Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Information Security's Real Threat: Oversharing

With great power comes great responsibility.

It's a safe bet Voltaire wasn't thinking of Facebook when he wrote those words, but it's a useful warning for businesses now enjoying the growing clout of social media. Reaching thousands of customers by dashing off a quick sentence and hitting 'Share' is both great and powerful -- but too much sharing without enough risk management can be bad for business.

In a move to ease regulations on financing for startups and small businesses, on July 10 the SEC ruled that qualified firms seeking private investments are allowed to advertise publicly for the first time. This follows an April 2 SEC announcementthat companies can now use the Internet and social media to announce key information under specific conditions, an action banned previously out of concern that not all shareholders had equal access to digital channels like Twitter or Facebook.

Loosening restrictions on the use of social media to communicate company information is a plus for smaller businesses. It can cost virtually nothing to use Facebook or Twitter. But don't overlook the hidden costs: the risk of public, messy missteps. Whether your account is breached using your password or through the social network's own security gaps, or an employee posts something inappropriate, resolving the issue sucks up time and can damage your corporate brand.

[ Protecting your customers' personal data is paramount. Here's one approach that works. How One SMB Manages Customer Identity Data. ]

First, here's the quick answer to controlling your IT security on social networks: You can't. Social media by definition is outsourced, so you're at the mercy of these providers' information security practices.

The best way to reduce the chance of getting hacked is to make sure that employees in charge of corporate social media accounts use complex passwords, and then control physical access to these passwords. It sounds painfully obvious, yet the three most common passwords in 2012were "password," "123456" and "12345678."

Social media is just the latest flavor of a longstanding struggle that bedevils growing companies: How do you balance protecting corporate information with getting things done? Information security is particularly tough for SMBs, which often go from one crisis to the next because they don't have a systematic approach to IT business risk and information security.

There are two main areas to think about: compliance and business risk. Compliance applies not only to government regulations, but also to things like contracts with customers and suppliers and to your own internal policies, such as what you do with the data you collect online. And IT, marketing and sales must share the same understanding of how data is collected and used. It is critical to remember that being compliant doesn't mean you are safe. Checking off boxes has not helped all those PCI-compliant companies that continue to experience data breaches.

Here are three practical steps for resource-strapped SMBs to manage compliance more effectively:

-- Use a systematic approach to understand all the compliance issues that matter to you. In ISACA's COBIT framework, for example, compliance is an attribute that is present throughout IT processes.

-- Look for ways that a single information security compliance policy will help you meet multiple requirements.

-- Apply automation tools as an easy way to reduce compliance costs.

But being compliant says little about managing IT-related risk to business objectives. Managing information security is a subset of managing IT-related business risk. It tends to get more attention because the consequences can be crippling.

But the encouraging news is that there are plenty of precedents for solid IT risk management practices that can inform a company's approach to information security. These three steps can help growing companies put good information security management into action:

-- Start with a conversation between business and IT. This will ensure that IT and security experts understand the business environment as well as the IT threat environment. For example, is the company planning to open a new facility or expand into a new legal jurisdiction?

-- Practice IT governance. Take advantage of free flexible frameworks such as COBITand tailor them to your situation. For small businesses, first steps tend to focus on perimeter security such as firewalls, penetration testing and access control.

-- Don't think of managing information security as just a technology play or a periodic controls audit. Make it a systematic process and you'll save on resources -- both staff and costs.

Information has never been so plentiful or easy to access. That's great news for SMBs, which can harness technologies like cloud and analytics and geolocation to engage customers online and compete with much larger companies. But companies that think they are too small to need information governance, or too nimble to be held back by information security safeguards are taking a big risk. Flexible frameworks provide more agility in making better business decisions.

Brian Barnier is principal analyst and advisor with ValueBridge Advisors and a risk advisor with nonprofit association ISACA, advising clients on finance, risk, legal, audit and IT issues. He is also the author of The Operational Risk Handbook for Financial Companies.