
Social media risks for government

Growing use of social media presents the public sector with new cyber-security challenges.

While government use of social media has become mainstream, and the Civil Service here is formulating guidelines on its use by staff (see issue 54, page 120), new media bring new risks. Among the dangers for governments are identity theft (affecting employees and the public alike) and malware such as viruses and other harmful code, according to Dr Alan Oxley, an IT service management expert who has written on social media use by government.

As citizens put more and more personal information online, this data can be harvested from websites and compiled into a single, comprehensive portrait of a user, then used by cyber-criminals to commit identity fraud. Public sector managers need to consider keeping the amount of personally identifiable information online to the minimum necessary, states Oxley in his guide to mitigating risk in use of social media.

Rules of behaviour regarding social media should be specified, particularly about what information can and cannot be posted on these websites. A process for handling unauthorised or fraudulent postings is necessary. Citizens should be warned about the dangers of identity theft.

IT staff in public sector agencies and departments can further minimise risk by researching new ways to serve the public through social media without personal information being required.

Phishing, the acquisition of personal information by fraudulent means via social media (among other ways), also poses a risk. One example is the emails distributed following the hacking of LinkedIn accounts in June, when 6.5 million passwords were stolen and subsequently published online.

Additional security problems arise with social media phishing as messages are not subject to checks performed by email systems (though web browsers have phishing filters). Personalised messages are likely to pass through filter systems as they do not fit the typical pattern of ‘rogue communication’. To reduce risk, Oxley, who works at the Universiti Teknologi Petronas in Malaysia, advises that sections of a public body’s social media pages should be devoted to helping citizens verify whether an email seemingly sent by the body is authentic. The public should be regularly warned about fraudsters, and also what information should and should not be posted on social media.

In addition, staff should monitor social media behaviour to ensure usage policy is adhered to and caution users about divulging private information.

Since the advent of interactive websites, hackers have been able to install malware on a user’s computer in seemingly innocuous ways, often with users unaware that their machine is infected. By combining this with spoofing (websites mirroring trusted websites) or social engineering (fraudulent attempts to acquire personal information), hackers can bypass security software.

Security officials in the public sector should work with social media providers’ security teams to ensure that the roles and responsibilities of both parties are clear. Government organisations should be routinely made aware of any proposed configuration changes.

Managers should develop an acceptable use policy specifying the rules of social media behaviour. Sorting such products into four categories is also advised: those for use at work or at home; those to be used at work (behind the office firewall); those only to be used on certain office PCs (i.e. those with better security or isolated from the bulk of the office network); and those not to be used in any place.
