Mitigation, not prohibition, is best response to social media’s security risks

David Etue is vice president of products and markets at Fidelis Security Systems.

Although an all-out prohibition might seem to be the simplest way to deal with the security risks of social media, it is not necessarily the wisest approach.

The technology does introduce numerous risks, including the possibility that an employee might speak on an agency’s behalf without approval or even post sensitive or classified information inappropriately. Also, ill-intentioned actors might pose as social network friends to obtain such information — what’s known as social engineering. And as many people have learned, social networks can be a source of malicious code.

However, the benefits of the technology are becoming more apparent every day. Agencies are finding that social networks facilitate both personal networking and massive citizen outreach. They provide good venues for getting feedback from constituents (via Facebook and Ning, for example), locating subject-matter experts (via LinkedIn and others), and for communicating with communities large and small (e.g., Twitter and wikis).

By the end of 2009, more than 27 federal agencies had service agreements with Facebook. It's clear that government organizations see value in these platforms.

Given that value, agencies should not resort to blocking all access to social networking or only allowing access by a small number of public affairs experts. The good news is that it is possible to mitigate the risks through a combination of policy, training and technology.

Here are four steps to consider:

1) Ensure existing employee codes-of-conduct policies cover social networking. A good start is to update your agency’s computer-use policy to indicate whether it is acceptable to use social networking only for work or for work and personal activities. However, agencies also need a broader policy covering what activities an employee (or contractor) can do on behalf of the agency. If existing policies are updated to include scenarios related to social networking, the agency must get the word out and incorporate the new policies into its employee training.

2) Train end-users on the benefits, risks, policies and agency goals for social networking. It is important to communicate to employees and contractors the agency’s goals for social media — and what their role will be. Much as you would work with an executive to prepare for a press briefing or congressional testimony, you should explain the goals of social networking, who has the authority to speak on the agency’s behalf, what actions and activities are appropriate, and whom to contact with questions and issues.

3) Create official profiles for the agency, sub-agency and key executives on the major social networking sites. This should be done even if those profiles will not be used, and they can be marked as such. This will help head off the creation of fake accounts used for impersonation.

4) Implement technical controls that address how social networking can be used and what content can be posted. Policies must be enforced, and appropriate technology is one important way to achieve that. To be effective, any technology must understand the context of data as well as its content.

Social networking is here to stay. Like commercial businesses, government agencies can and should find ways to maximize its utility. A sound security policy is central to that effort.