Financial Services Organizations: How to Stop the “Other” Social Media Threat
By BUFFERZONE Team, 5/02/2017
When it comes to guarding against data leaks, financial services organizations have been on high alert for several years, and that vigilance is justified. As we have noted previously, cyber criminals target financial services institutions four times more frequently than organizations in other sectors, and there is no slowdown in sight.
In light of this non-stop threat, financial services organizations have invested significantly in various technologies to keep the bad guys away from their networks and data. But there is another, less obvious area of the threat surface they must fortify as well: employees using social media.
Snooping on an Unprecedented Scale
Financial service organizations are being urged — and legally mandated in some jurisdictions — to take proactive steps that prevent employees from accidentally or ignorantly posting sensitive or confidential information on social media. As noted by Harvard Business Review: “Leaks are nothing new; companies have been eavesdropping on each other forever. But social technologies open new channels that permit snooping on an unprecedented scale.” And a McKinsey & Company survey found that the number one risk that executives associate with social media usage is leakage of confidential information, followed by inappropriate intellectual property distribution.
The (Accidental) Enemy Within
The problem is that when it comes to social media and data leaks, financial services organizations have traditionally focused on thwarting spear phishing and keeping the bad guys out. The possibility that employees themselves post sensitive information on Facebook, Twitter, LinkedIn and other social media platforms is a different kind of cyber threat. No, it does not involve an external adversary. But yes, the risk is real, and the consequences can be severe, costly and lasting.
More Training is Not the Answer
Ideally, organizations could plug this gap with end user training, but the evidence says otherwise. Seventy-five percent of executives surveyed by the UK government’s global best practice consultancy AXELOS felt that training was not “very effective” at changing employee behavior regarding information security. And an Identity Week survey of 250 IT security professionals found that 80% of them think end users routinely ignore security rules.
New Problem, New Solution
Using strategies and tactics from an old playbook, such as more end user training, is not going to solve this problem. It is a new problem, and organizations in the financial sector need a new solution: read-only browsing.
As the term suggests, read-only browsing allows employees to access social media platforms and sites to do their day-to-day job, but blocks them from posting, updating pages or commenting. As a result, sensitive information cannot be mistakenly shared from a managed endpoint, and employees cannot put their organization’s data or reputation at risk with a tweet, comment, like, upvote and so on. Note the scope: the control governs what leaves the corporate browser, not what an employee does from a personal device. Even so, one seemingly harmless action from the office could doom an M&A deal, send a stock price plunging, trigger a customer uprising, and put an organization in the headlines, and on regulators’ radar screens, for all of the wrong reasons.
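The page does not say how BUFFERZONE's product enforces a read-only rule, so the following is an added illustration rather than the vendor's code: a decision function of the kind a filtering web proxy could run to apply read-only browsing to a set of social media hosts. The host names, paths, policy table and sample requests are all constructed for the example. It goes one step beyond the paragraph above by showing two things a method-only filter gets wrong: some sites fetch read-only data over POST (so a blanket POST block breaks reading), and WebSocket upgrades or method-override headers can carry a write past a naive filter.

```python
"""Illustrative read-only browsing policy for an HTTP filtering proxy (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Request methods whose defined semantics are read-only (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed policy table: hypothetical domains, not a real product configuration.
# A subdomain inherits its parent's entry. "read_posts" lists path prefixes where the
# site fetches read-only data over POST (e.g. a query endpoint); those must stay open
# or pages stop rendering, so they are allow-listed explicitly rather than by method.
READ_ONLY_POLICY = {
    "example-social.test": {"read_posts": ["/api/graphql/query"]},
    "example-micro.test": {"read_posts": []},
}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _policy_for(host):
    """Return the policy entry whose domain equals, or is a parent of, host."""
    host = (host or "").lower().rstrip(".")
    for domain, entry in READ_ONLY_POLICY.items():
        # Require a dot boundary so "notexample-social.test" does not match.
        if host == domain or host.endswith("." + domain):
            return entry
    return None


def decide(req):
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    parts = urlsplit(req.url)
    policy = _policy_for(parts.hostname)
    if policy is None:
        return "allow", "host not covered by read-only policy"

    hdrs = {k.lower(): v for k, v in req.headers.items()}

    # A WebSocket would give the page a write channel the method filter never sees.
    if hdrs.get("upgrade", "").lower() == "websocket":
        return "block", "websocket upgrade to read-only host"

    method = req.method.upper()
    if method in SAFE_METHODS:
        return "allow", "safe method"

    # Reads tunnelled over POST: allow only the listed endpoints, and only when no
    # override header could turn the POST into a PUT/DELETE at the application.
    overridden = "x-http-method-override" in hdrs
    if method == "POST" and not overridden and any(
        parts.path.startswith(p) for p in policy["read_posts"]
    ):
        return "allow", "POST to allow-listed read endpoint"

    return "block", f"{method} to read-only host"


if __name__ == "__main__":
    # Constructed sample traffic for a quick manual run.
    samples = [
        Request("GET", "https://www.example-social.test/feed"),
        Request("POST", "https://www.example-social.test/api/status/create", body=b"text=hi"),
        Request("POST", "https://www.example-social.test/api/graphql/query", body=b"{}"),
        Request("GET", "https://www.example-social.test/feed",
                headers={"Connection": "Upgrade", "Upgrade": "websocket"}),
        Request("POST", "https://intranet.corp.test/wiki/edit"),
    ]
    for s in samples:
        verdict, reason = decide(s)
        print(f"{verdict:5} {s.method:4} {s.url}  ({reason})")
```

The allow-list is the part that needs maintenance: when a site changes its read endpoints, the proxy either starts blocking page loads or, worse, lets a write through a path that used to be read-only, so the policy table should be reviewed against the site's actual traffic rather than set once.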