In a World of Cyber-Espionage, Facebook is Not a Friend of Your Enterprise
Author: Jim Lundy Date: August 15, 2011
Topics: Workplace Research Note Number: 2011-12
Issues: What technologies and architectures should enterprises leverage in the workplace?
What are the best practices for leveraging social software to gain a competitive advantage?
Summary: Facebook’s popularity, advertising-based business model, and inconsistent application development and privacy policies make it an ideal target for cyber attacks and corporate espionage. In an age of cyber-espionage, doing nothing is not an option.
While Facebook is the leader in consumer social networking, with more than 800 million users, it is really in the business of selling ads that target those users based on their activities on the site. Due to its overall popularity, and its business practices that focus on sharing information about users to increase ad sales, Facebook has become one of the best places for cyber criminals to start when they want to attack or steal information from individuals or enterprises. This research note focuses on three ways to manage Facebook in your enterprise.
To Facebook or Not to Facebook
The Facebook network presents a rich, fertile environment for a wide and growing range of malicious activities. Facebook encourages its users to publicly and openly grant each other access to nearly all information about them. Users, in turn, act as though everyone on the network can be trusted and that the sources, links and other content offered to them are safe. Although measures can be taken to create a level of information privacy, most users spend their time networking, not managing their security profile or thinking twice about opening a link sent by a “friend.”
As a result, enterprises have security and privacy concerns about Facebook and other consumer-oriented social networking sites, and many have decided to ban their use completely. There are valid reasons for doing this, but there are less drastic ways to manage the risks and benefits of Facebook and its ilk. Businesses can choose one of three approaches, based on their priorities and risk profile:
- Ban internal use completely
- Manage with new firewalls
- Approach with control and best practices
The debate about whether to grant access to Facebook and other similar sites continues for many businesses. Risks come in different flavors, and many enterprises are unwilling to admit that they have already been affected by cyber-attacks or by advanced persistent threats (APTs), and that these are increasing in frequency (see Note 1). Today, outright bans of Facebook are still in the minority, but with each high-profile data loss, security leak or privacy breach, the number of enterprises willing to consider a ban increases.
The ability to effectively monitor and manage usage is important with regard to both individual productivity and network bandwidth consumption. While use of Facebook can be seen as little different from casual conversations in hallways or personal phone calls, the absence of guidelines and measurements can result in inadvertent as well as intentional abuse. An outright ban may be a useful interim measure until guidelines and policies, and the tools to enforce them, can be put in place.
In highly information-sensitive organizations such as government agencies and financial or healthcare services, using Facebook on corporate PCs is not permitted because of the high stakes in the event of a breach, and the wide and growing range of malicious activities that target Facebook users. As use of personal devices for work becomes more prevalent, this exposure will only become greater. In sensitive environments where malware cannot be tolerated and where risk of data loss and cyber attack is great, banning Facebook may be warranted, at least until secure, managed systems are in place.
At the other end of the spectrum is freely allowing access to Facebook. For the majority of enterprises, this is the main approach right now, simply because they have not addressed the issue with specific policies and strategies. These enterprises must immediately develop policy guidelines to define what reasonable activity is and what constitutes appropriate use, along with at least an outline of a strategy for enforcing them.
Facebook has been very effectively monetizing its platform, which now supports many third-party applications that do business with Facebook users. These entities have little supervision from Facebook, and very disparate policies and procedures about data retention and privacy. Some businesses will have pockets of users whose jobs are literally performed on Facebook. Selective access based on job requirements, work profile, security training and task-level supervision is needed for this class of user.
Enterprises need to understand their risk profile in this era of APTs. At a minimum, certain workers in sensitive positions need to be aware of the risks of Facebook as well as other apps that they run on a corporate computer that also has access to sensitive information.
Managed Use – Apply Next Generation Firewall
Between the extremes of unlimited use and outright bans is a balanced, managed approach to using Facebook at work. Beyond relying on management oversight and social media policies to keep things on track, a new set of tools provides the ability to selectively support users and control access. Next-generation firewalls go deeper into application management than ever before: they classify traffic by application and sub-application rather than by port or IP address, and match policy to the user or group that generated it. Tools such as those available from Palo Alto Networks and McAfee (see Note 2) allow fine-grained control of Facebook, including user access, blocking Facebook capabilities such as chat and third-party apps, and even making Facebook read-only (browsing allowed, posting blocked).
This does represent a significant way to start to take back control of app security in the enterprise. Enterprises should evaluate current firewall providers and check roadmaps to see when this level of capability will be added. If it is not in the plan, an exit strategy should be evaluated. In many industries, due to the level of cyber attacks that are ongoing, it is highly advisable to block Facebook until these firewall app controls can be implemented.
Even with application firewall tools, some extra measures are still needed for PCs and for users. Information that is being shared can be monitored (see Note 3). Also, executives and employees with access to sensitive information (financial data, passwords, source code and the like) should not run Facebook on those systems, or should be issued a secure PC and a non-secure one.
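The following is an added example, not code from the Aragon note or from any firewall vendor: a small Python model of the application-aware control described above (classify a request into a Facebook sub-application, then match a per-group policy that can block chat and apps, make Facebook read-only for most users, and deny it entirely to a sensitive unit), combined with the content monitoring mentioned in the preceding paragraph (a posting that matches a sensitive-data pattern is denied even when the group may post). The hostnames, paths, group names, policy rules and sample requests are all assumptions constructed for illustration; a real product uses its own signatures and directory integration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One HTTP request as a proxy or firewall would see it (constructed)."""
    user: str
    group: str          # directory group of the user (assumed attribute)
    method: str
    host: str
    path: str
    body: str = ""      # request body for POSTs, used by the DLP check


def classify(req: Request) -> Optional[str]:
    """Map a request to a Facebook sub-application, or None if not Facebook.
    The host/path patterns are illustrative assumptions, not a vendor's App-ID set."""
    host = req.host.lower()
    if not (host == "facebook.com" or host.endswith(".facebook.com")):
        return None
    if host.startswith("chat.") or req.path.startswith("/ajax/chat"):
        return "facebook-chat"
    if host.startswith("apps.") or req.path.startswith("/apps/"):
        return "facebook-apps"           # third-party applications
    if req.method in ("POST", "PUT", "DELETE"):
        return "facebook-posting"        # anything that changes state
    return "facebook-base"               # read-only browsing


# Policy rules: (group, sub-application, action); "*" is a wildcard.
# First matching rule wins; anything unmatched is denied (default deny).
POLICY = [
    ("finance",   "*",                "deny"),    # sensitive unit: no Facebook at all
    ("*",         "facebook-chat",    "deny"),    # chat blocked for everyone
    ("*",         "facebook-apps",    "deny"),    # no third-party apps
    ("marketing", "facebook-posting", "allow"),   # only marketing may post
    ("*",         "facebook-base",    "allow"),   # everyone else: read-only
]

# Simple content patterns for the monitoring step (assumed, illustrative).
SENSITIVE = re.compile(
    r"CONFIDENTIAL|INTERNAL ONLY|BEGIN (RSA |OPENSSH )?PRIVATE KEY|password\s*[:=]",
    re.IGNORECASE,
)


def decide(req: Request) -> Tuple[str, str]:
    """Return (sub-application, action) for one request."""
    app = classify(req)
    if app is None:
        return ("other", "allow")        # non-Facebook traffic is out of scope here
    for group, rule_app, action in POLICY:
        if group in ("*", req.group) and rule_app in ("*", app):
            # Even an allowed posting is stopped if the body looks sensitive.
            if action == "allow" and app == "facebook-posting" and SENSITIVE.search(req.body):
                return (app, "deny-dlp")
            return (app, action)
    return (app, "deny")


# Constructed sample traffic (not captured data).
SAMPLE: List[Request] = [
    Request("alice", "engineering", "GET",  "www.facebook.com",  "/home.php"),
    Request("alice", "engineering", "POST", "www.facebook.com",  "/ajax/updatestatus.php", "lunch?"),
    Request("alice", "engineering", "GET",  "chat.facebook.com", "/"),
    Request("bob",   "marketing",   "POST", "www.facebook.com",  "/ajax/updatestatus.php", "Launch is Friday!"),
    Request("bob",   "marketing",   "POST", "www.facebook.com",  "/ajax/updatestatus.php", "CONFIDENTIAL: Q3 numbers"),
    Request("carol", "finance",     "GET",  "www.facebook.com",  "/home.php"),
    Request("carol", "finance",     "GET",  "www.example.com",   "/"),
    Request("dave",  "engineering", "GET",  "apps.facebook.com", "/somegame/"),
]


def run(requests: List[Request] = SAMPLE) -> List[Tuple[str, str, str]]:
    """Evaluate every request and return (user, sub-application, action)."""
    return [(r.user, *decide(r)) for r in requests]


if __name__ == "__main__":
    for user, app, action in run():
        print(f"{user:6} {app:18} {action}")
```

The ordering of rules is the whole point: the finance rule sits first so that group is denied regardless of sub-application, and the read-only behaviour for everyone else falls out of allowing facebook-base while leaving facebook-posting unmatched (and therefore denied by default). A real deployment would also log every deny-dlp decision, since a blocked post is itself a signal worth investigating.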
It is hard to block users from access to their favorite social network, but the health and survival of the company take priority. Given the nature and extent of the threats, a systematic review of enterprise-level data security tools and policies is merited. This review should be accompanied by some practical steps that will deliver real progress quickly, such as:
- Develop an overall approach to application security, particularly Facebook.
- Make it a priority to deploy advanced firewalls as quickly as possible.
- Implement an aggressive training program on Facebook best practices for users with a focus on information security, profile and settings.
- Designate specific systems and users (senior managers and others in sensitive units such as finance, legal, and IT operations) that cannot run consumer apps such as Facebook. Create a military-type division into classified and unclassified systems.
- In certain high-risk enterprises, a temporary ban on Facebook access may be justified until updated procedures are in place.
Protecting corporate information has never been more critical, nor the risk to it greater. Because cyber criminals are exploiting Facebook to gain access to enterprise information, enterprises need to act. Blocking is the harshest approach, but newer tools, such as application-aware firewalls, offer access while controlling the risk to the enterprise.
Archived Research.
Copyright © 2011 Aragon Research Inc. and or its affiliates. All rights reserved.