Follow GFI:
Find us on Facebook Follow us on Twitter Find us on Linkedin Subscribe to our RSS Feed Find us on YouTube Find us on Google+
 

Top 10 Security Precautions when using Social Networking Sites

on June 23, 2010

It is impossible and illegal to stop employees from using social networking sites 24/7 and even if it were legal it wouldn’t be a good idea as it could easily alienate your employees. The best course of action is to educate your employees. Below is a list of the top 10 security precautions an employee should keep in mind when using social networks.

  1. Never use the same passwords that you use at work on a social networking site.
  2. Limit usage of social networking sites to personal use only. Do not write about work issues. Always assume everyone in the world will be able to see what you’re writing even if the site limits your post to your friends exclusively.
  3. Try to avoid mentioning where you work; so that if you mention something you thought innocent (but that might be valuable information for hackers) they will not know who to target.
  4. Be wary  of what you’re posting, if you use your pet’s name as a password anywhere do not post about it on your social networking sites naming it.
  5. Do not log on to your social network page from public computers such as internet cafés where someone might have installed a key logger and would later get access to your credentials.
  6. Do not automatically trust that posts are from who they claim they are; if your workmate sends you a private message asking for some confidential information first verify that he/she did really send you that message as their account might have been compromised.
  7. Do not send confidential information through a social networking site even if someone who has legitimate access to that information asks you to. See point number 2.
  8. Beware of what links you click and what software you download and install. Do not trust links/software sent by your friends implicitly as they themselves might not be aware it includes malware or their account might have been compromised.
  9. Always be sceptical and wary. If someone asks to be friends on a social networking site and the profile appears to match a work mate, check personally with that person before accepting him as he could be an imposter. Also be sceptical of any offers or prizes you might have been told you won, they might actually be phishing attacks.
  10. Ensure your computer is up to date and has good antivirus protection; social networking sites are frequent targets of malware attacks.

If you have any more tips which are not mentioned above feel free to share them by leaving a comment below.

 
Comments
Kelly June 29, 201010:53 pm

As an IT consultant I am fully aware that IT management is struggling with whether social media is productive or obstructive for companies and their employees. Software is being developed and policy and restrictions are being decided everyday by IT managers. The security of company networks are at stake but the potential for innovation using social media is a large enough carrot for the discussion of how to properly utilize the medium continues. Palo Alto networks came up with a whitepaper, http://bit.ly/d2NZRp, which will explore the issues surrounding social media in the workplace. It is important to not only understand the immediate benefits of doing business how one lives, but the threat it presents to a company’s greater ROI and productivity when it comes to the server’s safety and security.

Emmanuel Carabott July 1, 20105:37 pm

Hi Kelly,

I am not saying that businesses should avoid social networks completely and neither am I saying that employees should be blocked from accessing them. As you correctly say there are a number of possible advantages in businesses embracing social networks. What I am saying is that with everything else social networks bring their own issues to the table. What might be bad for a company is that the dangers social network pose do not potentially stop at the work place or during working hours. An employee at home can be an even greater danger for the company than at work.

As such I do suggest that companies spend time educating their employees on what to do and not to do, and on basic security practices when using social networking sites or interacting with other people as well.

Sue Walsh July 29, 20107:44 am

In light of the recent news that over 100 million Facebook profiles are now available for download on BitTorrent, I’d like to add never ever have your profile set to public. Lock it down so that only your friends can see your info.

I also advise thinking carefully before adding your boss to your friends list. The net is full of stories about people who added their boss to their friends list, forgot, and got busted (and in some cases fired!) when they posted a status bashing their workplace!

Karrie Albert July 29, 20109:49 pm

Another suggestion:

Don’t install applications such as those that claim to make you find out who’s checking your profile as Facebook doesn’t support that feature and will not allow a 3rd party app to do so. It might just pose a risk to your system. Next thing you know, your account “posts” status updates that you did not create.

Facebook is becoming a hacker heaven. If you use such social sites, steps should be taken to ensure your system and even your identity is protected.

Carmel Amelia July 29, 20109:53 pm

“When you have resourceful (and smart) employees, it’s almost impossible to deny them access to any site. Our IT person at work tried to block all access to restricted sites (social networking sites included)but someone always finds a way to work around it and the next week, everyone are able to (secretly) access Facebook and Twitter again.

