Making Your Community Bank's Social Network Activities Secure

By: (CISA, CISSP, CRISC)

Publication: Independent Community Bankers of America , October 2010

Almost half of Americans have a Facebook or MySpace account, and the number rises to three-quarters for those ages 18 to 34. Facebook boasts a staggering 400 million active users, with half of them logging on in any given day. Unique visitors to Twitter increased 1,382 percent from 475,000 unique visitors in February 2008 to 7 million in February 2009.

These statistics are staggering. It is no wonder many marketing departments at community banks are creating business pages on various social networking sites. But what are the data security risks to community banks from these sites?

With the increase in popularity of social networking sites, cyberattacks are increasing. McAfee Labs' 2010 Threat Predictions report listed social networking threats in its top two , stating that "the explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously." In trends from Microsoft Security Intelligence reports across 2009, we see a noticeable increase in the percentage of phishing impressions each quarter originating from Social Networking sites; see Figure 1.

Figure 1

Trends in Phishing Reports Last Year

Trends in Phishing Reports Last Year

Source: Microsoft Security Intelligence Report, volumes 7 and 8

Because most social networking sites use your email address as your personal username, there's been an increase in integration with other sites using the email address as the unique identifier. For example, in the release of Outlook 2010, Microsoft added a feature called Social Connector. With Outlook Social Connector, you can extend popular social networks like Facebook, LinkedIn and MySpace with Outlook. Simply click on a contact's name or expand the Social Connector view (at the bottom of an email) to see its recent activities in social networks including photos, status updates, activity feeds and profile information (name, title, email address etc.).

Social Connector pulls this information by sending the email addresses in the "to" and "cc" lines of the message to the social networks you have designated. Similar add-ons have been recently released for other major email providers including Yahoo and Gmail.

This is a cool feature for personal use, but how does this affect your community bank? Let's say an officer uses his bank email address for his personal Facebook account. If the employee is posting questionable or offensive content on his Facebook page, your customers might see it when they receive bank emails from the employee. This is causing many banks to begin including statements in their Acceptable Use Policy restricting employees from using bank email addresses in connection with social networking sites.

Avoiding risk:

Treat social networking like any other risk or opportunity for your community bank. Start by conducting a formal risk assessment. From the risk assessment, define a plan and implement controls to mitigate the risks identified in the risk assessment. At a minimum the plan should include regular monitoring of social networking sites. A good tool to use for monitoring general Internet activity is Google Alerts (google.com/alerts). Google Alerts allows you to receive email updates when key words or phrases are discovered by Google search engines, including new websites, news, blogs etc.

Controls could consist of both managerial (through policies) and technical. Common controls might include...

  • limiting or restricting access to social networking sites on bank systems
  • limiting or restricting employees from using bank email addresses in connection with social networking sites
  • regularly monitoring these sites for spoofed sites or disparaging comments about the bank
  • training employees on the security concerns related to these sites, particularly phishing attacks
  • restricting employees from using the same passwords for personal sites (including social networking sites) as they do for bank passwords

Whatever social media security precautions your bank decides to adopt, ensure that management decisions are rolled into the Acceptable Use Policy signed by all bank employees.