Security Essentials for CIOs: Navigating the risks and rewards of social media


Upload: david-jarvis

Post on 14-May-2015


Category: Technology



DESCRIPTION

Engaging in social media allows companies and their employees to access a global community of experts, innovators and potential clients. It also opens the door to new risks. Here are some best practices to build a risk-aware culture for the social world.

TRANSCRIPT

Page 1: Security Essentials for CIOs: Navigating the risks and rewards of social media

IBM Center for Applied Insights


Executive Series

Imagine an immense tradeshow floor filled with all of your clients. It’s also teeming with your most promising prospects, along with thousands of talented potential hires. There’s no better place for you to showcase your offerings, your smarts, and what sets you apart. Naturally, your rivals are there too, angling for clients, brainpower and ideas. So there’s plenty of competitive pressure to attend. But, regrettably, there’s a downside. Growing numbers of thieves, industrial spies and other ne’er-do-wells are circulating the same halls. As is so often the case, opportunity comes with its share of risk.

This non-stop global conference, of course, is social media. At IBM, we feel that these digital gatherings provide near limitless opportunity for our employees to make connections, exchange ideas, and innovate. For us, engaging in social media, inside and outside of the company, is a strategic imperative. So is security. We believe the solution is to create a risk-aware culture — one that acknowledges both the value and the risks associated with the digital world. It is important that we engage digitally in a smart and secure way.

Just a few years ago, many companies saw social computing as an outcropping on the periphery of their businesses. Since then, social networks have exploded, with hundreds of millions of people trading ideas and leads, from work, home and on the move. This growth has created enormous value, for everything from recruiting staff to customer service. In a recent Ponemon Institute survey, nearly 70 percent of global respondents said that social media is now very important for achieving their business objectives.1


Security Intelligence Executive Series

However, there is still a long way to go between seeing the value and actively engaging. In IBM’s latest CEO Survey of 1709 CEOs around the world, only 16 percent of them are currently participating in social business platforms to connect with customers. Within five years, that will likely grow to 57 percent.2 Outperformers in the survey were more likely to identify openness, often characterized by a greater use of social media, as a key influence on their organization.

This growth and attention has created new opportunities for thieves and hackers, and many enterprises are unsure what to do about it. In the Ponemon study, 63 percent of respondents said that social media puts their organization at risk and is a serious security threat. The risk is recognized, but only 29 percent admitted to having the necessary security controls to mitigate that threat. There is still a long way to go.

Because of this growth, in both opportunity and risk, we feel it’s important to share our ideas on how to help build a risk-aware culture for the social world.

Define your social agenda

The first step for every enterprise is to determine where it fits in the social sphere, and what it might gain from social media. Ideally, top executives from every division will meet to explore the possible benefits. Core questions include: Will participation boost brand awareness? Can it improve customer satisfaction? Could we use social media to drive collaboration or crowdsourcing for product innovation? Discussions must also extend to the costs of not engaging. Will the company be hamstrung in responding to public relations issues if it lacks a well-known Twitter account or Facebook page? Will it be at a disadvantage finding and communicating with good recruits if it doesn’t use social media?

Each enterprise will come up with its own answers. Some may conclude that certain functions, perhaps HR, Sales, and Marketing need to be active on social networks while other functions require a smaller presence or none at all.

Analyze the risks

The next step is an analysis of the risks inherent in each of these initiatives. ISACA has defined five primary social media risks for business.3 They range from the increased threat of viruses and malware to brand hijacking and lack of content control to changing customer expectations to increasing the chances of non-compliance.

One growing trend is for criminals to harvest personal information from social networks, and then to use it to craft personalized phishing attacks. If successful, these can deliver malware, which can quietly steal information, shut down vital operations, or even carry out sabotage.

There are not only external risks, but also risks from employees as well. What if company secrets are exposed via social media? What would happen to the firm’s reputation if negative photos of employees made their way onto Flickr? What to do if an ugly and false rumor goes viral on Twitter or if a colleague appears to be spilling details from yesterday’s meeting on Facebook?

These risks may be common across enterprises, but the way in which organizations respond will likely be unique to their corporate culture. The important element is to raise these early on in the process, and build appropriate response plans.

