Andrea DiMaio

A member of the Gartner Blog Network

Government, Social Networks and Security Risks

by Andrea Di Maio  |  August 11, 2009  |  5 Comments

Twitter’s outage last week, allegedly due to a Denial of Service attack that also affected other sites (including Facebook), raised very valid questions about whether government agencies using these web 2.0 tools are exposed to greater risks than those that do not.

I am no security expert, but it seems to me that there are three main types of risk:

  1. Malicious software that may be downloaded through any of these sites when users click on links (or through emails that appear to be coming from these sites, but do not).
  2. Unavailability of those sites when they are needed, which is what was experienced through the DoS attack.
  3. Data posted on those sites may unintentionally reveal information that may negatively affect government operations.

The first type of risk can only be addressed by strengthening network security. I do not believe social networks pose greater risks than any other external web site. The challenge for government organizations is to deploy security tools, apply security policies and constantly monitor emerging threats. I suspect that organizations that are good at Internet security will be good at facing risks from social networks too.

The second type of risk suggests that government organizations should not exclusively rely on a very limited set of external social networks for any mission-critical activity. Challenges here include (1) building an inventory of what external social networks are being used for which mission-critical tasks and (2) developing a risk-reduction strategy based on a combination of alternative external and internal (i.e. government-controlled) social networking mechanisms. At the present stage, for organizations that have not banned the use of external networks (hence no special permission must be granted to use external networks), even developing a sufficiently complete inventory may be quite a difficult task.

The third type of risk is almost inevitable. In fact, even if there is no deviation from the prescribed code of conduct, employees may reveal, via a combination of personal and professional information, patterns that may make the organization vulnerable. One approach to contain this would be to make sure that employees always create a professional profile that is separate from the personal one. On the other hand, this may severely constrain their ability to actively engage with various stakeholders (see previous post).

It seems to me that while most discussions around security risks in social networks revolve around the first two categories, the third one will turn out to be the toughest to address.


5 responses so far ↓

  • 1 Prasanna   August 11, 2009 at 3:34 pm

    As I was reading through the different risks, I was already thinking about how you were going to summarize the post. And it was not far off from what I thought. People!

  • 2 Twitter Outage, Social Networks and Security Risks | Canadian Security Connection   August 11, 2009 at 6:02 pm

    [...] here to read her suggestions on how to address these risks. Share/Save/Email this post Categories: [...]

  • 3 Listing the Downsides of Government 2.0: Any Hints?   August 16, 2009 at 5:17 am

    [...] Security (expanding on what I wrote earlier) [...]

  • 4 pisola - links for 2009-08-22   August 22, 2009 at 3:21 am

    [...] Government, Social Networks and Security Risks – “Twitter’s outage last week, allegedly due to a Denial of Service attack that affected also other sites (including Facebook), raised very valid questions about whether government agencies using these web 2.0 tools are exposed to greater risks than those that do not.” [...]

  • 5 Government, Social Networks and Security Risks   September 24, 2009 at 7:15 pm

    [...] The first type of risk can only be addressed by strengthening network security . I do not believe social networks pose greater risks than any other external web site. The challenge for government organizations is to deploy security tools …More [...]