COMMENTARY

Mitigation, not prohibition, is best response to social media’s security risks

David Etue is vice president of products and markets at Fidelis Security Systems.

Although an all-out prohibition might seem to be the simplest way to deal with the security risks of social media, it is not necessarily the wisest approach.

The technology does introduce numerous risks, including the possibility that an employee might speak on an agency’s behalf without approval or even post sensitive or classified information inappropriately. Also, ill-intentioned actors might pose as social network friends to obtain such information — what’s known as social engineering. And as many people have learned, social networks can be a source of malicious code.

However, the benefits of the technology are becoming more apparent every day. Agencies are finding that social networks facilitate both personal networking and massive citizen outreach. They provide good venues for getting feedback from constituents (via Facebook and Ning, for example), locating subject-matter experts (via LinkedIn and others), and communicating with communities large and small (e.g., Twitter and wikis).

By the end of 2009, more than 27 federal agencies had service agreements with Facebook. It's clear that government organizations see value in these platforms.

Given that value, agencies should not resort to blocking all access to social networking or only allowing access by a small number of public affairs experts. The good news is that it is possible to mitigate the risks through a combination of policy, training and technology.

Here are four steps to consider:

1) Ensure existing employee code-of-conduct policies cover social networking. A good start is to update your agency’s computer-use policy to indicate whether it is acceptable to use social networking only for work or for work and personal activities. However, agencies also need a broader policy covering what activities an employee (or contractor) can do on behalf of the agency. If existing policies are updated to include scenarios related to social networking, the agency must get the word out and incorporate the new policies into its employee training.

2) Train end-users on the benefits, risks, policies and agency goals for social networking. It is important to communicate to employees and contractors the agency’s goals for social media — and what their role will be. Much as you would work with an executive to prepare for a press briefing or congressional testimony, you should explain the goals of social networking, who has the authority to speak on the agency’s behalf, what actions and activities are appropriate, and whom to contact with questions and issues.

3) Create official profiles for the agency, sub-agency and key executives on the major social networking sites. This should be done even if those profiles will not be used, and they can be marked as such. This will help head off the creation of fake accounts used for impersonation.

4) Implement technical controls that address how social networking can be used and what content can be posted. Policies must be enforced, and appropriate technology is one important way to achieve that. To be effective, any technology must understand the context of data as well as its content.

Social networking is here to stay. Like commercial businesses, government agencies can and should find ways to maximize its utility. A sound security policy is central to that effort.

About the Author

David Etue is the VP of corporate development strategy at SafeNet. He brings experience and perspective from a number of security roles including security program leadership, management consulting, product management and technical implementation.

