Electronic social networking has taken the world by storm over the last five years. Sites such as MySpace, Facebook and Twitter have grown from relative obscurity to become business giants, forming the basis of modern communication and social interaction. Whilst social networking offers many advantages, especially with marketing one’s business and developing a relationship with customers, it also holds significant dangers.
From a security point of view, online social networking represents untold dangers through information being leaked, stolen or misappropriated by careless or malicious users. In this issue’s cover story, we examine the potential dangers of electronic social networking in the security space.
A social network is a social structure made up of individuals (or organisations) called ‘nodes’, which are connected by one or more specific types of interdependency, such as friendship, kinship, common interest, financial exchange, dislike and sexual relationships, or relationships of beliefs, knowledge or prestige.
In the late 1800s, French sociologist Émile Durkheim distinguished between a traditional society – that which prevails if individual differences are minimised – and the modern society – that which develops out of cooperation between differentiated individuals with independent roles. Today these ‘nodes’ exist in cyberspace and have become big business.
LinkedIn, a recent arrival in the social networking ‘node’ game that targets business professionals, was released onto the New York Stock Exchange at an Initial Public Offer of US$45 per share. It closed that day at US$104 per share, an increase of 132 per cent, which values the business at a staggering US$9 billion, giving it an impressive global stock-ranking of 17 on its first day of trading.
Most 16- to 35-year-olds in the western world will argue that if you do not have a social networking page then you are simply not connected to world affairs. However, given that traditional information distribution avenues still exist – such as radio, television, newspapers and the like – this is an attitude that is very much reflective of Gen Y and the internet generation’s views of modern communications. Social networking is predicated upon the proliferation of interpersonal communication – the ability to see at a glance what groups of friends and colleagues may do doing, thinking or feeling at any given moment. There can be no doubt that social networking represents an important development in mass social communication. Whether or not it is a positive development depends largely on the purpose for which the social network is being used, the individuals using it and the information being shared.
Business Impact
Business advisors now advocate strongly that organisations must get into the social networking phenomenon by having a business social network page or risk missing out on business opportunities and market exposure. With the advent of smartphones, social networking is now portable and mobile, capable of being accessed anywhere at any time. This opens up the debate about workplace productivity. Restricting access to social media pages from work computers will not necessarily solve productivity issues any more, as most employees resort to use of their personal smartphones in an effort to stay connected. The concern is no longer that smokers will take more breaks and produce less; nowadays businesses must monitor employees spending hours every day on their social media pages via their mobile devices.
Social Impact
This availability and proliferation of high-quality recording devices and the ease with which individuals can upload information into the public domain presents some interesting challenges for security – especially given that a picture can tell a thousand words but not always the right words. Five seconds of footage taken out of context can create serious problems. Imagine an incident in which a patron at a club pulls a knife and tries to stab a security operative. The security operative responds by striking and restraining the offender and the incident is filmed by a member of the public. However, only the section of footage showing the security striking the offender is uploaded, with the knife not visible in the film. What you have is a video that is instantly available of a security officer, wearing your company uniform and seemingly beating up an innocent patron. The damage to the firm can be instantaneous and horrendous.
In The Workplace
The Victorian Security Institute recently conducted a member’s workshop on the emerging issue of social media and its impact on the workplace. What is clear from the research provided by expert industrial relations lawyer Nick Duggal from Tresscox Lawyers, is that electronic social media communications about any work activity or person – even if not done at work – is deemed an extension of the workplace and thus is subject to the same laws pertaining to workplace bullying, harassment, discrimination, privacy and so on.
Many examples are now emerging in which employees have engaged in social networking conversations about their workplace or work colleagues, thus breaching anti-bullying, harassment and discrimination laws, resulting in many cases of their legitimate dismissal from employment.
What many people fail to understand, and we are only now starting to see, is that in specific situations, courts deem online environments to be an extension of the workplace. A situation in which two employees are engaged in harassing or bullying a third employee via social media, even after hours, can still constitute a case of workplace bullying. In fact, Brodie’s law – recently passed legislation in Victoria – adds workplace and cyber-bullying to the State’s Crimes Act. Similarly, incidents that take place in one’s personal life and that can be seen to have a direct and negative impact upon a business can also be used as cause for action by employers in the termination of employees. For example, one Mr. Dekort, a full-time bar attendant, had his employment terminated in January 2010 after calling in sick for duty on New Years Eve but his employer (who was also a Facebook friend) observed photos on his Facebook page taken that same night at a New Years Eve party.
For the security industry there are can be other consequences that require understanding and action. Imagine a situation in which two security officers working at a cash-in-transit firm, and are also friends on a social networking site. Whilst online, conversation about their day at work might include some office politics, who they think is ‘licking the boss’s boots’ and what is happening on their rounds. A third party with whom they are also friends now has information about how they conduct their rounds including the who, what, when, why and how. Is their cash-run now safe from a carefully planned attack? This may seem far fetched but we only have to look at real-world examples of such issues to see how easily it can happen.
In July of 2009, John Sawers, the man who was due to take over as the head of Britain’s Secret Intelligence Service, MI6, was exposed in a significant security breach when his wife published intimate holiday photos and intimate family details on her Facebook page. Details published on the site reportedly included where they lived and worked, information about where they like to holiday and details of close friends. Amazingly, Mrs Sawer’s page had virtually no privacy restrictions, leaving the information available to nearly 200 million users.