Is there a fool-proof way to deny access to specific sites?

Emmanuel Carabott July 30, 201012:33 pm

I completely agree with Karrie; it is essential to be careful with what one installs on social networking sites as well. There are reports of malware installing trojans on your computer through Facebook.

@Carmel

There are ways to ensure these security checks aren’t circumvented, obviously you can never be sure it will be 100% effective but it can get quite close. It always depends on your setup and what you want to allow and deny. Generally having one Internet gateway and controlling access through that works best. If you want maximum security you could use a white list approach allowing the firewall at the gateway to only allow access on port 80 and only to those sites you want to allow. Additionally another option is to monitor what people visit and when somebody circumvents the technology he can still be disciplined for breaking the policy. Employees need to learn that the block is there to enforce the policy and going around it does not make the action right, it makes things worse.

Damon B August 11, 20102:06 pm

“Never use the same passwords that you use at work on a social networking site.”

I found this quite apt seeing that it’s the top of the list. After doing a survey on the security practices of one of our client’s employees, we’ve discovered that 9 out of 10 of them use the same passwords for their work, their e-mail and their social networking sites. It’s identity theft waiting to happen, and though it was only one company we looked at, we wouldn’t be surprised if this was a trend in a lot of other corporations.

Matthew Cheng August 11, 20102:16 pm

@Karrie Albert

I think the same can be said about Twitter. With a lot of third party websites allowing a whole array of different services, a lot of Twitter users are jumping on the bandwagon, giving these sites unrestricted access to their accounts. And if these suspicious sites can retrieve your password information and link it to your other social networking profiles, you just willingly gave out full-access to your entire online identity by clicking “Accept.”

Elizabeth Sams August 11, 20102:39 pm

As utterly ridiculous as number 4 sounds, I’ve actually come across a co-worker who had been proven guilty of something like this. Granted she doesn’t have any IT background whatsoever, and is one of the most lax individuals when it comes to internet security, we managed to open up her different social networking profiles by using her pet’s name mixed with her birth year as the password.

Her love for her dog was quite obvious, and would not let a day go by without telling us his name. It took us about three tries to crack the coder, but we made sure to tell her about it afterwards. I can’t imagine what would’ve happened if someone with more malicious intentions got a hold of that kind of information.

Emmanuel Carabott August 13, 20102:36 pm

Damon B

Indeed a lot of people who aren’t security aware tend to use the same password everywhere. Sometimes because they don’t know better and something it’s because they’re afraid if they choose something new they’re going to forget it and so they use the same old password which they know well.

@ Elizabeth

That is certainly something to be expected. As I mentioned above when one chooses a password, especially when they don’t have an IT Background, they will think about something which they will not forget. This is generally related to what they love the most. It’s actually amazing that she mixed her pet’s name with her birth year as I bet most of the time you would simply get pet names without additional detail as the additional detail would make the password harder to remember. In any case excellent work in getting your co-worker to strengthen her password!

Paul September 20, 20101:32 pm

The 10 precautions listed in the opening argument of this article would have no relevance to an employer who has set down the law before an employee joins. The company pays you to work on a structured network of their choosing. Any violation of that trust is deemed a sack able offense on the spot with some of my clients’. Collect your things and don’t come back. The IT professionals in charge do not have the time to waste with idiots that do not understand the implications of their actions upon the security of the company’s data network. Work is for work, social networking sites are not. Who gives a proverbial if you whine and moan about not having “your” sites available. The company’s data is more important, without it you don’t have a job.
Any IT professional will tell you, they lock down user privileges to what is usable, and nothing more, this includes social sites.
If they don’t, they will be looking for another job.
Time for people to grow up and realize that they at work to work.

Emmanuel Carabott November 24, 20102:26 pm

@Paul,

What you’re saying is true; however, you must consider 2 other scenarios that you have overlooked.

1. What if the employee finds a way around the employer’s technical enforcement and still accesses prohibited sites without the employer finding out?

2. (more likely) What about the employee’s access during his free time outside of work? What if an employee has the bad habit of using the same password everywhere and signs up for some malicious application using the same password which he uses to access the corporate network?

Employees who are not technical can place your network in jeopardy not only when they’re at work but everywhere and at any time. In my opinion neglecting to educate employees because they’re only allowed to access the Internet for strict work related purposes is in itself a security risk.