You can listen to the podcast of this interview here.
Richard Wood: Welcome to another edition of AITS Thought Radio. My name is Richard Wood and I am the publisher of the AITS newsletter and website.
Matt Kabik: I'm Matt Kabik, the humble editor of AITS.org.
Richard: Humble, indeed he is. The AITS newsletter currently goes out to more than 110,000 IT professionals around the globe, and if you are not a subscriber you should be. I advise you to visit us at AITS.org and sign up today. Speaking of today, joining us is McGraw-Hill author Gary Bahadur. He is the lead author of
Securing the Clicks: Network Security in the Age of Social Media. I must say this book should be a must read for every CIO of companies with a public face. I must also add that the book should probably be sold with a package of sedatives because you are going to have some sleepless nights after you read this book.
Matt: Right, I was actually just telling Richard here, after I read this book, I'm obviously not a CIO but I was nervous about everything I was doing, which is really a sign of the great quality of this book.
Richard: Gary, how are you this morning?
Gary Bahadur: Fantastic. I really appreciate you guys having me on and look forward to talking about some really scary social media things.
Richard: I was looking at some statistics online and that for every minute, for example, Facebook users share over 600,000 pieces of content and Twitter users send out over 100,000 tweets every minute and brands and organizations on Facebook receive something like 34,000 likes, and this is, again, every minute. Currently, we have, what, like 2.1 billion people on the planet that have some form of internet access and I'm afraid that not all of them have your company's best interest at heart. In the past, security meant protection from those rare or focused outside attacks or internal corruption but now with the rise of the individual through social media, it's not just hackers, but your own customers could turn on you. Would that be a correct statement?
Gary: Absolutely and you know how to define the attacker in the past. It was some guy sitting in a deep, dark basement trying to break into your company and steal something or other, but now who is the real attacker? Your customer is the attacker, your employees are your attackers, your partners are your attackers. Is it really fair to say they are attackers? They are just sharing an experience half the time. That risk is still there so who do you target to defend yourself against? It's pretty challenging.
Richard: I think that's interesting and that's something that I really picked out of your book was just that the attack isn't, like you said, it isn't an attack, it's more or less a customer who is going to be saying something negative and whether you address that or not. I have a question right off the bat from this point. Let's say your company doesn't have a social media presence, like you don't have an intern running your Twitter, you don't have somebody running your Facebook, should you still be concerned about your social media presence outside of your company?
Gary: You already have a social media presence, whether you know it or not, right? They are still talking about you whether you know it is going on. You have to and you are forced to build your internal processes, forced to build out however you are going to run your social presence, you've got to have someone do it. You can't bury your head in the sand, that's for sure.
Richard: Yes, absolutely. I think that's what strikes me the most is burying your head in the sand. So many companies are like, “Oh, we will just deal with social media by not having any”. You are already out there.
Matt: I like the example right at the beginning of the book, you have the example of the BP oil spill and the disaster there and the social disaster it became for the company. How much damage, although you can't measure it necessarily in true dollars and cents, that whole disaster and the way it was handled took down the president of BP Petroleum and affected the stock price and certainly the reputation of the company for decades to come.
Gary: It did and it is so funny that if you actually look up that fake BP Twitter account handle, it is still active so you've got to wonder did they attempt to even manage that Twitter stream?
Richard: Before we go any further, I want to make sure everyone understands what happened. Why don't you explain what happened with the fake Twitter?
Gary: Sure, sure. Take a quick step back there. Every company has a Twitter handle whether it's BP or BPPR, or what have you. Someone created a fake BP Twitter handle, and I believe it was BP marketing or some such and it seemed real but then they started tweeting some negative but yet funny tweets about the whole disaster during the disaster and the guy or girl, I don't know who set it up, actually had more followers than the actual BP company. That's pretty funny. It's still out there and they are still tweeting again.
Richard: It's still active?
Gary: Right, absolutely.
Richard: Look at that, we have a spoofing situation as well, that someone could actually co-opt your brand, essentially, and take it even further than BP was willing to go with that. With just a nominal amount of effort, an outside force was able to exceed BP's own internal efforts at social media.
Gary: Right and you have to defend it in the social sphere as you would if someone registered the name BP as corporation or someone started a website with BP in the website. They would normally defend the brand and send out BP letters and all that. You have to take those same tactics in the social media outlets and defend your brand wherever someone is mentioning it.
Richard: In line with that, specific to social networks, what are some of the dangers that are specific to social networks?
Gary: The newest, most prevalent danger is the ability to re-create, if you will, a company or a person. By that I mean if you're sharing all the things about yourself or your company, whether it's LinkedIn or Facebook. You are creating all this data and data is how we define ourselves these days. If I know everything about you, and let's take a person for example first, so you're posting to Facebook your name, the car that you own, your girlfriend's name and the high school you went to, aren't these all the same questions that a bank asks you to authenticate yourself with, everything except your Social Security number? You are creating this whole new way of data mining and the ability to create a whole new entity or fake a whole new entity based on all this data. That's one of the biggest macro problems of social media, the amount and all the sharing, as you say, of that data, every minute, all that data is out there now.