Create and communicate your policy

The third step of the process is crucial. It involves communicating the opportunities and risks of the digital world, and providing policies, awareness programs and tools to guide the entire work force. For this, ongoing education and guidance must be built into the fabric of the enterprise’s social media strategy.

At IBM, we began these efforts with our own Intranet. In 2005, IBMers were using an in-house social network known as Connections to exchange everything from algorithms to chili recipes. Then, external blogs and social networks began to take off, and IBM considered the opportunities and challenges of engaging far beyond the corporate firewall. Collaborating on a wiki, IBM employees drew up our Social Computing Guidelines. This initial effort was a starting point and we’ve been evolving it ever since.

Today, there are over 280,000 IBMers on LinkedIn, over 170,000 people on Facebook with IBM listed as their workplace, and an estimated 30,000 IBMers engaging on Twitter each month. Done the right way, social media can pay off both for individuals and the enterprise. By participating, our employees build what we call Digital Eminence, a reputation for sharing experience and ideas that can boost their professional persona as well as the company’s prestige, while drawing people and business to IBM.

Monitor security and measure progress

One word of warning: enterprises must be extremely careful to balance privacy issues and security when it comes to social media use. Gartner recently reported that by 2015, 60 percent of enterprises are expected to actively monitor employees’ social media use for potential security breaches.4 It’s important to maintain a secure environment, but companies should also consider doing so in a way that is sensitive to privacy and other concerns.

Once an enterprise delves into social media, it is useful to measure various efforts and to gauge their effectiveness. If human resource professionals are using social networks for recruiting, how do the talent pool and pipeline match up before and after? If developers are collaborating through social media, how much more quickly are products and services getting to market? With the development of new tools and constant flows of data, social media is an ongoing laboratory. The learning never ends.

Join the conversation

To read additional articles, learn more about Security Essentials for CIOs, or share your thoughts with other security leaders, join us at ibm.com/smarter/cai/security.

About the author

Kristin Lovejoy is Vice President of IT Risk, Office of the CIO, IBM. She can be contacted at [email protected].

About IBM Center for Applied Insights

The IBM Center for Applied Insights (ibm.com/smarter/cai/value) introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.

Social Computing Tips for Employees

Like many of today’s emerging technologies, social computing puts employees in the driver’s seat—essentially making them your brand ambassadors. You might want to consider the following tips as you empower your employees to effectively navigate the risks and reap the rewards of social platforms:

• Be authentic. Encourage employees to identify their employer in their profiles, but provide a disclaimer that their opinions remain their own.

• Think before posting. Content and context go hand-in-hand. Confidential or private information isn’t ever appropriate to share in a public context. For example, a tweet about a recently released whitepaper would be fine, but a tweet about confidential company financials would not be.

• Respect others’ rights. You should respect the rights of others, including their privacy and intellectual property rights.

• Be careful with connections. Your employees might receive connection requests from those who are hunting for private company information, so remind them that it’s good to be choosy when considering who to connect with.

• Read the fine print. Social networks have terms of use and privacy policies, and you and your employees should review these closely to confirm that you can live with those terms and policies. Also, social networks may change their terms and policies over time, so you should regularly check them for changes before connecting.

• Admit mistakes. Things move faster than ever in social media, and employee mistakes are likely to happen. A culture where employees are encouraged to admit and quickly correct mistakes can help to avoid any fallout from the inevitable social media faux pas.

1 Ponemon Institute, “Global Survey on Social Media Risks: Survey of IT & IT Security Practitioners”, September 2011

2 2012 IBM CEO Study, “Leading Through Connections”, http://www-935.ibm.com/services/us/en/c-suite/ceostudy2012/

3 ISACA, “Social Media: Business Benefits and Security, Governance and Assurance Perspectives”, June 2010, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Business-Benefits-and-Security-Governance-and-Assurance-Perspectives.aspx

4 “Gartner Predicts Huge Rise in Monitoring of Employees’ Social Media Use”, PC World, 29 May 2012, http://www.pcworld.com/businesscenter/article/256420/gartner_predicts_huge_rise_in_monitoring_of_employees_social_media_use.html


© Copyright IBM Corporation 2012

IBM Global Services Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America June 2012 All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

WGW03006USEN-00