Risk and Social Networking Sites
Introduction
So you are looking to lift your company, education institution or government agency’s web profile…
You do the usual things: rework the main web site, start up blog feeds, revamp forums, establish wiki or other information feeds, acquire/renew SSL certificates so the site can be authenticated as really being a bricks and mortar business. So far so good. All this stuff is under your control on your servers. Your IT team can establish control and security over the software, you can monitor it and get a reasonable level of comfort that you can assure visitors that your site is safe to visit.
Then a consultant advises you that to reach the younger market, or even simply to project a progressive and innovative image you need to embrace the more inclusive social networking spaces like MySpace, FaceBook, YouTube and/or Twitter. “Everyone” is using these sites so they must be safe. Right?
No, wrong.
Identifying the Social Networking Strategy
Let’s look a little more closely at MySpace and FaceBook, specifically. There are three broad approaches to using these platforms in business:
- Teams use the sites to establish private networks for intra-team communication;
- Employees establish individual profiles and use the sites to establish direct customer to staff connections; and
- The business uses the sites (primarily, MySpace in this case) to establish branding for a product or service and allowing the public to friend the product or service, etc.
Analysing The General Risks
Each of these uses, in the right context, carries advantages to the business, so one view of the risk profile would say that not using the facilities is an opportunity cost that may disadvantage the business with respect to the competition, or (in the case of government) achieving the best possible policy outcomes and staying in tune with a target market or spinning the desired message. So the case for adoption might consider possible causes of outcome failures to include:
- Costs of setup and maintenance (staff time, materials preparation, policy formation, training, etc) exceeding tangible and intangible returns;
- Inattention of staff to maintenance of the material – hence tarnishing the organisation’s image rather than enhancing it;
- Inappropriate, inconsistent, or confidential content being posted hence complicating both the public positioning of the business or occasioning legal exposures;
- Inconsistent branding or product/business positioning, where branding and positioning consistency are part of the business image, thus creating confusion in the market;
- Disproportionate effort/investment (time, cost, attention, etc) being injected into maintenance of social marketing at the expense of other marketing or activity streams when measured in terms of comparative effectiveness and efficiency in achieving the business objectives, thus resulting in an overall drop in business performance and a net reduction in outcome achievement;
- Exposure of information that materially benefits competitors more than it advantages the business, thus resulting in a general weakening of the market positioning through more effective and targeted competitor behaviour;
- Market awareness among the target market of potential or actual service consumers of the social services being low while awareness among the non target groups is relatively high, thus resulting in a net reduction in spend efficiency, or no perceived improvement of service among the consumer group.
- Increased allocation of staff resources from finite available resources to maintenance of profiling information and friend interaction at the expense of productive outcomes (the traditional email productivity problem) – thus resulting in a demand for increased resources now for the same transaction outputs as before.
We will identify these collective issues as the overall risk “That adoption of social networking within an Enterprise will fail to achieve intended business objectives” (such as improved brand awareness, improved profit, public acceptance of policy objectives, improved targeting of consumers through better feedback, etc). The risk’s identified causes and consequences can be managed by appropriate remediation strategies and informed through the right measurement systems. They are essentially under your control – if in some cases, only just!
Between the three broad purposes of FaceBook/MySpace adoption there are some additional point-risks (a cause – consequence subgrouping of an overall master risk) that are specific to your purpose for the site(s). For example:
- Objectives 1 & 2 increase the information available to both internal and external recruiters, better enabling them to target your staff;
- Objectives 2 & 3 increase the group awareness of public perceptions of the business and the individuals because comments and feedback posted to the individual profiles by customers (or people pretending to be customers) can be visible to all other customers;
- Objectives 2 & 3 can be hampered by perceptions of low friend counts implying general public disinterest in the service, or the firm, etc.
Identifying The Show Stopper Risk
Again these potential outcomes can, to some extent, be managed, but there is another risk that is potentially far more serious. It is either not under your control or only controlled with an extensive amount of effort on your part. It is squarely in the IT domain, surprisingly traditional and arises directly as a consequence of the social networking medium:
- Client or staff computer infection by Trojan software.
Now, before you go “oh right, that one again”…I fall squarely in the camp of IT professionals who consider that virus and Trojan defences are not a big issue, and relatively easy to manage for both the individual and the enterprise. An enterprise just needs a sensible and proactive defence policy and some basic good house-keeping rules, and common sense. So this is a most unusual thing for me to decide to highlight.
