Walking the tightrope: social media and data protection in the enterprise

Within the last decade, social networking tools such as Facebook, Twitter, LinkedIn and others have expanded at a phenomenal rate.

These social media sites, along with webmail, wikis and blogs, are new channels through which an organization's confidential information can be exposed.

With their overwhelming acceptance, how does an enterprise balance the need to allow employees some internet latitude and, at the same time, not expose sensitive data or risk violating any of the increasing data breach laws? It is by no means simple, but there are steps that each organization should be taking to avoid problems.

On the risk side, those who are not paying close attention may not be aware that, in addition to well-known federal laws such as Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), 46 states now have laws that require notification when an individual's confidential information has been compromised. Beyond the loss of individuals' personal information, the loss of confidential corporate information can seriously damage a company as well.

The initial response is often a proposal to turn off or block access to a list of offending sites, but a little analysis reveals the downsides of this strategy.

For one, any organization taking this approach will certainly create a lot of unhappy employees, who will simply blog about the company policy and post it on their home social networking pages.

A second shortcoming of the “block-it” strategy is that filters can be circumvented. A quick search for “how to get around web filters at work” will eventually turn up a workaround for most of them.

Finally, blocking every potentially dangerous site is virtually impossible; new sites appear faster than any block list can be maintained.

As an alternative, an open-minded approach that tolerates the latest social media can have a beneficial side, especially when it comes to recruiting and sales. Employees will speak favorably of the company's stance compared with the Luddite-run companies that block their staff, and there is possibly some favorable press to be gained from this approach as well.

A compromise solution has two parts: administrative controls and technical controls. On the administrative side, the organization must have clearly defined policies explaining appropriate use of the web and social media while the employee is at work, including during lunchtime and breaks, and whenever the company's equipment or network is used. The policy should also address what employees may say about the company from their personal accounts after hours.

Anything that would compromise the company's competitive position should be spelled out. Internet and email policies have been around for quite a while and are expected and accepted. Blogging and social media policies are newer, but they require the same definitions and restrictions to shape the desired behavior. Online examples are available for companies starting from scratch in this area.

Once the policies are in place, the next step is technology. The available technical controls fall into detective solutions (identify and log the exposure) and corrective solutions (block it). Today, data loss prevention (DLP) technology gives organizations the capability to permit social media while avoiding the loss of sensitive information.

A study by the IT research company TheInfoPro indicates that DLP tops the list of planned security expenses for 2010, so it is well recognized as an important part of data security. DLP helps an organization demonstrate compliance with the proliferating regulations, control the use of intellectual property, and govern the movement of personally identifiable information (PII) and electronic protected health information (ePHI).

The DLP technology works in conjunction with a forward proxy. A forward proxy carries internet access for many clients through a single server and provides security, caching and/or filtering. It receives all outbound HTTP/HTTPS and FTP connection attempts and allows or denies each one based on the organization's policies. Before releasing a request, the forward proxy hands the pending transmission to the DLP solution (typically over ICAP) to make sure it contains no sensitive data. One caveat to plan for: the proxy can only inspect HTTPS content if it terminates the TLS session itself, using an internal CA that the clients trust; otherwise it sees the destination but not the payload, and social media sites increasingly use HTTPS.

For its part, the DLP solution examines outgoing traffic and determines whether it contains confidential information. It does this by fingerprinting confidential data at registration time (for example, hashing overlapping fragments of a document, or defining validated patterns for identifiers such as Social Security numbers) and then comparing outbound traffic against those fingerprints to decide whether the content should be allowed outside the firewall.
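To make the registration-then-inspection cycle concrete, here is an added example in Python of the check a forward proxy would ask a DLP engine to run on an outbound request body. It is not code from the article or from any DLP product. The "confidential" document it registers, the outbound posts, the 8-word shingle size and the 3-shingle blocking threshold are all constructed assumptions for illustration; commercial products use tuned, proprietary variants of this partial-document matching.

```python
"""Added example (not from the article): the inspection step a forward proxy
would run on an outbound body before releasing it.  Two detectors are shown:

  * partial-document fingerprinting: a registered confidential document is
    reduced to hashes of overlapping word shingles, and an outbound body is
    flagged when enough of those hashes reappear in it;
  * a pattern detector for one structured identifier (US SSN) with the
    format-validity checks that keep ticket/order numbers from matching.

Shingle size, threshold, the document and the posts are constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

SHINGLE_WORDS = 8           # words per shingle (assumed; real products tune this)
MIN_MATCHING_SHINGLES = 3   # 3 overlapping shingles means 10+ consecutive words copied

_WORD_RE = re.compile(r"[a-z0-9]+")
_SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def _words(text: str) -> list[str]:
    """Case-fold and drop punctuation so reflowing or re-typing does not evade the match."""
    return _WORD_RE.findall(text.lower())


def fingerprint(text: str) -> set[str]:
    """Hashes of every SHINGLE_WORDS-word window.  Only hashes are kept at
    registration, so the fingerprint store does not itself hold the secret text."""
    w = _words(text)
    return {
        hashlib.sha256(" ".join(w[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(w) - SHINGLE_WORDS + 1)   # empty set if text is too short
    }


def find_ssns(text: str) -> list[str]:
    """Return well-formed SSNs only: area 000/666/900-999, group 00 and serial
    0000 are never issued, so digit strings with those parts are not flagged."""
    hits = []
    for m in _SSN_RE.finditer(text):
        area, group, serial = (int(p) for p in m.groups())
        if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
            continue
        hits.append(m.group(0))
    return hits


def extract_text(body: str, content_type: str) -> str:
    """Undo the transport encoding first: a form post must be matched on its
    decoded field values, not on the '+' and '%XX' escaped bytes on the wire."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        return " ".join(v for vals in fields.values() for v in vals)
    return body


@dataclass
class Verdict:
    allow: bool
    findings: list[tuple] = field(default_factory=list)


class DlpPolicy:
    def __init__(self) -> None:
        self._docs: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        """Registration step: fingerprint a confidential document under a label."""
        self._docs[name] = fingerprint(text)

    def inspect(self, body: str, content_type: str = "text/plain") -> Verdict:
        """The question the proxy asks before forwarding: does this body carry
        registered content or a sensitive identifier?  Any finding blocks."""
        text = extract_text(body, content_type)
        findings = []
        body_fp = fingerprint(text)
        for name, doc_fp in self._docs.items():
            hits = len(body_fp & doc_fp)
            if hits >= MIN_MATCHING_SHINGLES:   # absolute count, not a fraction of the doc
                findings.append(("fingerprint", name, hits, len(doc_fp)))
        for ssn in find_ssns(text):
            findings.append(("pattern", "us-ssn", ssn))
        return Verdict(allow=not findings, findings=findings)


# Constructed confidential document registered with the engine (assumption).
CONFIDENTIAL_DOC = (
    "Project Falcon pricing proposal: Acme Corporation will offer the enterprise "
    "tier at 42 dollars per seat per month for the first twelve months, dropping "
    "to 35 dollars thereafter. This offer is conditional on a minimum commitment "
    "of five thousand seats and is not to be shared outside the negotiating team. "
    "Rollout begins in the third quarter."
)
POLICY = DlpPolicy()
POLICY.register("falcon-pricing", CONFIDENTIAL_DOC)

# Constructed outbound request bodies, as the proxy would see them.
LEAK_POST = ("Heard from sales: Acme Corporation will offer the enterprise tier at "
             "42 dollars per seat per month for the first twelve months, dropping "
             "to 35 dollars thereafter. Wild!")
LEAK_FORM = ("status=Heard+from+sales%3A+Acme+Corporation+will+offer+the+enterprise+"
             "tier+at+42+dollars+per+seat+per+month+for+the+first+twelve+months%2C+"
             "dropping+to+35+dollars+thereafter.+Wild%21")
SSN_POST = "HR lost my paperwork, my SSN is 219-09-9999, ticket 000-12-3456 is still open"
BENIGN_POST = ("Lunch at the new taco place near the office was great, five stars. "
               "Back to the enterprise tier pricing grind.")

if __name__ == "__main__":
    for label, body, ctype in [("leak", LEAK_POST, "text/plain"),
                               ("form", LEAK_FORM, "application/x-www-form-urlencoded"),
                               ("ssn", SSN_POST, "text/plain"),
                               ("benign", BENIGN_POST, "text/plain")]:
        v = POLICY.inspect(body, ctype)
        print(label, "ALLOW" if v.allow else "BLOCK", v.findings)
```

Two design points carry over to real deployments. The threshold is an absolute shingle count rather than a fraction of the registered document, because pasting ten sentences from a 300-page contract is still a leak even though it is a tiny fraction of the file. And decoding is done before matching, since the proxy sees form posts as `+` and `%XX` escaped bytes; an engine that matches on the raw wire bytes is trivially evaded by the browser's own encoding.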

When evaluating data loss prevention solutions, it is imperative to examine the complete capabilities of each product and how they apply to your company: which protocols and content encodings it can inspect, how it handles false positives, and whether traffic fails open or fails closed when the inspection engine is unavailable.

In addition to inspecting and blocking social media traffic, some DLP solutions address other data security needs, including data registration and discovery, data encryption, user notification, and logging and reporting. Whether you are in health care, finance, government or any organization with employee records and intellectual property to protect, the main recommendation is to take the first step.