Social Media Risks and ControlsIt's an 'Arms Race' Between Banks and CyberCriminals
BITS, the technology policy division of The Financial Services Roundtable, has released a white paper that highlights best practices for social media management and policy. Susan Rivers, vice president of corporate communications for BNY Mellon Corp., worked with BITS to publish the social media paper.
With the continual evolution of security risks comes an always evolving response to keeping a company safe, Rivers says. "We need to really emphasize a focused and comprehensive employee awareness and training program," Rivers says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below]. "Employees are always our first line of defense in protecting company information and client information."
For Kennedy, social-media risk assessments are critical to securing a company's private information. They should be conducted periodically as well to make sure the ever-changing risks are appropriately addressed. Social media policies also need to be developed and employees need to be trained. "Building a strong internal social media team of subject matter experts early on really helps with improving the strengths of your posture," Kennedy says.
During this interview [transcript below], Kennedy and Rivers discuss:
- Why and how social-media risk assessments should be conducted;
- How institutions should manage access, not through controls, but through policies and ongoing monitoring;
- The need for clearly defined governance and structure for social media monitoring and policy.
Kennedy joined BITS in 2008. At BITS, he leads BITS Social Media project and works with the organization's Security and Vendor Management programs, where he focuses on cloud computing and email security. Previously, Andrew worked as an IT professional and security consultant with for more than a decade of experience in the biotech and software industry.
Over the last two years, Rivers has helped drive the development of BNY's social media strategy, policy and procedures. Before joining BNY Mellon in 2007, Rivers served as vice president of public affairs for a private university in Rhode Island and previously served as director of executive communications at financial services firm TIAA-CREF. With more than 20 years of experience in print journalism, Rivers has written and/or edited for The Baltimore Sun, Newsday and The Wall Street Journal.
TRACY KITTEN: Andrew, before we get started, could you tell our audience a bit about your role with BITS and why BITS deems social media risks to be a priority for financial institutions?
ANDREW KENNEDY: BITS is a technology policy group that's in the Financial Services Roundtable and works primarily in three areas: regulation, fraud reduction and security. I focus, for the most part, on security, but certainly social media cuts across these three areas. The BITS membership indicated there was growing interest to produce a comprehensive reference document as financial services firms began to explore this space.
Addressing Social MediaKITTEN: And how have BITS and BNY Mellon worked together to address some of these social media concerns?
KENNEDY: BNY Mellon, like many other BITS members, contributed a great deal of time and effort developing this white paper. We started, at the BITS level, at the governance process and began to work our way through the organization and built a working group from our various standing bodies from the regulation fraud and security programs. The social media group began to meet weekly for many months and through many different phases of the development of the document. This was truly a member-led effort, and we have many individual contributors and their organizations available at the end of the paper.
KITTEN: How much time overall went into putting this paper together?
KENNEDY: It went through about six months of effort.
KITTEN: Susan, I'd like to bring you into the discussion. What role does BNY Mellon play when it comes to working with financial entities, as well as corporations, in the social media realm?
SUSAN RIVERS: Our role has been twofold, but always in the context as a member of this group in BITS that worked on this document. That's the one advantage of doing something like this. I think all of the organizations that participated came away with a lot of insights that we were able to glean from each other. For our part, the role has been twofold. I would say, as a communications strategist, not a security expert with BNY Mellon, I was able to bring to the table different kinds of insights, the insight or experience of someone really using this tool every day to enhance the corporate brand and reputation. That provided some added perspective to the development of the paper. Additionally, having already drafted social media policies, procedures and practices within our company, we were willing and happy to share some of our experience and insights with our partner organizations; and in our conversations with them, a lot of our assumptions were tested in return, so it was a win-win in the kinds of information that we shared together.
Areas of ConcernKITTEN: It's interesting. Social media is something that comes up quite a bit in discussions that we have, not just in the financial sector but in business overall. Many financial institutions have expressed interest in social media, and some have jumped in as a way to market and communicate with customers and members. What are some of the primary areas that BITS and BNY Mellon have identified as social media areas where banking institutions need to focus more security and fraud prevention efforts?
RIVERS: Well, some of the primary areas are multi-pronged, if you will. One is reputation and brand risk. The other would involve technology risk, the risk of having our servers and the integrity of our computer systems compromised by malicious activity from outside. Another risk that we've identified comes in unintentional loss of proprietary information. And, of course, one of the risks we're most conscious about would be the loss of private client information, and on all those levels, we address them with some interesting recommendations in the paper.