The difference is the nature of the interaction among users and otherwise experienced and knowledgeable staff that a social web site creates. If someone you trust gives you something to look at, in an environment in which you feel secure, you will probably look at it…and that is the essence of the problem. I suspect that users are likely to be less cautious in the social networking context than they are even with email systems – which we know are 98% spam (statistic based on our own email filter logs!).
For some years my IT Audit team ran “Tiger Team” penetrations of secure networks. All IT intrusion specialists understand that, apart from systems that are simply below standard in their defences, effective intrusion generally requires some degree of social engineering – a bit of research on key people to get an idea of the password possibilities and targets, knowledge of where to go to get access (eg. where branches are located, where systems are located in virtual or physical space, etc), physical access (or virtual access) to a weakly protected node, knowledge about work habits, an understanding of human nature, the ability to claim an association with someone else who is trusted, some degree of trust (eg an employee) so you can get others to cooperate with you, knowledge of the technologies in use, the ability to hide in a stream of otherwise normal activity without attracting attention, the ability to attract the attention/assistance of individuals or applications that can facilitate an attack without them realising they are assisting, etc.
MySpace and FaceBook in the first instance, deliver on all these fronts:
- Their nature is to expose personal information about the individuals profiled on the pages – that is, after all, what they are about.
- They provide a common meeting place that is universally known – the MySpace and FaceBook sites themselves. The whole point of using these sites is that the job of getting your market to find you is done, so setting up your own version of MySpace or FaceBook on your web site does not achieve the same outcome.
- They facilitate the knowledge of the technologies in use - Anybody can create FaceBook and MySpace apps, or learn how to create a profile page, or interact with others, etc – it is the entire purpose of and essential to the medium.
- The sites create a false sense of safety. They protect themselves from attack, but not necessarily the users, yet the illusion of a controlled space promotes an expectation that the services available have been vetted, when in fact the nature of the web means that services are no more secure than any other web service.
- They foster trust of individuals through artificial group association when in reality “friends” are simply random potentially unknown individuals who are self selected. While you do not have to accept them, part of the point about using such a medium to promote yourself or your business/product is that you will probably be inclusive rather than exclusive – so clients visiting you should not assume that your other friends are in any way a vetted and approved group (as opposed to a user group forum, who will generally all be actual clients). “Strangers” would be a better, more appropriate term.
- They facilitate the exchange of large volumes of trivia.
Now, all this is not necessarily a problem without the last ingredient. They attract your clients like bees to honey, and because of all the other factors, in the process your clients “open the door” – they click on links of your friends, they view pages with ad feeds fed by a third party and they post things (potentially with links) to your bulletin boards that you do not control, but that others access in trust. And it all happens in real time.
Does this matter? Yes.
Where Theory Meets Reality
Here are some examples:
- In July 2006, 1 million users of MySpace were infected with ad-ware simply by visiting profile pages.
- In 2007, 12 million page views potentially infected up to that number of MySpace visitors with a Trojan.
- This month and last (2009), an unknown number of MySpace and FaceBook users have been infected by the KoobFace Trojan as a result of viewing items added to the postings of friends of others’ MySpace and FaceBook sites. The first thing this Trojan does is contact all your existing “friends” via your site and post messages to them from you with the Trojan embedded in the message (after changing your mood so they are encouraged to take a look!). The second thing this Trojan does is monitor your key strokes so as to collect identity, account and credit card information.
This is just the start of the list. When we tested this, the KoobFace Trojan slipped straight past two of our anti-virus/anti-spy-ware systems unnoticed! Our tertiary network analysis defences spotted the change – but these are security specialists’ tools and not the stuff on normal machines – and we knew for what we were looking. Imagine how infecting the networks and computers of your corporate and public clients would help your market brand. Bad if the client’s protection systems detected the infection attempt – but even worse, if they didn’t! Not only will the Trojan keylogger infection compromise their security, but as they enter the user IDs and passwords to access your client support systems, they will compromise your security.
The first problem here is that you and your IT team do not control the platform – and that is the issue that has to be addressed with all cloud computing solutions. The second problem is that the essence of these technologies is unstructured social interaction (which is good), seemingly in a playground with nice metal fences (which is also good), but really in the middle of a highway, where the cars and trucks are invisible – but just as dangerous (which is not so good).
Wan’na play outside? Yep – why not play in the street?

Not sure that this is true:), but thanks for a post.
Zoran
Social networking sites rely on connections and communication, so they encourage you to provide a certain amount of personal information.
