Brian Barnier
Commentary
Information Security's Real Threat: Oversharing

Too much sharing and too little risk and security management are bad for business, especially among SMBs.

With great power comes great responsibility.

It's a safe bet Voltaire wasn't thinking of Facebook when he wrote those words, but it's a useful warning for businesses now enjoying the growing clout of social media. Reaching thousands of customers by dashing off a quick sentence and hitting 'Share' is both great and powerful -- but too much sharing without enough risk management can be bad for business.

In a move to ease regulations on financing for startups and small businesses, on July 10 the SEC ruled that qualified firms seeking private investments are allowed to advertise publicly for the first time. This follows an April 2 SEC announcement that companies can now use the Internet and social media to announce key information under specific conditions, an action previously banned out of concern that not all shareholders had equal access to digital channels like Twitter or Facebook.

Loosening restrictions on the use of social media to communicate company information is a plus for smaller businesses. It can cost virtually nothing to use Facebook or Twitter. But don't overlook the hidden costs: the risk of public, messy missteps. Whether your account is breached using your password or through the social network's own security gaps, or an employee posts something inappropriate, resolving the issue sucks up time and can damage your corporate brand.


First, here's the quick answer to controlling your IT security on social networks: You can't. Social media by definition is outsourced, so you're at the mercy of these providers' information security practices.

The best way to reduce the chance of getting hacked is to make sure that employees in charge of corporate social media accounts use complex passwords, and then control physical access to these passwords. It sounds painfully obvious, yet the three most common passwords in 2012 were "password," "123456" and "12345678."

Social media is just the latest flavor of a longstanding struggle that bedevils growing companies: How do you balance protecting corporate information with getting things done? Information security is particularly tough for SMBs, which often go from one crisis to the next because they don't have a systematic approach to IT business risk and information security.

There are two main areas to think about: compliance and business risk. Compliance applies not only to government regulations, but also to things like contracts with customers and suppliers and to your own internal policies, such as what you do with the data you collect online. And IT, marketing and sales must share the same understanding of how data is collected and used. It is critical to remember that being compliant doesn't mean you are safe. Checking off boxes has not helped all those PCI-compliant companies that continue to experience data breaches.

Here are three practical steps for resource-strapped SMBs to manage compliance more effectively:

-- Use a systematic approach to understand all the compliance issues that matter to you. In ISACA's COBIT framework, for example, compliance is an attribute that is present throughout IT processes.

-- Look for ways that a single information security compliance policy will help you meet multiple requirements.

-- Apply automation tools as an easy way to reduce compliance costs.

But being compliant says little about managing IT-related risk to business objectives. Managing information security is a subset of managing IT-related business risk. It tends to get more attention because the consequences can be crippling.

But the encouraging news is that there are plenty of precedents for solid IT risk management practices that can inform a company's approach to information security. These three steps can help growing companies put good information security management into action:

-- Start with a conversation between business and IT. This will ensure that IT and security experts understand the business environment as well as the IT threat environment. For example, is the company planning to open a new facility or expand into a new legal jurisdiction?

-- Practice IT governance. Take advantage of free, flexible frameworks such as COBIT and tailor them to your situation. For small businesses, first steps tend to focus on perimeter security such as firewalls, penetration testing and access control.

-- Don't think of managing information security as just a technology play or a periodic controls audit. Make it a systematic process and you'll save on resources -- both staff and costs.

Information has never been so plentiful or easy to access. That's great news for SMBs, which can harness technologies like cloud and analytics and geolocation to engage customers online and compete with much larger companies. But companies that think they are too small to need information governance, or too nimble to be held back by information security safeguards are taking a big risk. Flexible frameworks provide more agility in making better business decisions.

Brian Barnier is principal analyst and advisor with ValueBridge Advisors and a risk advisor with nonprofit association ISACA, advising clients on finance, risk, legal, audit and IT issues. He is also the author of The Operational Risk Handbook for Financial Companies.

Comments
David F. Carr
User Rank: Apprentice
8/29/2013 | 7:05:51 PM
re: Information Security's Real Threat: Oversharing
The best way to prevent irresponsible sharing is to teach employees how to share responsibly in social media and internal collaboration systems.
Drew Conry-Murray
User Rank: Strategist
8/29/2013 | 9:53:03 PM
re: Information Security's Real Threat: Oversharing
This sounds like sensible advice, but how feasible is it for SMBs, particularly on the smaller end of the scale, to start getting into frameworks? Especially if they don't have a dedicated security team, but instead have a few IT folks who do everything?
bbarnier
User Rank: Apprentice
8/29/2013 | 10:20:41 PM
re: Information Security's Real Threat: Oversharing
Hello, thanks for your comment; good observation. It sometimes helps to compare Info sec in an SMB to a neighborhood pizza parlor or local car repair shop. Following good process improves customer satisfaction and reduces cost for business and customer prices. A similar idea applies to "tiny box" retailers where each small store is highly similar. This is often one of the ways "little guys" compete with big guys who get tied up in process knots. While most processes in a framework are needed, it is helpful to realize the SMB is ALREADY doing all these -- just informally and prone to gaps that lead to ugly surprises. The key is tailoring to the SMB. Enjoy the pizza!
Thomas Claburn
User Rank: Apprentice
8/30/2013 | 12:48:34 AM
re: Information Security's Real Threat: Oversharing
Chromebooks are worth looking into for SMBs. They're less vulnerable to malware than traditional PCs. You still have to worry about social engineering attacks, however.
WKash
User Rank: Apprentice
8/30/2013 | 6:08:23 PM
re: Information Security's Real Threat: Oversharing
This article offers some smart tips, and a great reminder: It is critical to remember that being compliant doesn't mean you are safe.
bbarnier
User Rank: Apprentice
9/4/2013 | 3:01:31 AM
re: Information Security's Real Threat: Oversharing
Hello, thanks. Glad you found it helpful. Yep, long list of compliant companies that got in trouble.
Chuck Brooks
User Rank: Apprentice
10/29/2013 | 12:25:21 AM
re: Information Security's Real Threat: Oversharing
Social media and file sharing are becoming an important part of business development and outreach for many companies. Proper security protocols combined with a good marketing strategy can help mitigate threats.