In the physical world, the most basic concept of security is making sure the doors are locked. But in the social networking world, the challenge for insurance CISOs is to keep the doors open while still securing sensitive data and intellectual property.

"From a security officer perspective, we need to find ways to say 'yes' to the business," says Mike Dockery, CISO, Cincinnati Insurance Companies. "We need to enable our CIOs. If they want to use social media to connect with agents, employees, or customers, it's my role to enable it in a secure fashion."

Dockery realizes networking is going to happen regardless of what CISOs do. "It's going on whether we like it or not, so we have to deal with it," he says. "People have social media on their personal smart phones, their iPads and tablets, and they're using those devices for personal purposes. There are limits to what a company can block or control."

"One of the biggest fallacies companies operate under is that social media won't affect them if they don't 'officially' use it," says Brad Keller, senior consultant and program director at The Santa Fe Group, which performs strategic consulting for financial services companies. "You have companies blocking network access to social media or pretending like it doesn't exist, but it does exist. Companies may as well embrace that rather than trying to control [access to] those sites."

THREAT ASSESSMENT

Not all social media is public, but most insurers think of social media in terms of marketing and customer communications. According to Novarica, use of social media for that purpose has exploded over the past two years compared to other Web 2.0 technologies: 62 percent of carriers reported using social media for customer communications in 2011, versus just 23 percent in 2009. (See "Customer Communication," chart).

"The field and field management have an increasing desire to use social media. Agents are asking for it as another way to connect with customers," says Roy A. Haberman, corporate vice president, New York Life.

But in meeting that need, companies need to control risk. For insurers, the key security risks of social networking include potential data leakage of sensitive information, unintentional upload of malware, and targeting of individuals for social engineering attacks.

"Data being exposed that shouldn't be out there is the single biggest issue risk managers are concerned about," says Don Desiderato, principal in Novarica's insurance practice.

At a basic level, these risks are the same as could be applied to any number of other networking technologies. "Purely from the standpoint of information security risk, social media is nothing new. Security practitioners have always had to worry about data leakage through what employees say or do," says Gary Loveland, US advisory security leader, PwC.

The difference is that social media has made it easier to say and do things that put companies at risk. "Social media established a culture of sharing information," Loveland says.

"If I have a conversation at the water cooler or with my friends over dinner and divulge some information that I shouldn't, that conversation isn't preserved except in the minds of people who were there. With social media, it's shared instantly with the world, and preserved forever," Keller says.

"To some extent, it's the same problem presented by forums, personal Websites, and other online venues," he says. "What social media adds is an incredibly large audience."

Technical security breaches leading to data loss occur through vulnerabilities in Web 2.0 technologies that support social media platforms or are caused by employees downloading malware. Social threats arise from intentional disclosure of information or through social engineering attacks against unsuspecting employees.

TECH THREATS

In a recent report on security, PwC notes social media's flexible Web architecture enables exploitation and compromise. "Web 2.0 platforms are increasingly powerful and designed to enable easy sharing of rich data," Loveland says.

Dockery illustrates that ease and power with a scenario where the data of a hard drive could be stolen via Twitter. The process would involve breaking up the content into thousands of individual tweets that are sent and then reassembled remotely.

"Web 2.0 is an amazing, very reliable communication technology. But if you aren't monitoring your outbound Twitter feed appropriately, an entire hard drive can disappear without our knowledge," he says.

"The same strategy is true for viruses," Dockery adds. Virus writers can place pieces of viruses on individual sites that are reassembled into a final code piece when all are downloaded.

"You can't detect those types of viruses based on a single virus signature because that signature doesn't exist until after it's already on the user's machine," he says. "Web 2.0 technology has enabled a strategy for virus delivery that some filters can't catch."

Past successes have reinforced the behavior: cybercriminals increasingly use social media to infiltrate companies for financial gain or simply to cause mischief.

"If you look at it from the hacking side of the business, people are willing to spend a lot more time doing 'data mining' exercises that can be done more easily thanks to social media, to target a specific company, and to even develop a well-defined and rigorous process for monitoring that information due to the success of their efforts," Loveland says.

"Hackers are increasingly sophisticated. They are trying to triangulate data from multiple sources, including social media, and bring that information together because that effort leads to outcomes that are successful by their standards," he adds.

On the other hand, Dockery sees the potential of social media and the related rise of mobile devices to help lessen the risks associated with some other areas of electronic communication.

"Social media and mobile device management are connected. As a result, 'holes' into the corporate network that companies needed to create when those devices didn't exist can be closed," he says. "For instance, the fact that employees can communicate over social media channels on personal devices allows us to shut down some openings into our corporate network that were required to access personal Webmail."

MEDIA AS METHOD

In addition to technology vulnerabilities, social media has the increased potential to expose sensitive data and intellectual property because of what Desiderato calls an "almost dangerous level" of assumed trust.

"A lot of carriers are worried that when people are collaborating on social media sites, even if it's only internal employees, they are going to reveal sensitive data," he says. "It's easy for someone to say 'give me your name and password so I can get into the system and look at the details you're talking about,' and people will do that because the nature of social media is around trust."

Social engineering takes further advantage of the trust-based nature of collaboration media, enabling cybercriminals to pose as coworkers and colleagues behind an electronic cloak.

"Social networking sites do have their own security. There are apps for consumers to prevent them from being victims of scams. Companies have their own firewalls and security software and strategy. But ultimately technology is only of so much use because the real challenge of social media attacks is that they are done socially," says Chet Wisniewski, senior technology advisor for Sophos.

"People put information on social networking sites that they wouldn't otherwise reveal publicly. Customers, employees, and stakeholders can all reveal information about your company. And because that information is now out there, people are gathering it and using it. It's definitely a richer target for someone who wants to do something unethical," says Tom Andreesen, managing director in Protiviti's social media risk practice.

"The password resets on corporate systems often ask employees to confirm personal information," says Loveland. "That information often can be very easy to obtain as people include it voluntarily, along with identifying their employer, on social media sites, enabling virtually anyone to use that information as a phishing exercise or to gain access to corporate systems."

And with social engineering, the disclosure of seemingly innocuous information can put companies at risk, Wisniewski observes.

"If I were to want to get into a company's network to conduct some sort of espionage, sites like LinkedIn can be a goldmine of information," he claims.

For instance, a cybercriminal could search for employees who are new to a company, then pose as one to call the IT department. "I can ask a lot of questions, say I'm new, ask for a password reset, and so on. I have credibility in asking as the 'new guy,' and I can play on people's natural trust and willingness to help," Wisniewski explains.

PROTECTION STRATEGY

Insurers need to create a multi-tier protection strategy, starting with establishing policies and procedures that govern the use of social networks and corporate information.

"Something as simple as a social media policy is lacking at some insurers," says Desiderato. "Some really haven't built any governance around the social media security process."

"We do see that a lot of companies have a very flimsy social media use policy," agrees Andreesen. "If they don't have a policy, they should create one. If they have one, they should monitor it, maintain it, and be sure employees are aware of it."

Dockery believes the security profession has simply taken time to adapt to the new world of social media. "A year ago, the gap we had was that there weren't enough templates around best practice policies that we could use to train people," he says. "Today, you can go out and there are hundreds of social media policy templates."

PwC identifies several key areas of a security policy that includes social media. Insurers should classify data so employees understand precisely what is—and is not—sensitive information, and who is authorized to share that information. They also should specify the types of social networking accounts that the company sponsors and how sharing of data via those sites is allowed. Policies can specify who is responsible for different types of communications and who has oversight responsibility for social media.

"Having a person or group of people with clear responsibility for security is essential," Loveland says. "That may sound obvious, but too many companies overlook it."

Businesses must then educate employees on those policies and the need to protect intellectual property and sensitive information, and they should fully detail the consequences of noncompliance.

BEYOND POLICY

But policies have their limits. "It's important you train people as part of your control process, but it's difficult to extend that training to people who aren't under your control, such as agents and customers," Dockery says. "They are going to post and send things, regardless of what your policies are. You are going to need to capture and track to solve the 'he said, she said' situations. Capture should be part of both your security and compliance strategies to compensate for these potential external risks."

Social networking data capture has been a bigger concern for insurance carriers outside the P&C sector and for other financial institutions that have to comply with FINRA or SEC guidelines regarding the ability to capture, index, and archive electronic communications. However, P&C carriers can learn from the practices of other sectors because data capture guidelines and capture technology both include an implicit security component.

Up until a few years ago, New York Life had no choice but to say no to the requests of its sales force because, according to Haberman, the technology to comply with FINRA and the SEC regarding social media wasn't available.

"Unless we could meet the requirements to archive [social media interaction] as a type of electronic communication, as is done for email, we could not use it," Haberman says.

Deploying Socialware's Compass software for compliance gave New York Life the ability to define and automate policies around social media use, including the extent of online activity that representatives are allowed to do. For instance, New York Life prohibits agents from 'liking' on Facebook, using apps on Facebook and LinkedIn, or re-tweeting.

"Those are all types of activities that could be construed as 'endorsements,'" Haberman says.

Compass allows insurers to capture, index, and archive the interactions in Facebook, LinkedIn, and Twitter. It also lets companies control content that is considered non-compliant and prohibits it from being made public via social media, adding a layer of information security.

TECHNICAL DEFENSE

Although sound policies and processes are essential, insurers must not overlook effective security technology. "Because social media solutions can be deployed readily and made externally available, we're seeing they're not treated with the same rigor and testing and security design," Andreesen says.

"Companies don't do the same layered approach that they would use for other solutions," he elaborates. "They have to treat social networking solutions just like they would for a major enterprise app rollout: make sure the security and technology teams are involved so the design is appropriate, so there is consideration for how that asset is linked into existing corporate assets, and so on."

To that end, insurers must use multi-layered security solutions that monitor for malware, data leakage, and other suspicious activity. Loveland says a gap assessment around data leakage often leads to surprising results.

"As part of the 'white hat' [penetration testing] services we perform, we do a search for critical data and intellectual property," Loveland says. "We often find that where data is supposed to be, it is properly secured. But we also find a high percentage of data that is in places where it shouldn't be. People take extracts, make copies, dump it into spreadsheets, and now put it on social media. So instead of being protected, it's exposed."

Loveland stresses that, as hackers become more aggressive in their attacks on social media, businesses must step up the use of traditional protection tools to verify incoming content and traffic and detect cross-site scripting exploits and phishing. Content filtering using spam blockers and anti-virus applications should be used to block or allow a communication based on analysis of its content. Identity and access management controls and multifactor authentication should be used to help stop authentication hacking.

In particular, data loss prevention (DLP) technology that can identify sensitive data at rest, control its usage at user end points, and monitor or block its movement across network perimeters should be extended to social media platforms. "If I'm doing work and I have access to the payroll file, and I attempt to move data across the network to either a file or outlet that I shouldn't, DLP should not allow an unencrypted transmission out. DLP can be essential," says Loveland.
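As an added example (not code from the article, PwC, Sophos, or any vendor named here), the Python below shows what monitoring an outbound feed and a DLP-style check look like in one small reviewer for a corporate account's posts: it holds posts that carry sensitive patterns, as Loveland describes, and flags high-entropy encoded runs with part numbering, the feed-level signature of the chunked-tweet exfiltration Dockery outlines earlier. The sample posts, the SSN and keyword rules, the entropy threshold and the part-count limit are constructed assumptions.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed sample of outbound posts from a monitored corporate account. The last
# four mimic a file split into numbered parts (the exfiltration-over-Twitter scenario);
# the payload is arbitrary pseudorandom bytes, not real data.
_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
_B64 = base64.b64encode(_PAYLOAD).decode()
SAMPLE_POSTS = [
    "Great to see so many of our agents at the regional conference today!",
    "Thanks for the question, please call our service line at 555-0100.",
    "Can you pull the file for SSN 123-45-6789? Customer is on hold.",
] + [f"{i + 1}/4 {_B64[i * 120:(i + 1) * 120]}" for i in range(4)]

# Content a DLP-style check would hold for review (constructed rules, not a vendor's).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_marker": re.compile(r"\b(confidential|internal only)\b", re.I),
}
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-like token without spaces
CHUNK_MARKER = re.compile(r"^\s*\d+/\d+\b")        # "3/4 ..." part numbering

def shannon_entropy(text):
    """Bits per character: English prose is roughly 4-4.5, base64 of binary about 5.5-6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def encoded_chunks(post, min_entropy=4.8):
    """Space-free tokens of 40+ chars whose entropy is too high for ordinary language."""
    return [m.group(0) for m in ENCODED_RUN.finditer(post)
            if shannon_entropy(m.group(0)) >= min_entropy]

def review_post(post):
    """Reasons to hold one outbound post; an empty list means it may be published."""
    reasons = [f"sensitive:{k}" for k, rx in SENSITIVE_PATTERNS.items() if rx.search(post)]
    if encoded_chunks(post):
        reasons.append("high_entropy_encoded_run")
    if CHUNK_MARKER.match(post):
        reasons.append("chunk_sequence_marker")
    return reasons

def review_outbound(posts, max_encoded=2):
    """Per-post findings plus a feed-level alert once more than max_encoded posts carry
    encoded runs, the signal a single-post filter misses in a chunked transfer."""
    findings = {i: r for i, p in enumerate(posts) if (r := review_post(p))}
    encoded = sum("high_entropy_encoded_run" in r for r in findings.values())
    return findings, encoded > max_encoded
```

Calling `review_outbound(SAMPLE_POSTS)` holds posts 2 through 6 (the SSN post and the four encoded parts) and raises the feed-level alert, while the two ordinary posts pass.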

But Wisniewski believes DLP doesn't have as big of a role in the 144-character world of social media as it does in other online venues, such as email. "To stop truly accidental transmission, DLP tools can detect the inadvertent cut and paste of small segments into social media, but you can't paste a whole spreadsheet into a Facebook post," he says. "Also, if you have a disgruntled coworker intent on causing trouble, they can get around DLP safeguards."

Although insurers tend to focus on security around social media accessed from in-office hardware, Loveland says that mobile devices such as smart phones and tablets running robust Web 2.0 apps are likely to become the next frontier for hackers. "It's important that a company's security policy protects any endpoint device and the data on it," he says.

STRIKING A BALANCE

The rapid evolution of social media and the devices used to access it keeps CISOs in a reactive mode. "There tends to be a 12-18 month lag before a tool shows up that can really address the security behind new devices and vulnerabilities," Dockery says.

In fact, despite the risks of social networking, only 40 percent of respondents to PwC's 2010 Global State of Information Security Survey reported their organization has security technologies that support Web 2.0 exchanges. In addition, a little more than one-third audit and monitor postings to external blogs or social networking sites, and only 23 percent have security policies that address employee access and postings to social networking sites.

"The insurance industry is really just looking at security around social media now," says Desiderato. "Carriers have realized that social networking is part of the culture. They are starting by attacking it through a governance perspective, and the vendor market is starting to heat up and build solutions around what is said on social media."

The best policy balances access and control and employs a defense-in-depth strategy that involves both business and IT.

"IT needs to partner with the business to say we're not going to block or restrict you, we're going to try to help you, and we would like you to help us by doing and not doing certain activities," Wisniewski says. "Companies need to provide technological defense, but they also need social behavior change in addition to technology."

For CISOs, the continued challenge will be to find ways to say "yes" to the business, while protecting users from themselves.

"Understanding the ownership and control challenges around social media and accepting the fact that you can't rely on technology alone to protect you are the first steps. The good thing is there has been an increase in the development of effective social media policies and an awareness of security around social networking in general," says Dockery.

"As always," he adds, "an essential part of security is the 'firewall between the ears.'"
