Social Media and Corporate Guidance

One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risks associated with using social media and networking sites. (These concerns have also received some coverage in trade pubs; see, for example a recent Computerworld article: https://tinyurl.com/mc7yb8) Using social media applications is not just a personal computing trend; they have also become integrated into our corporate cultures. Many organizations are using these sites for corporate marketing, file sharing, communications, and recruiting. In the past, the corporate policy of most organizations was not to post resumes online, use your corporate email account as your username to access a website, or post pictures from the company holiday party on a website (at least the potentially incriminating ones). Now, corporations are eager to get the word out about how great it is to work there, or connect with employees, or find out what events they will be attending, even posting opinionated blog entries such as this one. While these applications can open great new doors, they need some associated corporate guidance. I say guidance because a more explicit security policy regarding usage of Twitter, LinkedIn, or Facebook is likely to be unenforceable. Employees may refrain from using corporate accounts for these applications, but if they like them, they will find ways to use them. Here are some basic guidance points that you may consider in your next security-awareness email.

1. When using social media sites, be sure to use different passwords for different sites, and never use your corporate password. These sites have varying password reset controls; don’t let a breach of one account impact all your accounts.
2. Remember, in the case of company documents, if it’s not meant for the company’s public website, it probably isn’t meant to be shared on some-one else’s–-even if they told you it is secure. Watch out for sites like Google docs or yammer.com that create a perception of privacy and security. Let your security team determine acceptable sites.
3. There are a couple of key items that you should never post publicly, such as your birth-date, social security number, or employee ID. If the site requires such data, consider making something up or ensuring it’s not displayed in a public profile.
4. There are certain items that companies don’t technically classify as confidential, yet keeping them a secret and off the social networking sites is a good thing. This could includes rumors, planned purchases, technology used, and projects you’re working on. Posting your job history may be OK, but for current activities, just keep it generic.