Organizations often allow the use of social media on their networks, but RSAC is buzzing about the risks.
Does your organization allow employees to access social media at the office? Many do, whether for strictly personal use, communication, collaboration, or marketing. There is a fair body of both anecdotal and research-based evidence that suggests opening up social channels at work keeps employees happier and more productive. Frankly, with the ubiquity of smartphones, employees are using social networks whether your policies prevent it or not.
Employer policies aside, though, social media is, at its core, a vector for malware and socially engineered attacks. How many links are shared innocently enough, only to bring users to compromised websites? Even if employees are using social channels in the most professional ways possible, their friends and contacts outside the organization are under no such obligation. Fortinet’s Jonas Tichenor and Richard Henderson recently discussed the issue at RSA, highlighting how even seemingly secure networks can be compromised.
As Richard points out,
“You can find things getting through your network through Twitter or through Facebook or through any other social media account because someone in your feed or in your friends list has posted a link to malware...click it and next thing you know, you’re infected.”
And those phones that employees use to access social media, regardless of policy? They frequently access corporate wireless networks, bringing along whatever bits of malware might be hiding in apps downloaded via social channels.
None of this means that businesses need to start blocking social networks or end their BYOD programs. Social and mobile make the world go round and they aren’t going anywhere. Instead, this represents one more impetus for changing the way we approach security. We can’t count on users to never make mistakes or click a dodgy link. We also can’t reasonably expect employees to completely separate work from play or business from pleasure...not in 2015.
If there were a hashtag for #layeredapproachtosecurity, now would be the time to use it. Even cutting through the vendor stories here at RSA, there is an underlying theme of multifaceted security both on the show floor and in the keynotes. Richard Henderson outlines many of these layers and facets in the interview, but the most important message is that relying on a robust security infrastructure, with a full complement of endpoint and network protections, is a much surer bet than relying on employees to be totally secure in their social clicks, taps, and swipes.