Enterprise data security has long since outgrown the mere functions of antivirus, firewall and intrusion detection. Endpoint security and network security are also no longer all-encompassing paradigms. And the rapid adoption of social media at various layers has simply exploded the boundaries that need to be monitored for potentially countless breaches.
While the first leg of the Internet’s growth into enterprise networks itself added a number of holes to the security fabric, the 2.0 phase has been unnerving, to say the least.
The traditional security paradigms are simply ineffective at addressing enterprise security in this era. No controls seem to work.
And the debate whether to open up to the social media or not has long been put to rest. It has been accepted that business benefits of social media far outweigh their perils.
That, however, does not make those perils look less threatening. In fact, it just makes the IT manager’s work more challenging. Besides, the almost sudden opening up of boundaries has led to a state of action without responsibility.
And this has happened when enterprises are still at a stage where security policies are not an integral part of their security strategies. Even in cases where policies have been implemented, they are not adequately adhered to, or employees are unable to understand and appreciate their benefits.
This has encouraged enterprises to look at security less from a ‘control’ standpoint and take a more inclusive approach. The way security policies are written and observed is changing too. There is more emphasis on educating users at various levels and making them aware of the heightened need for protecting information and IT assets in the enterprise.
But why social media?
Social media is an increasingly important channel for marketing and branding, among other things. As such, corporate professionals are keen to use it to their advantage.
A bad post about a brand on a Facebook channel will probably do more harm to the company than in any other medium, partly because it can potentially be read by more consumers and also because it can be posted to target those very readers who are also likely consumers of the brand.
It therefore becomes important for brand managers and marketers to remain updated about such posts and take corrective actions and duly address the concerns of the complainant.
More importantly, one needs to proactively reach out to the existing and potential customers on a regular basis, as part of a focused brand building exercise.
Social media has become a channel to reckon with. The live streaming of IPL3 is a live testimony to the importance it has gained.
Tackling social media threats
Access to a social media site poses risks that are manifold, and yet not so obvious, to the user. For example, if you access a regular site and download an infected file, the antivirus will warn you or, even better, the firewall will block the site itself.
In the case of social media, where the user has opened an account, added a certain set of people to the friends list and joined a few relevant groups, the threat comes in different forms and from various quarters.
It can come in the form of an infected link from a friend, who would be merely passing it on without knowing. But more importantly, the threat could lie in the users’ profiles created and posted by users themselves.
Cybercriminals are on the prowl to harvest detailed personal information posted by users on social networking sites (SNS). Social media profiles often provide a very rich haul of information to hackers, who can analyse it to guess user passwords. In particular, if users are not very password-savvy and have used the names of their cities or spouses, their dates of birth or celebrities they like as passwords, their SNS profiles will easily give away the clues.
Worse, users often keep the same password for public as well as enterprise logins. So if hackers crack users’ SNS logins, they effectively crack their enterprise logins as well.
It is therefore important that users are adequately educated on these aspects so as not to put themselves or their organisations at the mercy of cybercriminals.
However, provisioning for measures to address social media threats in the policy document is one step. The next step will be to create user awareness by way of formal sessions as well as information communication channels.
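The profile-derived password risk described above can be screened for when a user sets an enterprise password. The following Python is an added example, not part of the original article: it flags passwords built from a user's name, spouse, city, date of birth or liked celebrities. The profile fields, the substitution table and the sample profile are assumptions constructed for illustration.

```python
import re
from datetime import date

# Character substitutions undone before matching (an assumed, minimal set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def _letters(text):
    """Lower-case, undo substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def profile_tokens(profile):
    """Word and date tokens an outsider could read off a public profile."""
    raw = []
    for field in ("name", "spouse", "city"):
        raw += profile.get(field, "").split()
    for liked in profile.get("likes", []):
        raw += liked.split()
    # Ignore very short words to limit false positives.
    words = {w for w in map(_letters, raw) if len(w) >= 4}
    dates = set()
    dob = profile.get("date_of_birth")
    if dob:
        d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", str(dob.year)
        dates = {d + m + y, m + d + y, y + m + d, d + m + y[2:], m + d + y[2:], y}
    return words, dates

def profile_derived_parts(password, profile):
    """Return the profile tokens found in the password (empty list if none)."""
    words, dates = profile_tokens(profile)
    letters = _letters(password)
    digits = re.sub(r"\D", "", password)
    hits = [w for w in words if w in letters]
    hits += [d for d in dates if d in digits]
    return sorted(hits)

# Constructed sample profile, not real data.
SAMPLE_PROFILE = {
    "name": "Asha Verma", "spouse": "Rohan", "city": "Pune",
    "date_of_birth": date(1985, 3, 14), "likes": ["Sachin Tendulkar"],
}

if __name__ == "__main__":
    for candidate in ("R0han@1985", "pune140385", "correct-horse-battery-staple"):
        print(candidate, "->", profile_derived_parts(candidate, SAMPLE_PROFILE))
```

A check like this belongs at password-change time, where the plaintext candidate is available, and it complements rather than replaces length and breached-password checks.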
Awareness up two-fold, victims six-fold
While consumer awareness of phishing attacks has doubled between 2007 and 2009, the number of consumers who reported falling prey to this attack also increased six times during the same period.
According to the EMC security division RSA’s 2010 Global Online Consumer Security survey that polled more than 4,500 consumers on their awareness of online threats, while thousands of people join social networking websites each day, nearly two in three (65%) of respondents who belong to these online communities indicated that they are less likely to interact or share information due to their growing security concerns.
Social networking websites have become a hotbed for online criminals because of their global reach and the participation by hundreds of millions of active users from all walks of life. This makes these communities prime targets for exploitation by criminals who seek to steal personal information through socially engineered attacks. Reflective of this trend, the survey exposed that four out of five (81%) people using social networking websites displayed concern with the safety of their personal information online.
In a similar RSA survey in 2007, one in three (38%) consumers reported they were aware of the threat of a phishing attack—and this figure has doubled in two years when three out of four (76%) consumers became aware.
Despite increased awareness, a growing number of online users have fallen victim to a phishing attack. In the 2007 RSA survey, only one in twenty (5%) consumers said they had fallen victim to a phishing scam; this rate increased six times in 2009 to represent three in ten (29%) consumers.
This increase can be attributed to more advanced communications tactics and greater sophistication such as improved writing and web design skills on the part of the fraudsters. Phishing attacks have also evolved in an attempt to exploit users in different ways and through a broader variety of methods including offshoots known as ‘vishing,’ ‘smishing’ and ‘spear phishing.’
The sheer volume of phishing attacks launched in recent months is also contributing to these trends. The RSA Anti-Fraud Command Centre reported the highest-yet detected rates of phishing attacks between August and October 2009, as well as a 17% increase in the total number of attacks between 2008 and 2009. Also, 50% of consumers agreed that their identities should be better protected than by a simple username and password on social networking sites.