Richard: Right. We are speaking with Gary Bahadur, one of the authors of Securing the Clicks: Network Security in the Age of Social Media, published by McGraw-Hill and you can certainly find a link to Gary's book online at AITS.org at our modest little bookstore there. I think you will agree that this is a must read for every CIO and even an HR director, in fact. You've got fabulous examples throughout the entire book there. Could we talk a little bit about the steely reality, or let's talk about cyber stalking. I guess that's kind of on a par with what we were just talking about.
Matt: Right, cyber stalking, which is basically cyber bullying in a way, is generally seen as something that people in middle school, young adults experience, but you talk about corporate cyber stalking, which I wasn't aware of but after reading your book, makes perfect sense to me. What is it exactly and what kind of impact could it have on a CIO in a business?
Gary: It's really about tracking someone. If we look at the initial things of cyber bullying where this is evolving from is using information against you, either in a threatening way or stealing something from you. You evolve that into the corporate realm now. What are your competitors really looking for? They are looking for data about you, data about your staff and how to take advantage of that, steal accounts, damage your reputation. If you are in, say the restaurant business, Yelp is a great example of an easy way to destroy someone's reputation. You can start posting negative reviews about your competitor's restaurants: “Oh, I ate there and had terrible service. The food was bad.” Who knows who is behind that Yelp account? You look at say a bigger company now. Your staff is all on LinkedIn. All your sales guys are probably on LinkedIn, so I come and I start tracking your sales guys, what they are posting. Maybe they are doing a status update, “Hey, I'm having lunch with the VP of products at company ABC.” Well now I know that hey, this is a connection, a company ABC, maybe I can come in there, talk to him, talk him out of a contract, etc.
Richard: Wow, that is some backhanded… How legal is that right now to do?
Gary: If you're putting it out there, it's free bait at this point. I haven't stolen anything, you told me the information. He's going to say, “I opened my big mouth”.
Richard: That's the type of thing that can happen to any sized company despite whatever their public output is or what their public face is. You have a great example there also of the Domino's pizza fiasco back in 2001. Could you walk us through that real quick?
Gary: It's employees and we all know we can't really control employees all that well, employees of a Domino's, which is franchise owned, posted a video of really not so nice things of what they are doing at a Domino's and posted that video online. Now, that immediately goes viral showing employees are doing all these nasty things to food in a Domino's restaurant. Well that was a franchise employee, but it affects a big brand of Domino's. One of the problems with this scenario was the response and the response rate and time of the corporate. In social media you've got to be very quick to respond and do damage control or it can spin out of control pretty quickly. Now the problem Domino's had is they didn't immediately follow up, start taking ownership, responding and really managing the danger of that video going out there. If you can respond quickly and say, “Hey, we'll take care of it. We're so sorry” all these things quickly, you can head off what people are saying and change the conversation pretty quickly. That has happened so, so much in the past couple years where they don't respond quickly enough. Another great example is with Southwest when the director, Kevin Smith, was kicked off of a Southwest flight for being too fat. Some of us may have that problem but you don't want to be kicked off.
Richard: We're not going to talk about that problem at all; we are going to go on to something else. No, no, go ahead.
Gary: You go to Twitter and if you're a well-known personality and you start tweeting what happens, it goes viral, and Southwest did not respond quickly enough. Then the conversation goes out of control and you've lost it.
Richard: From a CIO's point of view, first of all, you have to plan for this or have an eventuality. You have to have a strategy to put in place should something like this occur. You have to make some advanced planning?
Gary: Sure. You are a CIO, I guarantee you've got a plan for say a power outage in your data center or you've got a plan for your building getting on fire and you have to go to a new building. This is the same thing. It is a scenario you have to model out. What happens if someone puts a video out there about us? What happens if an employee posts, say patient data under a Facebook page and we're in healthcare. They've just broken a couple laws right there. Let's do this disaster recovery planning is what it really is.
Richard: You have, I guess an acronym. It's just HUMOR, the HUMOR Matrix, is that correct?
Gary: Yeah, absolutely. It's a process right? Human resources where it all starts in social media, utilization of your resources, the monetization of social media and the amount of money you really have to put into your budgets now for social media. Operational, every step of your day is planned out, hopefully in companies, so let's plan what we need to do on a daily, weekly, monthly basis in social media to make sure we are on top of things. We are secure. Lastly, it all comes down to one thing, which is reputation management. These things come together and across multiple departments. Legal, HR, IT, operations, marketing, they all have to really have to play together very nicely to manage social media activities.
