Friday, February 8, 2008

Social Network Security Hazards

Employees often let their guards down on LinkedIn or MySpace.
Here’s how to solve social-networking security threats through policy.
Emily Post’s "Etiquette" made her an authority on proper home, business and political behavior nearly a century ago.
Unfortunately, Post was decades too early to write about norms for social-networking sites like MySpace, Facebook and LinkedIn.
It’s too bad — she would probably supply good advice on what information users should share about themselves and their work online.
The definition of professional behavior on social networks remains wide open.
People will always use them to socialize as well as do business, hopefully with common sense as their guide.
However, two aspects of social-network use do need to be addressed: technical security and user security.
At a technical and functional level, social-networking services don’t do much that’s new — they just enable users to connect with others more quickly and less formally than by email (which itself was once hailed as the latest in speed and informality).
As with other electronic communications, social networks tend to allow users to send file attachments (especially photos) and use peer-to-peer programs for chats and phone calls, but these tools’ properties are well-understood and system administrators can filter them or even block certain URLs if necessary.
From a user-security standpoint, the major problem with social networks is also their strength: they encourage open interaction among users who may know each other but who could also be very loosely connected.
Under the umbrella of LinkedIn or MySpace, though, the barriers people normally maintain against interacting with near-strangers may be lowered.
Excessive blabbing on social sites can generate unwanted gossip about your company and its plans, while unscrupulous competitors can social-engineer employees into revealing intellectual property.
Your employees’ mere presence on social networks also sends a signal: job titles, experience, friends and family, and contact information can all be combined so that competitors can draw reasonably accurate org charts of your company and its suppliers, partners and clients.

Ways to Handle Risk
Realizing that perceived security gaps could lead individuals and companies to shun their sites, big names like Facebook and LinkedIn allow you to adjust how much information about you — posts, photos, online status and other factors — others may access.
Facebook’s privacy site describes several such controls. Users can reduce what appears in their profile and what information about their online activities is public, such as their use of specific Facebook applications.
Users can also block specific Facebookers from seeing more than a limited profile, or from finding them via search.
Facebook also limits the ability of search-site Web crawlers to harvest user information, saying in its privacy policy, “Facebook limits access to site information by third party search engine ‘crawlers’ (e.g. Google, Yahoo, MSN, Ask). Facebook takes action to block access by these engines to personal information beyond your name, profile picture, and limited aggregated data about your profile (e.g. number of wall postings).”
LinkedIn is the most business-y social network, and its users seem generally aware of the need to behave professionally. The site provides a wide range of tools for customizing others’ views of you, such as the ability to change whether people you’re connected to can see just those you both have connections with, or your entire connections list.
Another feature that keeps your cards closer to the vest is the ability to choose whether others can see that you’ve viewed their profile. You can set this feature so that no one knows, so that only your name and headline show, or so that only anonymous profile characteristics such as your title and industry appear.
These types of features increase social networks’ corporate usability.
However, at the end of the day, specific company policies that limit what employees may share online might create the biggest payoffs, like resistance to social engineering, preservation of the company’s and employees’ reputations, and preservation of trade secrets and internal company structure.
