Social Networking and its Implications on your Data Security

Transcription

1 Social Networking and its Implications on your Data Security Canadian Chamber of Commerce of the Philippines June 8, 2011 Warren R Bituin Partner -SGV & Co.

2 About the Speaker Warren R. Bituin SGV & Co./Ernst & Young Partner, IT Risk and Assurance Landline: warren.r.bituin@ph.ey.com Professional qualifications Information security management Application risks and controls review IT infrastructure risk and controls assessment Service organization controls reporting Financial audit IT integration Experience in the government, financial services, media, utilities, power, telecommunication, manufacturing, retail and mining industries Background Certified Public Accountant (CPA) Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Certified Information System Security Professional (CISSP) Certified in Risk and Information System Controls (CRISC) ISO Lead Auditor Candidate Management Development Program, Asian Institute of Management Bachelor of Science in Business Administration and Accountancy (BSBAA), University of the Philippines Former President, ISACA Manila Chapter Page 2

3 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 3

4 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 4

5 According to ISACA: Studies show a direct correlation between top financial performance and deep social media engagement in enterprises. Of the Fortune Global 100 Companies: 65% - have active Twitter accounts 54% - have Facebook Fan pages 50% - YouTube video channels 33% - corporate blogs Page 5

6 What is Social Media Social media technology involves: the creation and dissemination of content through social networks using the Internet social media tools allow consumers to comment, discuss and even distribute content published. Page 6

7 Business Benefits of Social Media Increase in brand recognition, sales and revenue, search engine optimization, web traffic and customer satisfaction Rapid feedback and insight from customers Information to improve products, customer service and perception Able to monitor market, competition and customers Able to search for and communicate with potential employees Page 7

8 Borderless security New technology means new risk 60% of respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise. Given current trends towards the use of such things as social networking, cloud computing and personal devices in the enterprise, have you seen or perceived a change in the risk environment facing your organization? 37% Yes, increasing level of risk No, decreasing level of risk 60% Relatively constant level of risk 3% Shown: percentage of participants Source: 2010 EY Global Information Security Survey Page 8

9 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 9

10 Some considerations Business Use Business tool Employee access on corporate network Employee access through companyissued mobile devices Personal Use From home and personal computing devices Page 10

11 1% 1% 1% Social media Few companies have thoroughly examined the social media issue and developed an approach that will balance the business opportunity with the risk exposure Only 10% of respondents indicated that examining new and emerging IT trends was a very important activity for the information security function to perform. How important is information security in supporting the following activities in your organization? Achieving compliance with regulations Protecting reputation and brand Managing privacy and protecting personal information Achieving compliance with corporate policies 45% 42% 56% 53% 33% 36% 26% 29% 18% 12% 13% 15% 4% 2% 4% 3% 5% 2% Managing operational and (or) enterprise risk 34% 43% 18% 4% Protecting intellectual property 31% 30% 25% 10% 4% Improving stakeholder and investor confidence 25% 34% 25% 11% 5% Improving IT and operational efficiencies 21% 40% 27% 10% 2% Managing external vendors 16% 37% 31% 12% 4% Enhancing new service or product launches 14% 30% 34% 15% 7% Facilitating mergers, acquisitions and divestitures 12% 20% 26% 20% 22% Examining new and emerging IT trends 10% 33% 38% 15% 4% Very important Not important Source: 2010 EY Global Information Security Survey Shown: percentage of participants Page 11

12 Risks, Security and Privacy Concerns Corporate Social Media Presence Introduction of malware to the corporate network Brand or corporate hijacking Lack of control over content Unrealistic customer expectations Non-compliance with record management regulations Employee Personal Use of Social Media Communicate work-related information Linking the employee to the company Excessive employee use in the workplace Employee access via company-supplied devices Page 12

13 Corporate Social Media Presence Risks, Security and Privacy Concerns Introduction of viruses and malware to the corporate network Data leak/theft Owned systems (zombies) System downtime Resources required to clean systems Page 13

14 Corporate Social Media Presence Risks, Security and Privacy Concerns Brand or corporate hijacking (~cybersquatting) Customer backlash/adverse legal actions Exposure of customer information Reputational damage Targeted phishing attacks on customers or employees Page 14

15 Corporate Social Media Presence Risks, Security and Privacy Concerns Lack of control over content posted to social media sites Company s loss of control or legal rights to information posted Page 15

16 Corporate Social Media Presence Risks, Security and Privacy Concerns Unrealistic customer expectations of Internet-speed service Customer dissatisfaction due to lack of responsiveness Reputational damage Customer retention issues Page 16

17 Corporate Social Media Presence Risks, Security and Privacy Concerns Non-compliance with record management regulations Regulatory sanctions/fines Adverse legal actions Page 17

18 Employee Personal Use of Social Media Risk, Security and Privacy Concerns Use of personal accounts to communicate workrelated information Privacy violations Reputational damage Loss of competitive advantage Page 18

19 Employee Personal Use of Social Media Risk, Security and Privacy Concerns Employee posting pictures or information that link them to the company Brand damage Reputational damage Page 19

20 Employee Personal Use of Social Media Risk, Security and Privacy Concerns Excessive employee use of social media in the workplace Network utilization issues Productivity loss Increased exposure to viruses and malware due to longer duration of sessions Page 20