Richard: Let's run through an example. Let's say I already have a Twitter account set up in my company. I have somebody who manages that and we get something from somebody who is very reputable who has a lot of followers that is very negative about my company or maybe just an outright fallacy, what would it look like in a very condensed way? What would a typical response be that would be a good response to that, some sort of eventuality?
Gary: The first thing is well, how do you know someone said something about you, right? You've got to monitor the conversation. You've got to know, ‘hey, our name was just mentioned in these tweets.’ How do we know that, well, we've got some software tools in place. You have to start with the right monitoring tools. Once you see that, how do you respond? If it's an outright fallacy is there legal action that you may want to consider? That's the last step really. That gets so muddy.
Richard: Adds its own aspect of public relations to it.
Gary: Exactly. Once you gather up all the information, you see what other people are seeing and then you have to combat social media attacks really in a very positive manner because the negative attack against someone attacking you is never going to end up well. What do you put out there? How do you put it out there? How do you engage the customers listening to this tweet and responding to it? The follow-up is extremely important, but the content of your follow-up, you can't just say, ‘well look at this press release.’ No one is going to read a press release about something, so let's engage them over not just Twitter now because that's going to go into someone's Facebook page and it's going to go to their Google Plus account, etc. Let's track where we need to combat this attack and we could be very aggressive and start creating whole new social media channels in a positive way before it even gets there. A lot of it is really responding in a way that gives out more information and gives out better information.
Matt: You mentioned that with Domino's. One of the things they did right was they immediately admitted to the problem and addressed how they were going to deal with it.
Gary: They actually did take a little too much time on that. That was actually one of the things they could have done better is quickly and, yes, they owned it up right and that's a good thing. There is good and bad that people are learning still about how to address social media risk.
Richard: We are speaking with Gary Bahadur, one of the authors of Securing the Clicks: Network Security in the Age of Social Media, published by McGraw-Hill, and again, you can find a link to Gary's book online at AITS.org at our modest little bookstore there. I'd like to touch base with one more thing in our last little segment here today. That is related to the security crossover. How an insecure Facebook account might even affect your corporate security. For example, the use of passwords or hacking into one account leading to hacking of your internal accounts?
Gary: That's a great question. We can actually just look at a recent example of the LinkedIn attack. LinkedIn lost a, I can't remember the number of passwords, but a pretty good number. Then you saw other connected accounts being compromised as well and related stories to that because what do we do? Unfortunately, we have so many accounts now.
Richard: Right, how many passwords can we keep?
Gary: Exactly, so I'm pretty sure we all reuse a password now and then.
Matt: I have no idea what you mean.
Richard: That's right and I've never heard of this problem before.
Gary: It's never written about.
Richard: Never, close that drawer now.
Matt: Not on my hand every single day.
Gary: We do this and once you've cracked these passwords, I guess you look at some of these public stories about cracked passwords, they are still pretty typical things, 1111 password. Your name, things like that. People still use easy to guess passwords. Now you come across all these social sites and especially if you're in a corporate realm and somebody gets in say Facebook or your LinkedIn they can really learn a lot about you, about how your business is working, who you are connected to. One interesting thing about social media of value to it is trust, right? If me and you are friends on Facebook and LinkedIn, and then someone else comes in and I see they are in your network, I'm more likely to trust them and accept them or believe what they are telling me. Now, if you obviously take that to the negative side of how you look at the world, well if I gain access to an account and I send out some things about whatever, reputation attacks or nice things about one's reputation, I'm more likely to trust it, but I've compromised the account and I'm pushing out whatever content I want to your whole network who trusts you. Now that trust factor is broken.
Richard: Wow, wow.
Matt: I have experienced that myself on handling AITS' Twitter. I've seen when people that I follow have gotten hacked. Honestly, as an intelligent person, I know that eventually they regain control but there is always the thought in my mind of whether what I am looking at is actually what was intended to be posted or it is somebody else controlling that account.
Richard: Spoofing or anything like that. Again, we are speaking with Gary Bahadur, one of the authors of Securing the Clicks and we certainly want to encourage you to come out to the AITS.org and go to our little bookstore there and take a look at the book there, and hopefully order it. I think it is a must read and I think I'm going to go out and change all my passwords in about 15 minutes. Gary, it's sure been a pleasure speaking with you today and I would sure like to invite you to come on back and do another podcast with us at a little later time.
Gary: Thank you.
Richard: Thank you for joining us and I hope you will listen again here on AITS Thought Radio and be sure and visit us at the AITS website where you can find other great podcasts and more than 1,000 articles on the subject of IT best practices, IT governance management systems and more and all absolutely free. While you are there, make sure you sign up for our AITS daily newsletter. Until next time, this is Richard Wood.
Matt: This is Matt Kabik.
Richard: Thank you so much for listening.