Organizations are adopting social media tools within their networks at increasing rates, yet the legal and compliance risks are often not fully understood or addressed.  A recent Forrester report noted that more than half of security decision-makers and influencers at enterprises reported that they were “concerned” or “very concerned” about the inability to meet regulatory obligations using social media platforms. 

According to the report, critical reliance on third parties for information collection and capture, rapidly rising social media content volume and fast-changing applications, and the difficulty of ensuring authentication all make it difficult for security professionals to keep up with the legal and regulatory compliance associated with social media.

The report suggested that security pros should look to financial services for guidance on social media risks, keeping in mind that retention obligations clearly apply to social media, retention obligations also apply to both corporate- and employee-owned mobile devices, and firms should monitor and provide ongoing training to employees.

Above all, critical steps that security professionals must take in order to respond to the risks that social media poses include the following:

1.  Build effective policies governing social media usage in your enterprise.
Your social media policy should cover what your organization will and will not do online, what your employees can and cannot do, and what members of the public can and cannot do on your social media sites.

2.  Determine how tools that control social media fit into broader information governance.
Look before you leap when it comes to adopting tools that help enforce social media controls and make sure they’ll integrate with your company’s existing systems.

3.  Incorporate flexibility and continuous monitoring in social media.
Social media is constantly innovating end evolving – your organization will need to do so as well.

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.

OK, perhaps it isn’t exactly Christmas, but Data Privacy Day – observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.

As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.

Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your Facebook privacy settings, resources such as videos on how to protect your personal information and privacy, as well as your children’s.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  www.dataprivacyday.org.

And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.

From Facebook to LinkedIn — and all chat venues in between — social media is both good news and bad news for businesses. Many companies take advantage of the low-to-no cost method of promoting their business, but social media also presents an opportunity for large-scale data breaches.

During the course of a seemingly harmless IM chat an employee can instigate a data breach through a file transfer or other means of inadvertently leaking personally identifiable, health, or other sensitive information. A business social networking site can also pose a monumental threat to businesses through phishing attacks disguised as invitations. Although they look legitimate, the messages actually take the targeted victims to a third-party website in an attempt to download malware onto their computers.

A well-crafted social media policy with clear guidelines addressing these and other risks can substantially reduce the number of data breach incidents related to social media use. An all-inclusive social media policy can also help prevent diminished customer trust, lost revenue resulting from a data breach, and the subsequent costs of resolving a data breach.

Although some companies cover social media use in a confidentiality agreement or in an employee handbook, creating a separate detailed social media policy will more effectively reduce the potential for misuse. Your company’s legal or compliance team will have insight on how to customize a best practices policy for your particular business. Also include employees, such as those most active in social media, who will be internal advocates for the policy.

Vital components of an effective social media policy include:

• Strict guidelines for disclosures.
• Content filtering to restrict or limit access to social media websites.
• Procedures ensuring that anti-virus and anti-malware controls are updated daily.
• Standardized training to inform employees of the risks associated with social media use.
• A wireless data policy for mobile device use of social media.
• Corrective actions resulting from noncompliance.
• Policy review schedule to ensure that the policy is revised to reflect new social network or technology developments.

By taking a proactive stance regarding employee use of social media your business will remain a positive presence both online and offline.

In this daunting time of high-wire cyber attacks, when even the most trusted brands are falling prey to tireless hackers, there’s no such thing as being too prepared.  Enter cyber liability insurance, a relatively new area of the insurance industry that provides coverage where general commercial liability (CGL) insurance typically does not.  Unless a cyber insurance endorsement is a part of your CGL insurance, don’t count on your policy to cover the wide-ranging costs associated with a breach – attorney fees, forensic expenses, mailings, call center, credit monitoring, secondary liability expenses, cleanup costs, and so on.  While major companies that service large organizations have been in the game for awhile, more companies are now tailoring coverage for small and medium-sized businesses, which incidentally have become the prime targets for hackers.

Here’s the 411 on insurance that can serve as your company’s 911 for cyber costs and liability:

1.            Breach Costs.  Cyber liability insurance can cover direct and indirect costs associated with a breach, ranging from breach notice costs (including costs associated with providing free credit monitoring to individuals) to damages and defense costs (prompted from lawsuits or regulatory investigations or actions).

2.            Service Provider Breach.  If the breach happens not to your company but to a service provider that handles your company’s data, cyber liability insurance can cover all associated expenses except for internal man-hours squandered on addressing the breach.

3.            Social Media.  If your CGL insurance doesn’t cover social media activities, make sure you obtain cyber liability insurance that does.  With social media becoming an increasing part of any company’s online footprint, it’s critical that your business is covered in this area.  Start by making sure your company has a social media policy in place.

4.            Crisis Management, Business Interruption and Data Restoration.  Cyber liability insurance can help get your systems back up and running and assist with the PR costs needed to get your company’s reputation restored as well.

5.            Denial of Service Attack.  What happens when your company or service provider is shut down by an attack and your company is thus shut down for business?  Cyber liability insurance can cover lost income and repair costs.

Data is a prized asset that warrants its own specific protections.  Make sure ahead of time that your data is properly insured so that when a breach strikes your company isn’t burdened with exorbitant costs along with inconvenience.

Facebook and other social networks have generated a lot of buzz recently due to their data privacy settings and policies.  Unfortunately, many consumers are not aware of these settings and openly share their personally identifiable information.  This reckless sharing has resulted in damages including identity theft and hacked bank accounts.  A recent Ponemon Institute study found that social media users are at greater risk of physical and identity theft due to the information shared online.

Your company may not be active on Facebook or Twitter, but undoubtedly your employees are.  How could what your employees say affect your company or their employment relationship with your firm?  One prime example is the “Cisco Fatty” tweet that cost a recent graduate an internship at Cisco. This example, and many others, illustrates the importance for companies to create a social media policy for their employees.  The policy serves as a tool to help a company monitor and manage what is said online and may help employees think twice before tweeting what’s on their mind.

Some companies simply cover social media use guidelines through a confidentiality agreement or include a few sentences in the employee handbook.  However, some human resource experts recommend creating a separate policy that is discrete and accessible by employees at all times.  Now what is covered in these policies can vary greatly and is contingent on how active the company is involved in social media.

Consult your legal and/or compliance team to define the guidelines that best fit with your company cyber security policies.  The process will be time well spent.