21 Employee Personal Use of Social Media Risk, Security and Privacy Concerns Employee access to social media via company-supplied mobile devices (smartphones, PDAs) Infection of mobile devices Data theft from mobile devices lost Circumvention of enterprise controls Data leakage Page 21

22 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 22

23 Social media Restricting the use of social media tools in the work environment is an approach that will likely have limited success and may drive additional unwanted behaviors 45% of respondents indicated that they restrict or prohibit the use of instant messaging or e- mail for sensitive data. Which of the following actions has your organization taken to control data leakage of sensitive information? Defined a specific policy for classification and handling of sensitive information 73% Implemented additional security mechanisms for protecting information 65% Utilized internal auditing for testing of controls Implemented content monitoring/filtering tools Defined specific requirements for telecommuting Locked down/restricted use of certain hardware components Restricted or prohibited use of instant messaging or for sensitive data Implemented log review tools Prohibited use of camera devices within sensitive or restricted areas Restricted access to sensitive information to specific time periods 54% 51% 48% 45% 45% 44% Note: multiple 29% responses permitted 18% Shown: percentage of participants Source: 2010 EY Global Information Security Survey Page 23

24 Who will benefit from the use of Social Media tools? Industries Media Telecommunication Retail Consumer Manufacturing Hospitality others? Business Units Marketing Sales Human Resource Customer Service others? Page 24

25 Addressing the concerns Develop Documented Strategy on Use of Social Media Develop Policies on Use of Social Media Conduct Training and Awareness Programs for Employees and Customers Implement Technical Controls Implement Appropriate Business processes Page 25

26 Strategy on use of social media Strategic benefits Benefits > Risks How Risks will be Addressed Technical, process and organizational resources to support initiative Involvement of key stakeholders Page 26

27 Policies on use of social media Business Use Whether it is allowed Process to gain approval for use Scope of topics or information permitted to flow through this channel Disallowed activities (installation of applications, playing games, etc) Escalation process for customer issues Personal Workplace Whether it is allowed Nondisclosure/posting of businessrelated content Discussion of workplace-related topics Inappropriate sites, content or conversations Outside of the workplace Nondisclosure/posting of businessrelated content Standard disclaimers if identifying the employer Dangers of posting too much personal information Page 27

28 Training and awareness programs Employees Conducted on a regular basis Benefits, opportunities, dangers Emphasize specific dangers and methods of social engineering, common exploits and threats to privacy Rules governing acceptable use and behavior while on social media sites. Customers Periodic informational updates to maintain awareness of potential fraud and to establish clear guidelines regarding information to be posted as part of enterprise social media presence Page 28

29 Implement technical controls Policy and standard enforcement Content monitoring and filtering technology to restrict/ limit access or network throughput to social media sites Security controls on mobile devices (e.g., smartphones). If possible, route enterprise smartphones through corporate network filtering technology to restrict/limit access to social media sites. Protection against malware downloads End-user system anti-malware, antivirus Data leak prevention products Operating system security Tracking and archiving of communications via social media Page 29

30 Implement appropriate business processes Processes and staffing to handle traffic that could be created from social media presence Processes and change controls that are aligned with social media policies. Monitoring and follow-up processes for brand protection Page 30

31 Sample Social Media Networking Guidelines Be aware that certain firm policies and procedures, apply to your behavior both off-line and online. Use caution before mentioning team members' or colleagues names in your online postings. Postings online should not disclose a client s identity, the nature of work being performed, or any other confidential client information. Each of us has a responsibility to protect confidential Company data, personal information of Company personnel and our clients, and client and competitor information from disclosure. Do not post anything online that might be considered threatening, unlawful, harassing, hateful, vulgar or otherwise offensive by the recipient, or invasive of another person's privacy. Page 31

32 Sample Social Media Networking Guidelines Different cultures may perceive slang terms differently, sometimes objectionably, therefore, be mindful of using them in your online posting. Protect yourself by being selective of the personal information you post, as it could be used by others for various crimes such as robbery or identity theft. Do not represent yourself as someone with a certain level of authority that you do not have, or provide information you cannot confirm. Use your professional judgment when using social networking sites at the office and at client sites. Respect copyright laws. Be aware that what you publish online does not always have an expiration date; it can last forever. Page 32

33 Sample Social Media Networking Guidelines Make sure you read, understand and comply with the terms and conditions on social networking sites carefully as they may claim ownership of the content you post. Familiarize yourself with how each site s privacy settings work. Default settings may allow a broader group of people than you intended to have access to your information. Use caution before opening up attachments, even from social networking "friends." Page 33

34 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 34

35 Conclusion Social Media offers great opportunities to interact with customers and business partners in new and exciting ways. However, there are significant risks to those who adopt this technology without a clear strategy that addresses both the benefits and the risks. Provide the online communities and social collaboration tools that the new workforce expects, but do so with a view that aligns enterprise requirements with personal responsibility to protect sensitive business information. Raise security awareness and personal responsibility to levels that have not been achieved before. Inform every member of the organization on the risks and issues related to social media. Page 35

36 Presentation Outline Introduction Risks, Security and Privacy Concerns Addressing the Concerns Conclusion Open Forum Page 36

37 OPEN FORUM Page 37

38 Thank you! Sources: This presentation pack does not necessarily cover everything regarding Social Media risks, security and privacy management. It represents the speaker s personal views and not SGV & Co. or Ernst & Young. If you have any specific questions, please contact the speaker. Page 38