The issue of cybersecurity touched off a hot discussion here, so I thought I'd share a few more things I learned from talking with Hewlett-Packard Co.'s (NYSE: HPQ) Rebecca Lawson earlier in the week. (See: Is Social Networking Increasing Cyberthreats? and HP Targets Cyberthreats.) One of the more interesting takeaways: Security breaches via social networking are not a technology problem but a people problem.
I know this isn't a new concept, but bear with me. HP's midyear security report noted a contradiction: New security vulnerabilities are not being discovered (or reported) as frequently as they were in the past, but attacks continue to increase. This indicates hackers are getting better at capitalizing on known, unpatched vulnerabilities and don't really need to find new ones in order to exploit systems.
The most frequent types of problems coming in through these gaps are associated with a well-meaning user clicking on the wrong link. These URLs look legitimate, and the page behind them may be an exact copy of an approved site. Most users won't even know anything is wrong. I won't go into the technical aspects -- cross-site scripting (XSS) vs. SQL injection (SQLi). The data is scary enough. HP reports both types of attack use existing security gaps to get at data. SQLi accounts for 68 percent of total Web application attacks discovered in the first half of the year; XSS accounts for 21 percent.
Any Facebook user knows it's virtually impossible to resist opening a message or a link or a Friend request. In terms of lost business productivity, social networking has become the new online shopping. My personal social networking guru (and EBN contributor) Andy Lawson points out that social networking is no worse than any other means by which a hacker gains access to a corporate network. The key is educating users on the dangers of seemingly friendly links.
Social media is merely another venue for massive amounts of data that can be abused. So do you ban it? HP's Lawson says the technology to tackle just about any known threat exists. One of the key strategies around enterprise security, she says, is discovering the gaps between existing silos of IT. Another is embedding the awareness of these gaps throughout the enterprise.
"A lot of [the problems] around social networking are people and culture issues," she says. "The first step is to have the right levels of awareness within the enterprise and build it into your people and culture."
I'm trying to think of a catchy slogan around the idea. Is "think before you click" already taken?