and products – such as IBM Connections, Cisco’s WebEx Social, Yammer and Jive. “These let workers get the benefits of social software, but in a secure, private environment,” she says. The primary reason to go this route, she says, is because social engineering continues to be a challenge for many companies. From a corporate and business perspective, workers might give away proprietary information, including “soft” intelligence, such as identities of employees or locations of premises, which could assist social engineering attacks against the company. “In an economy where information is the lifeblood of an organization, preserving the confidentiality, integrity and availability of information is vital,” she says. “Virus and malware protection is still important, but data loss prevention is fast becoming an indispensable component of an organization’s technology protection.” In order to overcome these potential vulnerabilities, she recommends a combination of approaches, including technology, policies, guidelines, controls, enforcement and education.

Vulnerabilities: Exposure

Blair Pleasant, president and principal analyst at technology consultancy COMMfusion, cites several security vulnerabilities related to social media. These include:
• Information leakage – loss of confidential information;
• Network and data security – viruses, spyware, malware spread through accessing links, applets;
• Compliance – storing and sharing data and content as required by law or regulations;
• Exposure to legal liabilities and financial penalties – data contained on social media accounts may be regulated or necessary for discovery;
• Client or patient identity and privacy – potential violations of various privacy laws;
• Damage to business value – company brand and reputation;
• Data exfiltration – stopping corporate data from leaving the company’s network is the primary challenge.

“A good social media policy won’t erase all of the risk...” —Alan Webber, Altimeter Group

Authentic communication

Pleasant’s concerns are echoed by Nicholas Percoco, senior vice president of security vendor Trustwave’s SpiderLabs, a research team that performs penetration testing, develops security tools and issues public advisories about vulnerabilities it finds in various products and technologies. He says that when non-traditional forms of communications are employed during events like Sandy, such as distributing information over social media networks, two major security issues come to the fore. First, he says, recipients of the messages need to know that the messages are authentic. Second, recipients must know where to go to obtain valid information from the company.

It is easy to create a Twitter or Facebook account that looks official but can dupe readers, Percoco says. For example, a potential attacker could create an account that has a company name and the word “alert” after it. Employees might not realize that this is a fake account and that posted information could be misleading, causing those who follow it to take actions that could create security risks.
Companies need to create written policies and explain them to employees, customers or anyone else who might need to see a message from the company, Percoco says. A company’s policies also need to outline where authenticated information can be found and who is authorized to distribute that information.

Alan Webber, principal analyst specializing in digital risk management for the San Mateo, Calif.-based Altimeter Group, posted a blog just days before the storm, advising companies to institute a social media policy. While the timing was coincidental, Webber says in an interview that Sandy underscored his belief that companies need to include social media planning as part of an overall disaster plan. While social media can open some new vulnerabilities, it is not unlike email or other traditional forms of communications and, therefore, the risk that social media creates can be mitigated. Companies need to use social media as a communications tool that includes acceptable-use policies and proper training, just as they would with phones or laptops. “A good social media policy won’t erase all of the risk of having a social media presence,” he says, “but it will outline what is considered acceptable, and if and when things go wrong, a process for addressing the issue.”

Brian Honan, CEO of BH Consulting, agrees. “Companies should decide beforehand on how they plan to use social media in the event of an emergency,” says Honan, who is also CEO of the Irish Reporting and Information Security Service, Ireland’s first CERT (Computer Emergency Response Team). These protocols, he adds, should be built into the company’s social media strategy. “In the event of a disaster, companies need to be aware that a number of stakeholders may be looking for updates on what is happening,” he says.
“People – such as staff, family members of staff, customers, suppliers, partners and the media – may be looking to see how the company has been affected.” As such, the company should look to post relevant news, but ensure that news does not unduly alarm those looking for information, he says. Companies should also be aware that due to the public nature of social media, they should not post too many details about the effects the disaster has had on their premises, particularly their physical security, as criminals may be looking for such information.

Another challenge companies face when using social media is ensuring that stakeholders are getting authentic information, as criminals will exploit disasters to launch phishing and social engineering scams. Employees need to be trained and aware of the social networks and the type of messages the company will be sending over these networks, Honan says. “In a time of crisis, staff will be looking for information on what they should do – for example, whether or not they should turn up for work,” he says. “This could be an opportunity for criminals to use the disaster as a means to attack the company by using phishing messages within social media platforms.” In addition, a number of fraudsters have been known to set up fake accounts in the names of companies and post false information that could damage the reputation of the company or even influence stock market prices. Additionally, Honan says that these bogus accounts could be used to send messages to staff that contain links to websites infected with malware that would enlist their computers and/or smartphones to either steal financial data or intellectual property, or gain a foothold within the company’s network to exploit at a later time. “Employees also need to verify that accounts claiming to represent their employer are actually real,” he says.

