Making Your Community Bank's Social Network Activities Secure
By Russ Horn, CISA, CISSP, Chief Operations Officer
CoNetrix Security and Compliance Consultant
This article was published in October 2010 by the Independent Community Bankers of America
Almost half of Americans have a Facebook or MySpace account,
and the number rises to three-quarters for those ages 18 to 34. Facebook boasts
a staggering 400 million active users, with half of them logging on in any given
day. Unique visitors to Twitter increased 1,382 percent from 475,000 unique visitors
in February 2008 to 7 million in February 2009.
Numbers like these explain why marketing departments at many community
banks are creating business pages on social networking sites. But what data
security risks do these sites pose to a community bank?
As social networking sites have grown in popularity, attacks that exploit them have grown with them.
McAfee Labs' 2010 Threat Predictions report listed social networking threats among
its top two, stating that "the explosion of applications on Facebook and other
services will be an ideal vector for cybercriminals, who will take advantage of
friends trusting friends to click links they might otherwise treat cautiously."
Microsoft's Security Intelligence Reports for 2009 show the share of phishing
impressions involving social networking sites rising quarter over quarter; see Figure 1.
Figure 1: Trends in Phishing Reports Last Year (chart not reproduced here)
Source: Microsoft Security Intelligence Report, volumes 7 and 8
Because most social networking sites use your e-mail address as your username,
other products increasingly integrate with them using the e-mail address as the
unique identifier. For example, Outlook 2010 added a feature called the Outlook
Social Connector, which connects Outlook to popular social networks such as
Facebook, LinkedIn and MySpace. Click on a contact's name, or expand the Social
Connector view at the bottom of an e-mail, and you see that person's recent social
network activity: photos, status updates, activity feeds and profile information
(name, title, e-mail address and so on).
Social Connector obtains this information by sending the e-mail addresses in the "to"
and "cc" lines of the message to the social networks you have designated. In other
words, every recipient address on a message you open is transmitted to a third party,
which is itself a data-handling consideration for a bank. Similar add-ons have recently
been released for other major e-mail providers, including Yahoo and Gmail.
This is a convenient feature for personal use, but how does it affect your community
bank? Suppose an officer uses his bank e-mail address for his personal Facebook
account. If he posts questionable or offensive content on his Facebook page, any
customer with such a connector installed may see that content displayed alongside
the bank e-mails he sends. For this reason many banks are adding statements to
their Acceptable Use Policy that prohibit employees from using bank e-mail addresses
in connection with social networking sites.
Avoiding risk:
Treat social networking like any other risk or opportunity for your community bank.
Start by conducting a formal risk assessment, then define a plan and implement
controls to mitigate the risks it identifies. At a minimum the plan should include
regular monitoring of social networking sites. A good tool for monitoring general
Internet activity is Google Alerts (google.com/alerts), which sends you e-mail
updates when Google indexes new pages, news items, blog posts and so on that
contain the key words or phrases you specify, such as the bank's name.
Controls can be managerial (implemented through policy) or technical. Common
controls include:
- limiting or blocking access to social networking sites from bank systems
- limiting or prohibiting the use of bank e-mail addresses in connection with social networking sites
- regularly monitoring these sites for pages that impersonate the bank (spoofed pages) and for disparaging comments about the bank
- training employees on the security concerns related to these sites, particularly phishing attacks
- prohibiting employees from reusing their bank passwords on personal sites, including social networking sites
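One technical control behind the "monitor for spoofed pages" item is to check newly observed domain names (from a certificate transparency feed, a new-registration feed, or Google Alerts hits) against look-alike variants of the bank's own domain. The script below is an added example and is not part of the original article or of any product named in it; the bank domain firstbank.com and the list of observed domains are constructed for illustration, and the substitution and affix lists are assumptions about what phishers commonly use rather than an exhaustive catalogue.

```python
# Added example: flag newly observed domain names that look like a bank's own
# domain. The bank domain "firstbank.com" and the OBSERVED list are constructed
# for illustration; in practice OBSERVED would come from a certificate
# transparency feed, a new-domain registration feed, or Google Alerts hits.

# Character substitutions commonly abused in look-alike domains (assumed list)
SUBSTITUTIONS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"],
}

# Words phishers commonly prepend or append to a brand name (assumed list)
AFFIXES = ("secure", "login", "online", "banking", "verify")

# Top-level domains to pair with every label variant
TLDS = ("com", "net", "org", "info", "biz")


def label_variants(label):
    """Return typo and homoglyph variants of a single DNS label (no TLD)."""
    out = set()
    for i in range(len(label)):                      # omitted character
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # doubled character
        out.add(label[:i] + label[i] * 2 + label[i + 1:])
    for i in range(1, len(label)):                   # inserted hyphen
        out.add(label[:i] + "-" + label[i:])
    for src, repls in SUBSTITUTIONS.items():         # homoglyph substitution
        start = 0
        while (idx := label.find(src, start)) != -1:
            for r in repls:
                out.add(label[:idx] + r + label[idx + len(src):])
            start = idx + 1
    for affix in AFFIXES:                            # brand plus a lure word
        out.update({affix + label, label + affix,
                    affix + "-" + label, label + "-" + affix})
    out.discard(label)
    return out


def lookalike_domains(bank_domain):
    """Full set of look-alike domains for bank_domain across common TLDs."""
    label, _, tld = bank_domain.lower().partition(".")
    tlds = set(TLDS) | {tld}
    domains = {f"{v}.{t}" for v in label_variants(label) for t in tlds}
    domains |= {f"{label}.{t}" for t in tlds if t != tld}  # same name, other TLD
    return domains


def flag_lookalikes(observed, bank_domain):
    """Return (domain, reason) pairs for observed names that impersonate the bank."""
    bank_domain = bank_domain.lower()
    label = bank_domain.split(".")[0]
    variants = lookalike_domains(bank_domain)
    hits = []
    for name in observed:
        name = name.lower().rstrip(".")
        if name == bank_domain:
            continue                                  # the bank's own domain
        if name in variants:
            hits.append((name, "generated look-alike variant"))
        elif label in name:
            hits.append((name, "contains brand name"))  # catch-all, review manually
    return hits


# Constructed sample of newly observed domains (not real registrations)
OBSERVED = [
    "firstbank.com",              # the bank itself, must not be flagged
    "flrstbank.com",              # homoglyph: i -> l
    "firstbnak.com",              # transposed characters
    "firstbank-secure.net",       # brand plus lure word
    "firstbank.info",             # same name, different TLD
    "firstbankverify-login.com",  # not a generated variant, but contains brand
    "example.org",                # unrelated
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(OBSERVED, "firstbank.com"):
        print(f"{domain:30} {reason}")
```

The generated-variant match is precise enough to act on automatically (for example, by opening a takedown request or adding the domain to a mail filter), while the "contains brand name" catch-all will also match legitimate partners and should be reviewed by a person before any action is taken.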
Whatever social media security precautions your bank decides to adopt, ensure that
management decisions are rolled into the Acceptable Use Policy signed by all bank
employees.