Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the eighteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.
The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The eighteenth of the 19 best practices follows.
Practice 18: Be especially vigilant regarding social media.
Insiders using social media sites or applications can intentionally or unintentionally pose a threat to an organization’s information systems and data. It is essential that organizations develop policies that clearly state what is considered acceptable use of social media and that clearly describe the responsibilities the employee has to protect the organization’s critical assets.
These policies must not only be created, but must also be clearly communicated and consistently enforced across the organization to ensure compliance. Finally, training should be provided to educate employees, business partners, and contractors on the risks inherent in the use of social media. They should also be trained on how to protect themselves and the organization while at work and at home.
Social media allows people to easily share information about themselves and their organizations. Information about everything from birthdays and family members to business affiliations and hobbies can all be obtained from a user’s social media profile. This information makes employees who use social media vulnerable to possible social engineering. Malicious individuals can use this information to develop spear phishing email attacks against an organization by crafting narrowly targeted, malicious emails that seem authentic.
In addition, there are cases in which employees have intentionally posted information about the company or their customers. While employers must remain vigilant of such activity, they must also be aware of current and upcoming laws and regulations addressing social media. Some states have laws prohibiting employers from requiring candidates or employees to divulge social media user IDs and passwords.
For organizations under the jurisdiction of the National Labor Relations Board, reports have been issued, providing examples of both good and unenforceable organizational social media policies.
Finally, organizations should ensure that they make ownership of organizational social media accounts clear, as there has been litigation of this issue.
Challenges to addressing the use of social media in organizations include the following:
- Organizations may find it difficult to control and monitor what employees post on social media sites.
- Organizations should have a data classification policy that establishes the protections that must be afforded to data of different sensitivity levels.
- Organizations must involve legal counsel while developing and enforcing the social media usage policy.
Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.
Check back in a few days to read about best practice 19, Close the doors to unauthorized data exfiltration, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.
If you have questions or want to share experiences you've had with insider threats, send email to firstname.lastname@example.org.