The data center

During Sandy, flooding throughout the greater New York area caused widespread power outages, including to data centers, SpiderLabs’ Percoco says. When power at the data centers failed, backup power generators would have been used to keep systems up long enough for IT departments to shut them down safely. However, when all power was lost to the data centers, not only did the servers go dark, but so did the physical security barriers guarding the facility, such as cameras, cardkey locks and other electronics. In such cases, he says, a company could be breached by attackers who could enter the data center and pull hard disks directly out of servers. In cases where the attacker would not want the victim to know they were compromised, they could simply clone hard disks and then return them to their original servers.

23% of Fortune 500 companies maintain an active blog. – V3 Integrated Marketing

While such attacks on physical assets are possible, they are less likely today than they were in the past, says Altimeter Group’s Webber. It is more likely today that attackers will use social engineering techniques to introduce malware onto corporate systems than to burglarize a data center. Ideally, Percoco says, companies in potential disaster zones will have a failover disaster recovery facility that can take the load in case the primary data center is damaged or destroyed. But, if the failover facility is cloud-based, companies still need to have plans in place for servers that are not cloud-based. These need to handle confidential company data, such as trade secrets or client lists, which data security policies state must be on secure servers.
Comparing the scope of Sandy to another devastating event of recent times, Hurricane Katrina, Pleasant says, “New York City has more data centers than New Orleans, not to mention it’s the center of the financial world, so obviously there was more damage to the business world.” Honan agrees, adding that companies should look at the risks and assess them based on their business requirements. For example, an e-commerce site would have more dependency on its data center than a company that is only hosting a “brochure ware” website, he says. Once the company identifies the risks, it should look at ways to address them, including having backups and an alternate data center. Companies also need to consider having “real-time synchronization of data and automatic fail-over to another data center,” Honan adds. “This would also require building that functionality into their environment and applications, which could prove quite expensive.”

Be prepared

At Montefiore Medical Center in the Bronx, roughly 100 miles north from where Sandy hit the shore in New Jersey, CIO Jack Wolf said he was prepared for the storm. The hospital conducts annual tests of its disaster recovery plan, and three times a year evaluates additional backup systems. While the facility does not currently have a disaster recovery plan that specifically identifies social media, it was able to use Facebook, Twitter and Yammer extensively on an ad-hoc basis during Sandy. Wolf says an important directive he sent to employees was to make sure they did not disclose protected health information (PHI) of patients over nonsecure communications (PHI is covered under the Health Insurance Portability and Accountability Act, or HIPAA). While some employees communicated via texting, Twitter and Facebook to coordinate transportation to and from the hospital, “direct patient care was limited to voice communications,” he says.
Because of the danger of a third party intercepting a message or installing malware on systems, he discouraged the use of internet cafés and Wi-Fi hot spots for connecting to hospital databases, viewing patient data or accessing other information. A Yammer account was set up and used extensively for communicating with employees, he says. This proved to be a viable hub for communications because it was easy for the employees to use. While Montefiore did not lose power, other facilities in the area did. As a result, it was able to assist other hospitals in the region, Wolf says.

One of the key lessons learned from Sandy was the need for the medical center to incorporate social media into its emergency response policies and procedures, Wolf says. While the use of social media worked well during the Sandy crisis, every IT disaster recovery component needs to be documented and tested, and the employees trained in their proper use. Sandy tested the IT department’s ability to use social media during a disaster, but Wolf says it is better to have a vetted policy in place. He also says he will look into new methods for remote clinicians to access hospital records when traditional virtual private networks (VPNs) are not available.

340m tweets per day are sent. – Digital Buzz Blog

Wolf was pleasantly surprised at how quickly the employees and IT staff were able to set up a social media command center and use it successfully. Unanticipated challenges, such as the loss of power across such a wide swath of New York, meant that employees who were not at the hospital had to improvise in charging their cell phones and other internet-connected devices. The loss of cell towers also complicated network access. Overall, social media got relatively high marks during Hurricane Sandy. However, data security breaches are insidious, and it is still far too early to tell if the storm led to any significant compromises.
But even if information-loss incidents are discovered over time, it may be too difficult to determine if they were related directly to the storm or to the use of social media.

