In a recent post for ReadWriteWeb (3 Ways Social Media Can Put Enterprises at Risk), I outlined a few IT security “blind spots” that many companies are currently trying to address when dealing with social media applications. As last week's blog post on our Application Usage and Risk Report findings pointed out, I am convinced that social media is here to stay in the enterprise. To expand upon the points I made in that article, I’d like to add a few details on how I think each of these “blind spots” should be approached.
On basic user education: It helps, but we’ve seen time and again that hackers can always count on user behavior to provide the openings they need to penetrate network defenses.
On SSL being a double-edged sword: On the one hand, for an end user, SSL encryption is often the only thing protecting your connection to web applications and services, which is particularly important if you’re using a public or poorly secured Wi-Fi network. Several high-profile social media account hacks, advocacy by consumer-protection groups and the introduction of freely available packet sniffing tools (such as Firesheep) drove home the importance of encryption for all kinds of web services. On the other hand, ongoing problems with the certificate authorities themselves underline the point that just because traffic is encrypted doesn’t mean that it’s safe. In addition, SSL can actually increase the risk to your organization, because the same encryption hides your users’ traffic from all the (expensive) hardware and software your company has invested in to protect users on the company network – unless that equipment is a next-generation firewall that can look inside SSL. Here’s where IT can take the lead role by ensuring that their network defenses have deep visibility into all network traffic, including SSL.
On mobile devices, particularly application security: IT can issue user guidance on remote access for popular consumer devices and, obviously, a VPN will likely be the most secure connection that employees can use. Products such as GlobalProtect go a step beyond this, delivering protection and performance so that employees will actually use them. Also, although user education will never be something that security professionals can rely on to block risk, it still helps in the edge cases where mature technical solutions are only now emerging. For instance, given the prevalence of insecure consumer collaboration apps on mobile devices that may cross over into work activities, IT can recommend which applications employees should use for accessing work email and similar communications. This may also help minimize the overall risk to their personal accounts on Facebook and other social sites. The more secure the information is on “non-work” websites, the less likely those accounts are to be used in phishing attacks or the like against employees in your organization.
By using the above strategies and combining them with rock-solid network security and other security technologies where appropriate, you can make sure your company is able to maintain productivity at the speed your business demands.