Utilization of Resources and Assets

So we have completed our “H” in the H.U.M.O.R. Matrix. Next, we move on to Utilization. Determining how to track social media usage requires a concerted effort. Utilization analysis aims to identify all the tactical and strategic steps a company takes to create a secure social media framework. Social media places assets at risk in the organization. Assets include hard assets such as technology equipment and soft assets such as a Microsoft SQL customer database or intellectual property information. A process has to be in place to protect assets and determine how security resources are used in the environment, specifically with regard to the changing social media landscape. We divide the Utilization metric into three categories: technology, intellectual property, and copyright. Table 2-6 describes the categories.


Table 2-6 Utilization Categories

Assessing the Current Environment

As you did for Human Resources, you first conduct an assessment of the current environment. For each Utilization category—technology, intellectual property, and copyright—you must take steps to determine your current security posture. Your company has to first assess how social media affects your assets and what is currently being done to protect those assets.

Technology Assessment

After developing a social media security policy (as performed under the Human Resources portion of the matrix), technology is your next line of defense in protecting against social media attacks or inappropriate dissemination of information. The responsibility of the IT or Information Security department is to implement technologies to manage how assets are controlled. Companies that tie their social media usage and interaction to their corporate resources, such as accessing customer information or using payment gateways over social media, must put very robust tools in place to manage social media usage. Online social gaming company Zynga, which makes the popular Facebook games Farmville, Citiville, and Mafia Wars, got hacked by a British IT professional in 2011. He broke into the company’s system and stole 400 billion in virtual poker chips (potentially $12 million in value). Although this didn’t lead to a material loss for the company, it did impact the company’s reputation with customers.

Follow these steps to assess the technology needed to secure social media:

1. Inventory: List all technologies currently in place to secure social media and the mediums used. Focus only on what impacts your social media usage or could impact your social media usage or connectivity to your other assets.

2. Capability: Assess the capabilities of the security technologies utilized in managing assets to manage your social media activities. If a particular piece of technology can’t protect you in the social media world, you are not concerned about assessing it here. For example, if you use McAfee’s Data Loss Prevention solution (www.mcafee.com), you have the ability to block files and confidential data leaving the organization. You can apply this same product to social media channels, such as posting files on a website like Facebook or sending out IM messages with confidential files or information using Skype.

3. Policy mapping: Map the security technology that impacts social media usage to the corresponding requirements in your IT security policies and HR policies. You are reviewing the current environment at this point, so if nothing maps back to policy requirements, don’t try to make it fit. You are focusing only on what works today. You should also map your social media strategy at this point to your social media usage policy. Then, within your IT security policy, you have to build hooks into social media usage and apply the appropriate security tools.

Technology utilization crosses all boundaries in terms of how social media is used in your company and how assets can be put at risk. Social media uses different types of communication channels—from web and mobile social utilities like Facebook (www.facebook.com) to location-based applications like foursquare (www.foursquare.com). Shared cloud services such as Basecamp (www.basecamphq.com) provide collaborative sites for information sharing but open the company to data loss through third-party hosted software services.

Social media applications may be categorized as open source, cloud, or both. Open source applications are based on code made available for public use with certain restrictions. WordPress is an open source application you can download and install, but it can also be accessed as a cloud application. Cloud applications can be open source and are available in a publicly hosted environment. Most social media sites, such as Facebook and Google Buzz, are cloud-based applications. The key risks that need to be assessed when using these technologies include:

• Inadvertently violating the open source license model

• Using open source material in products that are then sold as proprietary

• Not assessing the security controls properly in open source code, making the assumption the code is stable

• Losing future development if the open source project fails

• Violation of third-party intellectual property because a contributor used proprietary code

WordPress (www.wordpress.org) places almost no restrictions on usage, as they state on their website:

WordPress is an Open Source project, which means there are hundreds of people all over the world working on it. (More than most commercial platforms.) It also means you are free to use it for anything from your cat’s home page to a Fortune 500 web site without paying anyone a license fee and a number of other important freedoms.

But contributors could still expose your company to risks other than licensing issues through code infringement or inherent security weaknesses in the code you download.

As just mentioned, most social media platforms are considered cloud computing. Consider that all the data handled by Facebook, Twitter, Blogger.com, Google Buzz, MySpace, YouTube, Flickr, Reddit, StumbleUpon, and so on, is hosted and stored on their servers. You have access to your accounts and data, but you do not know what will happen to the companies running those sites, especially when they do not yet have a business model for revenue in place. Twitter may be extremely popular, but it still does not make enough money to cover its operating costs. What happens to all the information Twitter has gathered if the funding runs out and the company shutters its doors or gets acquired?

Intellectual Property

Once you have understood how technology is utilized in the current environment, you need to look at what your company is doing regarding the next critical asset—intellectual property (IP). Remember, you are still in the information-gathering phase. First ask yourself: What IP do we need to protect and how can it be lost through our employees’ utilization of social media?

In the “Human Resources” section, you determined what your current policies are and where the appropriate policy might be lacking. One specific area to consider is intellectual property. Information about intellectual property can also damage a company. If you determine you need a policy specific to IP, then you must now assess how to utilize that policy. Such a policy can be for your own information, but it can also be for your customers. If your employees have access to customer IP or your own IP, you have to determine how IP management is affected by social media usage.

Follow these steps to assess risks to IP over social media:

1. Determine if IP is currently being sent out via social media sites using technology controls.

2. Determine if you have the capabilities to manage, track, and block IP assets over social media platforms.

3. Determine types of communications used to disseminate IP information, for instance, a Twitter message about your customer’s latest product development or a Flickr photo showing restricted customer information.

4. Determine if your company might be impinging on a customer’s or another company’s IP, for example, by taking data from crowdsourcing sites or social media sites and using it internally within your company. The Nielsen rating company did just this when they captured information from Patientslikeme.com’s forum pages for Nielsen marketing purposes (more on this in Chapter 4).

Finally, as you assess your utilization of technology, list all the tools necessary for protecting IP. Key tools used today for normal IP protection are Data Loss Prevention technologies such as Symantec’s Vontu (www.vontu.com) or Trustwave’s Vericept (www.vericept.com). When you are using social media sites, tools necessary to track IP going out the door should be focused more on URL filtering technologies such as Websense (www.websense.com).
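As an added illustration of steps 1 through 3 above (not part of the original text), the following Python sketch reviews outbound web proxy records for uploads to social media sites that look like IP leaving the organization. The log format, the file-name markers, and the size threshold are assumptions made for this example, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Social media hosts named in this chapter; extend the set for your environment.
SOCIAL_HOSTS = {"facebook.com", "twitter.com", "flickr.com", "youtube.com",
                "blogger.com", "reddit.com", "myspace.com", "stumbleupon.com"}
# Assumption: restricted files carry one of these tags in their names.
IP_MARKERS = re.compile(r"confidential|restricted|proprietary|internal[-_ ]only", re.I)
UPLOAD_METHODS = {"POST", "PUT"}
SIZE_THRESHOLD = 100_000  # bytes sent; assumed cut-off for "a file went out"

# Constructed sample in an assumed format: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2011-03-01T09:14:02 alice GET https://www.facebook.com/home.php 512
2011-03-01T09:15:40 bob POST https://upload.flickr.com/services/upload?title=Restricted_customer_roadmap.jpg 2480113
2011-03-01T09:17:11 carol POST https://twitter.com/statuses/update 310
2011-03-01T09:20:55 dave POST https://intranet.example.com/wiki/Confidential_plan.docx 90211
2011-03-01T09:31:08 erin PUT https://www.facebook.com/photos/upload?name=team_lunch.png 734002
"""

def social_site(host):
    """Return the social media site a host belongs to, or None.
    Matches on a dot boundary, so notfacebook.com is not treated as facebook.com."""
    for site in SOCIAL_HOSTS:
        if host == site or host.endswith("." + site):
            return site
    return None

def assess(log_text):
    """Return one finding per upload to a social site that looks like IP going out."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than guess at their meaning
        _, user, method, url, size = parts
        site = social_site(urlsplit(url).hostname or "")
        if method not in UPLOAD_METHODS or site is None:
            continue  # only uploads to social media are in scope here
        reasons = []
        if IP_MARKERS.search(unquote(url)):
            reasons.append("ip-marker")
        if int(size) >= SIZE_THRESHOLD:
            reasons.append("large-upload")
        if reasons:
            findings.append({"user": user, "site": site, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(finding)
```

The per-site counts from a review like this feed the capability question in step 2: if uploads are visible in the logs but nothing blocked or alerted on them, the control tracks but does not manage.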

Copyright

Copyright protection is very similar to IP protection. An employee can easily compromise her own company’s copyrights and trademarks or infringe upon those of other organizations and individuals. What steps are you taking to assess copyright protection? For example, take a blog post by your Marketing department that references some company or topic. Let’s say they need a good picture to go with the post. They can easily search Google for images and then copy the image and use it in the post. This could lead to copyright infringement associated with your company. Or, what if your Marketing department sends out an e-mail newsletter with copies of stories about a pertinent topic from a magazine or news website? This is exactly what happened in February 2011 to Webcopyplus. The company had to pay US$4,000 to settle a lawsuit based on the fact that a copywriter used an image in a commercial piece of work. The image was available on the Internet, but Webcopyplus neglected to pay for it. [2]

[2] PR Web, “Copywriter Pays $4,000 for a $10 Photo Due to Copyright Infringement,” February 15, 2011, http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/02/15/prweb5061854.DTL.

The other side of the equation is the actual desire to protect certain copyrighted property. This is a business decision and goes beyond the realm of IT or Marketing. Take, for example, Nestlé’s problems in 2010. The environmental group Greenpeace had been targeting Nestlé’s use of palm oil, which Greenpeace says is a source of deforestation and greenhouse gas emissions and threatens endangered species, particularly orangutans. Greenpeace’s video was posted on YouTube, and Nestlé tried to have the video removed, citing copyright. Greenpeace retaliated by having followers change their Facebook profiles and send Twitter messages using Nestlé logos and copyrighted data. Nestlé received a very negative response, as cited by CNET, from “Hey PR moron. Thanks, you are doing a far better job than we could ever achieve in destroying your brand,” to “It’s not OK for people to use altered versions of your logos, but it’s OK for you to alter the face of Indonesian rainforests? Wow!” [3] The brand’s attempt to navigate the social media landscape backfired.

[3] Caroline McCarthy, “Nestle Mess Shows Sticky Side of Facebook Pages,” CNET News (March 19, 2010), http://news.cnet.com/8301-13577_3-20000805-36.html.

Outside of traditional law enforcement tactics to respond to negative campaigns, the company had no strategy in place. This is another reason why companies need digital literacy training and community management best practices, in addition to the general security training already given. Companies must have protection mechanisms in place to track the use of copyrighted assets on social media. Your company has to assess which tools can be used in this arena and the capability of the IT staff to manage those tools and work with Marketing, Legal, and Human Resources to protect those assets. In assessing the need to protect copyrights, utilize the same steps as you do when assessing intellectual property.

Regulations regarding social media are still very vague. Some industries have best practices they would like to apply to social media usage. Industries such as the legal and healthcare professions are already very heavily regulated. Those regulations in theory apply to social media usage as well. There are numerous regulations on the books regarding intellectual property, so these can easily be applied to social media usage. How a company tracks adherence to those regulations in social media poses a new challenge.

Measuring the Current State: H.U.M.O.R. Matrix

Once you have determined the assets that need to be protected and the technologies you need to have in place to protect them, you can complete the next section of the H.U.M.O.R. matrix, measuring your current Utilization capabilities. Table 2-7 shows the key aspects of the Utilization metric you need to track. Let’s go back to our test company JAG to see how it’s doing in this area. JAG rated a Poor due to several key factors, which include:


Table 2-7 Utilization Matrix

• Lack of technology controls in place to monitor what is happening in the environment, from users posting information to tracking customer mentions on social media platforms.

• JAG has no tools to monitor the social media sphere for risk to IP.

• JAG does not know if its own employees might be infringing on other copyrights when posting blog information because it does not strictly control blogging content.