KITTEN: I'd like to pose this question to both of you. The paper discusses social media compliance, information retention and hiring issues, as well as security risks that range from reputational threats, as you've noted, Susan, to phishing and social engineering exploits. Can you explain a little bit about the information retention and hiring concerns? What risks should institutions be mindful of when it comes to information retention, as well as hiring?
KENNEDY: Social media offers new opportunities for employers and potential new employees to find each other, and we feel that's a very good thing. But organizations are often using social media as a tool to vet employees. Hiring using social media is not unlike traditional hiring practices. Some information, such as age, marital status, medical conditions and others, are considered off limits. Companies need to ensure that this information isn't collected or used during the screening and hiring process.
RIVERS: I might add that some of the employee privacy concerns which Andrew just detailed for recruiting and hiring are very high on the list with the HR Policy Association. They just had a roundtable that discussed these. A lot of organizations and professionals are examining the implications because, again, there is disclosure of company information and trade secrets that companies want to be very, very cognizant of. But at the same time, they also need to be very, very careful to preserve their employees' privacy and First Amendment rights.
Emerging & Evolving ThreatsKITTEN: Andrew, does the paper address emerging and evolving threats that are associated with social media?
KENNEDY: Absolutely. When we were scoping the effort, we cast a wide net looking to build a comprehensive list of risks associated with financial services firms building a social media presence. Our industry is well aware that sophisticated adversaries are targeting us and our customers, so we spent a considerable amount of time looking at the evolving malware and social engineering attack landscapes and how we could reduce the risk to social media users, customers and confidential information.
KITTEN: Susan, I'd like to ask you about threats associated with social media sites and how those have evolved. When we look at sites like Facebook and Twitter, what types of trends are you seeing?
RIVERS: Well, it's interesting. I liken it to a kind of arms race. As people with malicious intent use these tools to either hack into a computer system or steal identity or other private information, companies have to become increasingly vigilant and sophisticated in the kinds of technical tools they use to combat that. We find that as the threats change and transform, companies also need to become more agile in responding. It keeps everybody busy.
KITTEN: If you took a step back and you were to look at the next 18 to 24 months, what threats do you see as being the most challenging for banking institutions when it comes to social media practices?
RIVERS: Picking up on the last answer that I gave, I think there's a continual evolution of security risks, and that means we need to continually evolve our response to those to keep the company safe and keep our clients' information safe as well. But also we need to really emphasize a focused and comprehensive employee awareness and training program. That's key. Employees are always our first line of defense in protecting company information and client information. And ultimately, I think the best way to run a social media program is to break down the organizational silos that might exist in a company, because it's through those silos that we sometimes create contradictory tactics and messages and possibly introduce risk.
Mobile Banking ConcernsKITTEN: That's a great point, Susan. Talking about some of the risk in emerging technologies, Andrew, I'd like to come back to you and talk about the emergence of the mobile banking platform, mobile banking applications and the connection that those platforms and applications have to social media. What concerns do you see there?
KENNEDY: We are seeing a growing connection between these two distinct concepts of mobile banking platform applications, as well as social media. Mobile certainly carries with it its own set of risks, and here at BITS and elsewhere within the industry, there's a lot of thought going into how to secure the mobile space for improved security there. Both concepts are relatively new and, combined, add an additional layer of complexity firms need to remain on top of when considering the combination of these concepts.
KITTEN: Finally, before we close, could each of you share with our audience the top three to five security takeaways you deem most relative in the white paper?
KENNEDY: One of the top things that we think about here is how social-media risk assessments are really becoming critical and should be done periodically to make sure those ever-changing risks are appropriately addressed. Secondly, clear social media policies should be developed that are tailored and not overly broad. Third, training employees to sufficient levels - Susan had mentioned that earlier - and making sure that there are regular updates as new social media threats evolve. Fourth is managing access, not through controls but through policies, ongoing monitoring and training of the situation. Lastly, building a strong internal social media team of subject matter experts early on really helps with improving the strengths of your posture.
RIVERS: I'd like to just add to what Andrew just mentioned, and that is the need for a very clearly defined governance structure so that throughout the company, people know who owns the program, where they can go for advice and guidance as they try to perhaps initiate using social media in their own line of business. I think that can't be overstated.