Cover

Social networks: boon or bane?

Social networks are more than just platforms to connect you with your friends. With security issues being taken care of, they are gradually becoming productivity tools rather than being security threats for organizations, writes Varun Aggarwal

Popular social networks such as Facebook, LinkedIn and MySpace have become lucrative targets for security attacks, as they are identity goldmines and a considerable amount of monetary benefits could be garnered by exploiting identity information of users. According to a research study compiled by the US National Cyber Security Alliance (NCSA), more than 74% of users divulge personal information, including email addresses and birthdays on their profiles. Most often than not, the page containing the identity details of a user is accessible to anyone who is a friend of the user. Any person could just sign up and get hold of identity information by tricking the user and adding him/her as a friend.

Achyuthanandan S, Research Analyst, ICT Practice, Technical Insights, Frost & Sullivan opined, “Identity information stolen from social networks could be used by hackers to obtain financial gains by selling the information to marketing companies and by other means. For instance, a combination of a user’s social security number, birthday, and name could provide enough ammunition for criminals to steal financial records and statements of the user. Evidently, social networks are any social engineer’s goldmine and this has made them an attractive target for identity theft.”

Another issue that is particularly relevant to corporate security is malware. “For a number of years, email has been the most popular medium utilized by hackers for spreading malware. But now, social networks have overtaken email as the most preferred platform for launching security attacks targeted at spreading malware. The entry of malware into enterprise PCs and the enterprise network could jeopardize the underlying computing and security infrastructure of a company. In particular, if data-stealing malware penetrate into enterprise networks, companies could end up losing intellectual property and confidential business data,” added Achyuthanandan. According to a recent study conducted by US-based security vendor ScanSafe, it is estimated that one out of every 600 Facebook profiles is infected with some form of malware or spam. Different techniques that could be used for spreading malware through social networks include Spam, cross-site scripting (XSS), cross-site request forgery (CSRF), click-jacking, phishing, and impersonation attacks. The last major threat to enterprise security via social networks is data leakage.

According to S V Ramana, CIO, Tulip Telecom, corporate groups on the social networking sites can be subject to identity fraud and defamation. A malicious user may use such groups to damage corporate image/reputation. “This increases the risk of introducing various worms/virus/trojans in the internal network. Historically, social networking sites have been used to launch browser-based attacks. These sites are very frequently used for social engineering purposes and hence loss of confidential information. This also poses a legal risk to the organization. As per the IT Act the organization shall be held liable for facilitating a malicious activity from its network,” added Ramana.Training the staff

That was about the risks that social networks hold. However, do all Indian organizations treat social networks as a threat? The answer is—not all. Moreover, even the ones, which treat social networks as a threat to their organization, often do not have proper training for their employees on the hazards. The good news is that this is changing.

Recent trends indicate that companies, especially the ones that do not restrict social networks use during work hours, are taking serious interest in ensuring that employees are aware of the security threats prevalent in social networks. Enterprise security officers have realized that employees are the weakest link in the security ecosystem and steps are being taken to ensure that employees are aware of what is at stake if security is compromised. The general opinion among enterprise security administrators is that, more than rules and regulations, employee guidance and education are of paramount importance.

Achyuthanandan explained, “Usually, the goal of security training programs is to ensure that the employees are completely aware of the different types of security threats prevalent in social networks and the Internet as a whole. Typically, enterprises educate employees about the need for security and security awareness and proceed to train them about the security perils in social networks through e-learning modules and training sessions. In addition to that, enterprises also educate employees about the security policies and regulations of the company and mandate employees to sign security policy and acceptable-use policy documents. Besides, enterprises are also encouraging employees to undertake third-party security certification exams.”

Tulip makes sure that its employees are well versed with the possible threats on the social networks. Explaining the training methodology, Raman said, “We conduct employee awareness sessions about social networking and the various types of available social engineering methods are explained to employees.”

To make sure that all the employees are aware of the threats at the social networks, Shoppers Stop makes its employees go through its Accepted Use Policy. Arun Gupta, Customer Care Associate and Group Chief Technology Officer, Shoppers Stop said, “The Acceptable Use Policy (AUP) for usage of IT infrastructure, including the Internet and networking sites, clearly depicts the dos and don’ts by our associates. The AUP is a document that is signed by every employee at the time of joining the organization. It highlights the terms and conditions of use of IT equipment provided by the company and used by employees, contractors or temps in standalone mode, connected to the LAN or WAN using any medium, accessing company applications and data. This was created to help our associates be aware of the boundaries in which they operate, what is acceptable behavior and activities that are out of bounds. It also authorizes us to audit any machine or traffic over the network.”

Social networking for enhanced productivity

Just like any other technology, even social networks come with their share of security issues. Having said that, there is a lot that these networks can do in order to increase productivity of a company, present a positive image in the market and counter any false reports circulating over the Internet.