Social media: Policy

Alan Webber, principal analyst for the Altimeter Group, says there are three reasons to have a social media policy:

Establish an acceptable pattern of behavior. Social media policies should first establish what acceptable patterns of behavior (or PoBs) are for employees, and even customers, on social media. These acceptable PoBs can be as broad as saying ‘Do no harm’ to being highly restrictive around content, platforms, who gets to participate and how social communications are cleared. Some of the companies best at this include cases that give employees and others some context around the acceptable PoBs.

Protect the company and the employees. Secondly, social media policies should defend both the company and employee. By outlining what is acceptable, the company can then identify who and what the company will and won’t allow, and if an employee should step past that line or outside that pattern, the company is somewhat protected legally. At the same time, the policy should protect employees. That way, if they are following the policy and something goes wrong, they are covered. But check that with legal counsel.

Provide an enforcement framework. If and when something goes wrong, the policy should provide a process to address the issue. For example, if someone continues to post inappropriate content on the corporate Facebook page, then there is an even-handed process in place to address the issue.

Last Word: Finding privacy on a data-centric web

Online data about a user can impact how that person is perceived, says Microsoft’s Brendon Lynch.

As the digital world continues to evolve, social networking will remain an essential component.
Services like Xbox LIVE, Facebook and Twitter attract millions of members and weave seamlessly into everyday life – from our smartphones to web search. As we share this information, we generate massive amounts of data. In fact, 90 percent of the data available in the world today was created in the last two years. Considering the amount of information we share and store online, some might ask: Does privacy still matter?

Privacy remains tremendously relevant, especially in the social media-infused, data-rich world in which we live. Consumers expect strong protections, as they are increasingly aware of the digital “trails” they leave behind online. The Pew Research Center recently found that more than half of Americans who use mobile apps have uninstalled or avoided certain apps due to concerns about the way personal information is shared or collected. Interestingly, young people cared about this just as much as older people.

The fact that the next generation of consumers is growing up on social networks and constantly interacting with their mobile computing devices is redefining privacy. They want to share more information, but still want to maintain control over how much they share, who they share it with and how it is used. They don’t want their data to be later used or shared in ways they did not expect or that do not provide value to them. People want to share information, but they want the organizations that hold their information to use it responsibly and to protect it.

That said, privacy on social networks is a two-way street: Users are expected to responsibly manage their own information. Every single piece of data that exists online about a user can impact how that individual is perceived by family and friends, an employer, a mortgage lender – anyone. Unfortunately, many of us are unaware of the cumulative “portrait” created by the aggregate of this online data.
A Microsoft survey found that while 91 percent of people at some point have done something to manage their overall online profile, only 67 percent feel in control of their online reputation, while fewer still – 44 percent of adults – actively think about the long-term consequences of their online activities.

There are many simple ways you can better protect your online reputation. For instance, on social networking sites, personal blogs and other places where you maintain personal data, use privacy settings to help manage who can see your profile or photos, how people can search for you, who can comment and how to block unwanted access. According to our research, 49 percent of adults do not use privacy settings on social networking sites. Think about what you post (particularly personal photos and videos), with whom you share information, and how this content reflects on your reputation. Let others know what you do and do not want shared, and ask them to remove anything you don’t want disclosed. Our research showed that only 38 percent of adults and 39 percent of children (ages 8 to 17) actively think about the long-term impact their online activities might have on someone else’s reputation.

There will need to be more focus on the use of information in the future to help ensure better privacy protection for everyone. It’s essential to maintain an open dialogue about this subject to keep privacy headed in the right direction while we reap the benefits that technology advances and increased data sharing will provide.

Brendon Lynch is the chief privacy officer at Microsoft.

Don’t be anti-social. Follow us.

Our websites, scmagazine.com and scmarketscope.com, combined receive more than 1,000,000 monthly impressions and 80,000 monthly unique visitors.
Readers have come to expect timely news, in-depth feature stories, virtual events and industry opinions, and we fully enlist social media to bring our award-winning editorial content to as extensive an audience as possible. Through blog posts, tweets and specialized newsletters, we keep you connected to the pulse of the security industry. Visit us today at www.scmagazine.com.

Sponsor

The EdgeWave portfolio of web, email and data protection technologies delivers comprehensive protection with unrivalled ease of deployment and the lowest TCO on the market. The company’s award-winning product lines include iPrism Web Security, Social Media Security and the ePrism Email Security Suite.