© 2012 Deloitte Development LLC. All Rights Reserved.
Contents
• Overview of Social Media
• Drivers and Benefits of Social Media
• Social Media Risks
• A Governance, Risk, and Compliance (GRC) Roadmap to address Social Media Risk
  (Roadmap stages: Governance, Risk Assessment, Policy, Awareness Communication, Controls)
Evolution of social networking and media
Web 1.0 – Inspired by the Industrial Age
• Hierarchical (hierarchy controls and regulates)
• Linear interaction – simple minded
• Organizations innovate
• Organizational segments
Web 2.0 – Information Age
• Democratic (community controls and regulates)
• Network relationship – complex
• Customers provide the innovation
• Customers provide the segmentation
Web 3.0 – The Age of “Expertise”
• In recent years, end users have taken control of the Internet, transforming its use from a monologue to a dialogue.
• Collaborative problem solving and innovation are leading to higher productivity.
• Users’ expectations of performance are driven by technology.
• SoCoMo – Social, Cloud, Mobile & BYOD (Bring Your Own Device)
“The differences between traditional and social media are defined by the level of interaction and interactivity available to the consumer.” – An ISACA Emerging Technology White Paper
Social media revolution
Social media…it’s everywhere!
Source: YouTube, Socialnomics 3 [Video]. http://www.youtube.com/watch?v=fpMZbT1tx2o
Did you know? Social media
• Of the Fortune Global 100, 65% have active Twitter accounts, 54% have Facebook fan pages, 50% have YouTube video channels and 33% have corporate blogs
  – 2010 Burson-Marsteller study
• 75% of Internet users worldwide visit social networks or blogs; 22% of the time spent on Internet usage is spent on social media activities
  – Nielsen Corporation, April 2010
• Facebook has more than 845 million users, making it equivalent in population to the world’s third largest country
  – Facebook.com, WorldAtlas.com, July 2011
• More than 250 million users access Facebook through mobile devices and are twice as active as non-mobile users
  – Facebook.com
Social media landscape
Social media spans: virtual community, entertainment, multimedia, review & opinion, collaboration, and conversation.
46% of smartphone users (1)
(1) “The State of the U.S. Mobile Advertising Industry and What Lies Ahead”, comScore, June 2011
“Social media technology involves the creation and dissemination of content through social networks using the Internet.” – An ISACA Emerging Technology White Paper
Social media platforms
Social media are highly accessible, scalable methods of online communication and social interaction, which allow the creation and exchange of user-generated content.
There are 7 main types of social media platforms:
• Social Networking
• Social Bookmarking and News
• Wikis
• Blogs
• RSS (Rich Site Summary)
• Presence and Microblogging
• Online Photo and Video Sharing
Business drivers for social media
The adoption of social media as a business tool is rapidly increasing and can bring tremendous value
1. Increase productivity and operational efficiencies through collaboration and communication
2. Foster creativity, innovation, and collaboration
3. Enhance customer and stakeholder relationships
Human resources example – D Street
• D Street is Deloitte’s internal talent networking tool
• Over 47,000 active profiles with about 120,000 views per month
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Discussion Point
• Does your organization have an official policy for social media use?
• What is the average total productivity decrease for companies allowing employees to access social networking sites at work?
  1%   1.5%   12%   52%
Social media incidents and risks
• Employees at a Medical Center in California posted patient information on a social network. Five nurses were subsequently fired.
• An employee used a social network to post insulting comments about the city shortly before presenting to the worldwide communications group.
• A customer of a big airline carrier shared a video of a detailed complaint online, which caused a $180 million (10%) market cap impact.
• A major news corporation’s social networking account was compromised. The hackers posted a false message that an airliner had crashed at Ground Zero.
Risks illustrated: Privacy Risk; Regulatory Compliance Risk; Loss of control over content; Brand/reputation Loss; Negative Publicity; Identity theft; Impersonation
Social media – high-level threat landscape
The advent of social media into the corporate environment brings multiple risks to the Data, Technology, People, and Organization.
Dimensions: Organization, People, Technology, Data, Public
Threats across these dimensions include:
• Unauthorized Disclosure
• Intellectual Property leakage
• Vulnerabilities
• Identity Theft
• Brand / Reputation Loss
• Unsatisfied Constituents
• Impact network availability (DoS)
• Virus / Worms / Trojans
• Loss of Productivity
• HR Policy Violations
• Social Engineering / Impersonation
• Privacy Risk
• Trademark Infringement
• Loss of Control Over Content
• Copyright Issue
• Lack of Situational Awareness
• Negative Publicity
• False Impression / Misguidance
Social media attack illustration – pretexting
The more someone knows about a person, the easier it is to impersonate them both electronically and in person to unwitting staff (Helpdesk, physical security personnel, etc.)
1. Pretexting target selection: The hacker sees that a user has repeatedly mentioned bad experiences with the ATM of Bank Q on a social network.
2. Gain a toehold: The hacker looks for info provided on unsecured social media profiles and collects key info (DOB, hometown, employer, picture of a new baby or car).
3. Deep discovery: Access to the account provides further information, including home and mailing address, that can be used to redirect mail or examine transaction history, giving even more exploitable clues.
4. Exploit leverage: Using the information gathered, the hacker can exploit multiple channels to execute a password reset of the user’s account at Bank Q.
Detour: Brand and Crisis Management
Real-time social media conversations → blogs, news articles, videos → search engines → caching, permanent archives
Discussion Point
• Do you think your organization is currently prepared to handle social media risks?
• What areas are currently well covered? What areas are not?
• What tools do you have in place to help?
• What percentage of American employees watch online videos in the workplace?
  2%   19%   51%   64%
Current Observations - social media controls
The control of social media in the corporate environment lacks consistent practice. Based on our observations, organizations’ control approach generally falls into the following categories:
• No Policy
• Block*
• Limited Access
• Controlled Access
* It should be noted that blocking and limiting users’ access to social media sites only works within the corporate network environment. There are no effective ways of restricting users’ access when they use public Wi-Fi, hotel networks, home networks, cellular networks, etc.
Fact check - Deloitte LLP’s Ethics and Workplace Survey
• 74% of working Americans believe it is easy to damage a brand’s reputation via social networking sites, though relatively few organizations are actively creating strategies and policies;
• 1/3 stated they never consider what their boss, colleagues, or clients think before posting materials online;
• 53% of employees believe that their social networking activity is none of the employers’ business;
vs.
• 60% of executives state the organization has a “right to know” how employees portray themselves and their organizations online, with 30% acknowledging informal monitoring practices;
• 49% indicate that, even if there were a policy in place, it would not affect their behavior.
Source: http://www.deloitte.com/view/en_US/us/About/Ethics-Independence/
Auditing social media – from a GRC perspective
An implementation includes:
• Evaluation of the entity’s involvement in social media
• Alignment of strategy and the business objectives
• Identification of the target audience and how each uses social media
• Mapping of risks to the social media practice
• Prioritization of organizational resources to address the risks
• Establishing accountability and ownership of the controls
• Supervision of the release of content to social sites
• Implementation of process and technology controls
Roadmap elements: Strategy and Governance; Strategic Plan; Risk Identification and Analysis; Policy Education; Monitoring; Establish Responsibility and Ownership; Align the control activities to the overall strategy
Auditing social media - strategy and governance
• Has a risk assessment been conducted to map the risks to the enterprise presented by the use of social media?
• Is there an established policy (and supporting standards) that addresses social media use?
• Do the policies address all aspects of social media use in the workplace—both business and personal?
• Has effective training been delivered to all users?
• Do users (including employees) receive regular awareness communications regarding policies and risks?
Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].
Auditing social media - risk assessment
The agency should consider the following when identifying social media risks:
• Risks of using social media as a business tool to communicate with customers or constituents
• Risks of employees accessing social media sites while on the corporate network
• Risks of using social media tools from corporate-issued mobile devices
• Risks of employees’ personal use of social media from home and personal computing devices
Analyze risk impact: How will it adversely affect the organization? What functions would be impacted? How likely is it to happen?
Examples: People | Loss of Productivity; Data | Unauthorized Disclosure; Organization | Reputational Loss; Technology | Virus/Worms
Auditing social media - social media policy
Key Guidelines
Business Use of Social Media
• Does the policy address intellectual property rights?
• Does the policy require monitoring of all content posted on social media sites?
• Does the policy give careful consideration to reviewing and accepting the social media provider’s terms of service?
• Does the policy specify whether only public information can be posted on social media websites?
Employees’ Personal Use of Social Media
• Does the policy specify what employees can and cannot do on a social network, such as sharing non-public or confidential information?
• Does the social media policy connect with other policies that might be affected by social media (including IT, Ethics, IP, Privacy, Anti-discrimination, harassment, etc.)?
• Does the policy clarify consequences?
Bottom Line
• Do NOT disclose confidential information
• Do NOT share information that may violate copyright laws
• Do show respect, honesty, and transparency during your social media activities
Auditing social media - risk awareness program
Develop the training curriculum:
• Establish the training program committee: marketing, legal, IT, HR
• Take into consideration the organization’s needs and resources when designing the training program: In house or e-learning? Mandatory or optional? Organization wide or particular department focused?
• Develop a curriculum tailored to the level of social media involvement of your company
• Update the curriculum regularly
Establish a social media facilitator:
• Responsible for the organization’s social media awareness program
• Conduct social media training with employees
• Develop and maintain awareness communications regarding social media policies and risks
• Provide consultation to employees with social media questions
• Consider the role of this facilitator in incident response processes
Auditing social media - risk awareness program (Cont’d)
ISACA recommends that any strategy to address the risks of social media usage should first focus on user behavior through the development of policies and a supporting training and awareness program that covers:
Personal use in the workplace
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations
Personal use outside the workplace
• Whether it is allowed
• The nondisclosure/posting of business-related content
• The discussion of workplace-related topics
• Inappropriate sites, content or conversations
Business use
• Whether it is allowed
• The process to gain approval for use
• The scope of topics or information permitted to flow through this channel
• Disallowed activities (installation of applications, playing games, etc.)
• The escalation process for customer issues
Auditing social media - control implementation
ISACA Business Model
Process/Data
• Have business processes that utilize social media been reviewed to determine that they are aligned with policies and standards of the enterprise?
• Are content control processes in place to determine that social communications intended to represent the company are approved before dissemination?
Technology
• Does IT have a strategy and the supporting capabilities to manage technical risks presented by social media?
• Do technical controls and processes adequately support social media policies and standards?
• Does the enterprise have an established process to address the risk of unauthorized/fraudulent use of its brand on social media sites?
People
• Has effective training been delivered to all users?
• Do users (including employees) receive regular awareness communications regarding policies and risks?
Source: ISACA, Social Media: Business Benefits and Security, Governance and Assurance Perspectives [Whitepaper].
Auditing social media – controls | people
Risks: Loss of Productivity; Identity theft; Social Engineering; HR Policy Violations
Control
Objective: Employees, contractors and customers are aware of their responsibilities relating to social media.
Activities:
• Establish user agreements for social media use
• Conduct awareness training to inform users of the risks involved in using social media websites
• Use content-filtering technology such as DLP (Data Loss Prevention)
• Limit access to social media sites
Responsible parties: HR, Information Security
Auditing social media – controls | process
Risks: Reputational Loss; Regulatory Compliance Risk (e.g. copyright, trademark infringement, and privacy issues); False Impression
Control
Objective: The enterprise brand is protected from negative publicity or regulation violation.
Activities:
• Establish policies to ensure legal-sensitive communications are tracked and archived
• Conduct awareness training to inform users of the risks involved in using social media websites
• Scan the Internet for misuse of the enterprise brand
Responsible parties: Legal, HR, Information Security
Auditing social media – controls | data
Risks: Unauthorized Disclosure; Improper Content; Intellectual Property leakage
Control
Objective: Enterprise information is protected from unauthorized access or leakage through/by social media.
Activities:
• Establish user agreements for social media sites
• Develop policies on the use of enterprise-wide intellectual property
• Ensure there is a capability to log all the communications
Responsible parties: Legal, HR, Information Security
* Please bear in mind that these risk-control mappings are presented to help illustrate the approach to evaluating your business involvement in social media practice. They are not designed to be a comprehensive listing of risks and control activities.
Auditing social media – controls | technology
Risks: Constraining network bandwidth; Virus/Worms via the social media sites; Data theft from mobile devices
Control
Objective: IT infrastructure supports the management of risks introduced by social media.
Activities:
• Install anti-virus applications on all systems including mobile devices
• Use content-filtering technology such as DLP
• Limit access to social media sites during business hours
Responsible parties: Information Security
Additional considerations
Cyber Threat Profile Analysis
• Perform a study on what organization-specific footprinting information is available on the Internet, and how it might be used to produce an exploit that targets the organization’s IT or industrial systems.
Suspicious Program Diagnostics
• Use available industry hash data sets and cyber intelligence to match against a generated inventory of system files, endeavoring to identify hidden exploits. Perform digital forensic analysis on suspect computers, including examining system memory.
Social Media Impact Survey
• A policy assessment is performed to assess how social media is being used within the organization.
Intranet Cyber Compromise Diagnostic
• Security event logs and infrastructure logs are analyzed to look for evidence of internal machines that may have been compromised and are attempting to communicate with miscreant-controlled devices on the Internet.
Anti-Phishing Capability Diagnostic
• Assess the organization’s anti-phishing program in order to help identify gaps and improvement opportunities. It includes looking at recent phishing incidents, intelligence services, and the organization’s incident handling procedures.
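The Intranet Cyber Compromise Diagnostic above is the one item on this slide that reduces to a concrete detection step. As an added example (not Deloitte’s code or tooling), the Python below matches outbound connections in constructed proxy log lines against a constructed indicator list of attacker-controlled destinations, reports which internal hosts contacted them, and checks whether those contacts are evenly spaced, the beaconing pattern typical of a compromised machine. The log format, indicator values, and host addresses are all assumptions.

```python
"""Added example, not from the Deloitte deck: a small version of the "Intranet Cyber
Compromise Diagnostic". Log format, indicators and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed indicators (placeholders, not real IoCs); 203.0.113.0/24 is a
# documentation range used here only to stand in for "miscreant controlled".
BAD_DOMAINS = {"c2.example-bad.test", "update.example-bad.test"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Assumed log line layout: "<ISO timestamp> <src ip> <dst host or ip> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
SAMPLE_LOGS = """\
2012-05-01T09:00:00 10.1.2.3 www.example.com 5120
2012-05-01T09:00:05 10.1.2.3 c2.example-bad.test 300
2012-05-01T09:02:00 10.1.9.8 203.0.113.77 12000
2012-05-01T09:03:00 10.1.9.9 www.example.com 800
2012-05-01T09:05:05 10.1.2.3 c2.example-bad.test 302
2012-05-01T09:10:05 10.1.2.3 c2.example-bad.test 299
"""

def is_bad_destination(dst):
    """True if dst is a listed domain or an IP inside a listed network."""
    if dst in BAD_DOMAINS:
        return True
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:          # a hostname that is not on the list
        return False
    return any(addr in net for net in BAD_NETWORKS)

def find_compromised_hosts(log_text):
    """Map each internal source host to its (timestamp, destination) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip malformed lines rather than crash
        ts, src, dst, _ = m.groups()
        try:
            if ipaddress.ip_address(src) not in INTERNAL_NET:
                continue        # only internal machines are of interest here
        except ValueError:
            continue
        if is_bad_destination(dst):
            hits[src].append((datetime.fromisoformat(ts), dst))
    return dict(hits)

def beacon_interval_seconds(events, tolerance=0.2):
    """Return the mean gap in seconds if a host's hits are evenly spaced
    (at least three, each gap within tolerance of the mean), else None."""
    times = sorted(t for t, _ in events)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
        return mean
    return None
```

Run over real proxy or firewall exports, the two functions give a first triage list: hosts with any indicator contact, and among them the ones whose timing looks automated rather than user-driven.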
Reference and Additional Resources
• “Web 2.0 reinvents corporate networking,” Gopal, Raj et al., Deloitte Consulting LLP
• “Market Intelligence and Content Curating,” Eric Openshaw, Deloitte & Touche LLP
• “Social Media Audit/Assurance Program,” ISACA
• “Social Media: Business Benefits and Security, Governance and Assurance Perspective,” ISACA
• “2012 Identity Fraud Report: Social Media and Mobile Forming the New Fraud Frontier,” Javelin Strategy & Research
• “Auditing Social Media: A Governance and Risk Guide,” Peter R. Scott and J. Mike Jacka
• “Security, Mobility, and Social Media: Minimizing Risk in the Era of Sharing,” Partha Mukherjee, Lawrence J. Bolick and Brian Cain
• “Securing the Clicks: Network Security in the Age of Social Media,” Gary Bahadur, Jason Inasi, and Alex de Carvalho
• “Sophos Security Threat Report – 2011,” Graham Cluley
• Cisco 2010 Annual Security Report
• “KOOBFACE – Inside a Crimeware Network,” Nart Villeneuve, Information Warfare Monitor
Contact info
Mike Wyatt
Director
Deloitte & Touche LLP
+1 512 771 [email protected]
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Member of Deloitte Touche Tohmatsu Limited