Diptarup Chakraborti, Principal Research Analyst, Gartner said, “If you go back in time, instant messengers, communicators (unified communications) were a strict no- no and a taboo, both in India as well as abroad. Now, companies have realized that these tools add to productivity, enable collaboration and reduce cost. Therefore, many organizations now allow some level of instant messaging. That’s a change of mindset that we’ve seen. Initially, organizations thought that using IM or collaborators, employees would just chat and won’t work and then they thought since everyone was connected online, this would choke the bandwidth. However, both these points were proven incorrect. Now, since they realize that these tools enable productivity, they allow it.”

“Similarly, when it comes to social networking, today we talk about security issues, we talk about anonymous blogs and postings that could leak out confidential company information. However, security issues come with every technology, and I think over time, the security issue would be tackled and I don’t see any overwhelming security issues in social networks. There would always be some black sheep in the organization who can take undue advantage of the benefits given to them. With the developments taking place so fast, security won’t be an issue at all by next year. Social networking enables customer service. It enables marketing and also becomes a peer-to-peer discussion forum apart from becoming a recruitment forum,” Chakraborti added.

You can have a discussion forum on Facebook, Orkut, LinkedIn, etc., where you can have experts from organizations coming and talking about a particular topic. For example, when Microsoft and Yahoo deal was taking place, Microsoft had blogs and discussion forums running on sites like Facebook where the topic was discussed very actively. Some of the participants were actually senior management people from Microsoft who were giving their side of the story and since it is very informal, it has a lot of credibility to it.

If you have some negative publicity that’s crawling through the Internet, you can use social networking to sort it out much faster. Companies have started tracking what is being written about them on the social networks. They are also contributing to the social networks to correct any incorrect information being discussed in the forums in a credible manner.

Ramana opined, “At Tulip we are making various social platforms available to all employees to choose. We currently have a social group on LinkedIn which caters for formal discussions, whereas the corporate blog acts as an information and discussion forum. Currently, we are also working towards engaging our customers through dedicated social platform.”

Similarly, vCustomer uses social networking platforms like Twitter and Facebook to help their clients support their customers in a better way. They have created APIs for all popular social networks, which extract relevant information being circulated over the social networks about some area-specific outage, etc., and send that information to the client so that they’re up-to-date without calling the vendor for every small little query. Sanjay Kumar, Founder & CEO, vCustomer explained, “We have created a framework for customers to support other customers. If one customer sends a ‘twit’ that he has an outage, all the other customers in the vicinity would get this info.”

Gupta averred, “Social networking sites are gaining popularity amongst the Internet savvy employees. We also use the Internet as a medium to connect with our partners and conduct business with our customers. Most of the popular sites are presumably free from malware and other unsavory code that may harm an enterprise’s systems. The risk of employees posting sensitive information on these sites requires attention and education.” The company is also working on a company blog, which is an attempt to provide its associates an avenue to share their thoughts and information. “We propose to link this to a Wikipedia-like platform to help capture the rich knowledge existing within the enterprise while encouraging associates to use the medium to create collective wisdom. We are about three-four months from deployment,” Gupta added.

Many organizations do not allow their employees to blog and if caught doing so, there are actions taken against them. To prevent this situation and allowing the employees’ to share their views freely, many organizations have started internal blogs. However, experts believe that this may not help in preventing employees from participating in public blogs. Achyuthan-andan opined, “The presence of company blogs, wikis or other knowledge-sharing platforms would not reduce the cases of inadvertent data leakage. The primary motive behind blogging is to share information or opinion on an issue to a large audience, and hence, employees would still be more eager to post their thoughts on public blogs regardless of the availability of a private company blog, whose audience is limited. Besides, employee bloggers may prefer to retain anonymity, which may not be possible in a company blog, and may also not find it acceptable to have their content moderated by the company.” Consequently, a company-moderated blog would not necessarily prevent data leakage in an enterprise, and employees will continue to prefer public blogs, whose unmoderated environment, scope for anonymity and support for multiple profiles offer greater appeal.

Ramana added, “It is almost impossible to keep a check on the flow of qualitative expression or information being shared by employees on an internal as well as external social platform. Moreover, if moderated then they tend to kill the essence of the social network. Therefore, most of the time these data leakages are of qualitative nature, whereas any physical data leakages can be tracked and controlled.”

CIOs should look at how social networking can drive marketing. It is the most potent tool for marketing today. “It has much more credibility than spam, etc. It is a very strong tool for employment, employee welfare. Therefore, they should look at how HR can benefit from it. For example, in Second Life (a popular virtual world), you can go to an online store, you can look at the product in 3D, you can order the product and it will be shipped out to you. It is almost like an in-house experience,” Chakraborti said.

“Take for example, ChiragDin. They sell more shirts online than what they sell offline. Shirts are something, which most people didn’t even think of buying online a few years ago. ChiragDin is a pioneer in using social networking to drive their brand. Then why can’t other companies do the same?” Chakraborti exclaimed.

Engineering students today are the future CIOs and they cannot live without social networking and they will demand it when they join these organizations.

“Get over the fear about social networking just like we got over the fear of instant messaging. It is a must have. The faster we adopt it, the more progressively we’ll be looked at,” Chakraborti concluded.

varun.aggarwal@expressindia.com