Fantastic and interesting article. We can get more and more information and tips on Risk and social networking. Here they have said that how to analyse the general risks, they pointed out to understand easily. And also given the details of how to identify the show stopper risk. This is really useful article.
http://www.ermsummit.com
http://www.gsmiweb.com
Well, your post is really the freshest on this laudable topic. I agree with your conclusions and will eagerly await your upcoming updates. Saying thanks will not be adequate, for the wonderful lucidity in your writing. I’ll immediately grab your rss feed to stay abreast of any updates. Delightful work and much success in your business efforts!
I guess I’m gonna need to read up some more, but this was a good spring board.
Admirable, thanks for sharing this info. Looks great on my iPhone, but on the Blackberry Pearl’s browser your site comes out a little weird.
I don’t usually reply to posts but I will in this case. WoW
You made some good points there. I did a search on the topic and found most people will agree with your blog.
Firstly, thanks for this post. Although I never post any comment on any blog but this time I thought I should appreciate your good effort and ask you to keep going. I just loved being here.
Thanks for sharing this helpful info!
This is truly awesome! Thanks for making this available
Wonderful insight
I’ve seen progression in every post. Your newer posts are simply wonderful compared to your posts in the past. Keep up the good work!
Hi, I can’t understand how to add your site in my rss reader. Can you Help me, please
There are rss feed buttons in a few spots on each page (look for the rss symbol), as well as the big “subscribe” button in the header on each page, or you can just use this link for your RSS reader:
http://bpc.bishopphillips.com/riskthink/index.php/feed/
This will feed the posts. There is a similar comment feed on the bottom of each page.
Regards
JB
Great post, this will really help me!
Hello there, well I truly see that your published content is rather incisive with a good deal of good data. On the other hand, was wondering whether you would love to interchange links with my site, as I am searching to compile more web links to further inflate and gain better web exposure for my web site. I do not mind you putting my web links at the main page, just having this web links on this page is great and adequate. Also, would you be kind enough leave a message at my web portal if you are keen in swapping links, I would really appreciate that. Thank you very much and hopefully to hear from you as soon as possible!
I never would have thought how much information there was online about this! Thanks for making this all easy to figure out
Hello – I must say, I’m impressed with your site. I had no trouble navigating through all the tabs and information was very easy to access. I found what I wanted in no time at all. Pretty awesome. Would appreciate it if you add forums or something, it would be a perfect way for your clients to interact. Great job
Wow dude, this is really helpful information, much appreciated.
What a great article
Hey could I reference some of the information from this blog if I reference you with a link back to your site?
Can I just say what a relief to discover someone who actually knows what they’re talking about on the internet. You actually know how to bring a problem to light and make it important. More folks have to read this and understand this side from the story. I can’t consider you’re not far more popular since you really have the gift.
Thanks, I learned a lot.
Superb! Generally I never read whole articles but the way you wrote this information is simply amazing and this kept my interest in reading and I enjoyed it. You have got good writing skills.
Firstly, thanks for this post. Although I never post any comment on any blog but this time I thought I should appreciate your good effort and ask you to keep going. I just loved being here.
Nice post! You truly have a wonderful way of writing which I find captivating! I will definitely be bookmarking you and returning to your blog. In fact, your post reminded me about a strange thing that happened to me the other day. I’ll tell you about that later…
Thanks a million for this, I am grateful for the info
Can you email me back, please. Thank you.
Interesting read, perhaps the best article I’ve browsed today. We learn everyday cheers to you!
been a typo, Your weblog seems to be good. Have a pleasant day.
Hello, this is my first time I visit here. I found so many interesting in your blog especially on how to determine the topic. keep up the good work.
I so liked reading your site. Great content. Please continue posting such awesome content.
Excellent content. Thanks for posting.
I very much liked reading your website. Really good content. Please continue posting such awesome content.
Where will it be, I want to read more about this article, thank you.
Intriguing post. I have been searching for some good resources for solar panels and discovered your blog. Planning to bookmark this one!
Cool stuff, thanks for sharing, pretty much on the ball.
Informative Blog! see Mine at Visit My Blog
Informative Blog! Check Mine at http://www.habboretros.net
Hi. I understand a few of your other posts and wanted to know if you would be interested in exchanging blogroll links?
Thanks for the awesome information, good quality, well written, easy to understand the main point, two thumbs up!
Resources similar to what you described here is going to be quite useful to me. I will post a website link to this page on my blog. I am sure my members will find that helpful.
Thanks for sharing
Nice blog!
love this post! A lot of fantastic information for anyone to understand. Can’t wait to read more from you
Hi there may I reference some of the information here in this blog if I provide a link back to your site?
Hey may I reference some of the content here in this post if I link back to you?
One does not often find on the internet as decent articles as yours is. I can’t wait to read some more of your works.