And HBGary Federal, one of the biggest and most powerful security software organisations in the US, was intending to name and shame a hackers’ collective known as Anonymous, who had been targeting MasterCard, Visa, and perceived enemies of WikiLeaks, when, in 2010, HBGary’s CEO Aaron Barr himself became a target of the hackers. Anonymous used information gained from Barr’s own Facebook page to obtain personal information, which helped them access and corrupt his own website, steal his emails, delete the company’s backup data, trash his Twitter account and wipe his iPad remotely.
An endless number of examples can be given of how unsuspecting interet chit-chat could seriously undermine the security arrangements of a site or business.
Other simmilar examples can be found across a wide variety of organisations:
- In 2011, Hewlett Packard dismissed an executive who accidentally revealed details of its cloud-computing plans when making updates to his LinkedIn profile
- A cellphone handset maker dismissed an employee who revealed details on his LinkedIn profile page about a new and much-anticipated phone they had been covertly developing
- Microsoft recently dismissed an over-enthusiastic employee after he excitedly leaked details about Windows 8 via a blog site.
Whilst these employees may not have had malicious intent, this information was still commercially very sensitive and may have significantly impacted on their market share price, product launch dates and marketing plans.
Legal Impact
An English soccer star recently took out an injunction against the British media to stop them publicly discussing his affair with a reality-TV star. However this didn’t stop tens of thousands of internet users flouting the super-injunction – a stringent and controversial British legal measure that prevents media outlets from identifying him – by revealing his name on Twitter and Facebook.
Can that injunction also apply to private social media users? This has now become an international debate about British laws being enforced on foreign territory. The social media pages have gone crazy with the topic of free speech, many with the attitude that authorities will have no luck in trying to prosecute over 100,000 bloggers around the world.
Does this then make a mockery of injunction laws if unwanted media cannot be stoped due to decentralisation of media control? The responsibility now sits with all social media users, not just with the editor of a broadcaster or publisher.
The recent sex scandal in Victoria involving members of the St Kilda Football Club, AFL players’ manager Ricky Nixon and a 17-year-old girl, who posted nude and compromising photos on her social media site, is another example of where unmanaged media content can have devastating consequences.
Brand And Reputation
Risk Magazine recently featured an article reporting that “brand, image and reputation” have ranked as the top concerns in Aon’s Australasian Risk Benchmarking Survey in the last four years. This concern has risen significantly in 2011 due to the increased use of social media.
News is accessed easily on mobile devices and the internet, driving consumers’ hunger for more content and a quickening of the news cycle. News, however, is costly to gather and transmit, whereas opinions are cheap and are transmitted easily via myriad social networking sites. And this is where the damage can start.
Everyone has an opinion about a company, its brand and its products and services. Social media allows people to broadcast these opinions around the world in an instant. If their opinions are not favorable, they can have a significant impreveal the value of that business’ brand and potentially it’s share price. Alternatively, what happens if a security company has its own forum or blog on which it allows users to express comments and opinions, and those users then express derogatory or defamatory opinions or views about competitor products or services? Who is responsible? Who is legally liable? It is entirely foreseeable that the company hosting the site could be sued as a result of the information on the site. And while it may eventually be found not guilty, merely having to defend the allegation in the first instance can often be a costly and
time-consuming affair.
In light of such issues, many of which remain undiscovered and unexplored in a legal context, it is clear that the security industry needs to undergo a paradigm shift with regard to social media. It is unrealistic to think that this phenomenon will go away or that it can be controlled. The industry may need to consider the following.
With the proliferation of camera phones and social media, security training needs to take into account the potential for security personnel to be filmed in compromising positions. This needs to be emphasised in the classroom and physical training needs to be adapted. One potential solution may be to teach security personnel to vocalise, very loudly, compliance demands. For example, a security officer confronting someone with a knife would need to call out in a loud and clear voice, “Drop the knife,” over and over again. While this is already taught in many classrooms, the requirement takes on new importance in light of potential issues surrounding video.
Company operating procedures need to be rewritten to incorporate a code of conduct specific to the use of social networking and the dissemination of information via social networks. Employment contracts need to be rewritten for all employees to incorporate clauses about breaches of Company policy and the use of social media.
New policies and procedures also need to include guidelines about the storage of sensitive information, including text messages, and on personal devices such as laptops, tablet computers and smartphones. Companies need to build and run a repeated regime of education focusing on the potential dangers of social networking for those involved in security. This should involve regular, structured workshops covering the important issues outlined in the companies’ policies and procedures manuals.
Any new policies developed should not only cover the use of social networking but also other security issues such as the use of passwords. It is naive to think that one can stop or completely prevent the use of such sites. Guidelines must therefore acknowledge that passwords are used to protect a user’s pages, and that those passwords are different to those used to protect company networks or computers. That way, if an employee’s social networking page is compromised, it will not lead to further, more damaging breaches within the organisation.
These are but a few, basic recommendations. Social networking has and will continue to change the way we live, work and interact. The best course of action, therefore, is to be proactive in mitigating potential issues before they become a problem – as opposed to reacting to them after they have happened.