Is data loss prevention ready for social media?

A recent YouTube video involving a pizza company, where employees were shown mishandling the food, made us wonder whether data loss prevention (DLP) tools can be used to prevent incidents in the external social media and collaboration space.

According to KPMG data on the emerging social media space, usage of social media technologies is on the rise, with over 52% of users using at least one of the technologies, such as blogs or Facebook, on a daily basis. Couple this with an IREC poll that shows a high rate of DLP adoption or planned adoption in organizations, and it would appear that information risk organizations are well poised to take advantage of DLP to enforce policies and prevent incidents related to brand risk or unintentional data leakage on social media sites.

DLP Adoption Rates

However, a look under the hood shows that numerous challenges continue to prevent adoption of DLP in enforcing social media policies:

1) Companies have deployed DLP to monitor and log rather than block. To prevent social media incidents, the DLP would have to be set up to block traffic.
2) In most security organizations, social media is not considered a major loss channel after email. In our conversations with CISOs, the majority have prioritized USB and other types of data-at-rest loss prevention as a threat with higher likelihood and loss potential than social media. They have mostly dealt with social media by blocking it completely.
3) The majority of organizations have deployed DLP only on email. The web channel is harder because of the latency caused by monitoring activities.
4) Companies have found it harder to deploy context-sensitive DLP, as that approach produces more false positives.

DLP Deployment Approach

In fact, an IREC peer poll of 25 member companies conducted in February 2009 bears this out. Only a small percentage of the installed DLP base can take advantage of DLP for social media policy enforcement.

So what should information risk organizations do? From a prevention perspective, develop a policy or an addendum to the AUP that explicitly addresses external social media, and educate end users about the potential damage to the organization's brand from social media incidents. In addition, this is a good time to work with sales and marketing. Research from our Marketing Leadership Council program shows a rise in usage of these technologies by the marketing function. Use this opportunity both to train the function and to partner with it on an incident response plan for social media incidents.
