Shawn Flaugher weighs whether the security industry should embrace social media, such as blogs and social networking tools. Fear not, he's no Luddite.
In the latest edition of Speaker Spotlight, Security Management spoke with Shawn Flaugher, who works in-house for Duke University & Health Systems, handling security consulting and design. Shawn’s background is a good mix of military, law enforcement, guard service management, investigations, and integration, which he says has all come into play while consulting. During our talk, Shawn discussed how the benefits of social media outweigh the cons for the security industry and how he is still continually shocked by how much personal information people put out on the Web.
Shawn, give us a quick recap of what your session topic is on?
It’s a panel discussion. I was invited because I wrote a seven-piece series on social media for the security industry and that’s the theme of the session. I will discuss considerations that the security industry has specific to social media and some of the benefits that can help the industry.
Is social media such as Twitter and Facebook inherently dangerous for security professionals, considering all the worms and malware infesting some Web sites?
Absolutely. And not just worms and malware, but the simple fact that within the industry historically everybody tends to play things close to the chest. They don’t want to show anybody what they’re doing or what’s going on. It’s the general rule of “need to know.” There have to be considerations for the technological vulnerabilities of social media because of viruses and problems like that. But you have to approach it so that you’re really taking into consideration privacy, operational security, and things of that nature.
What’s happening now is that security directors are starting to add social media into all their protocols. For instance, I work with the research industry and there are a lot of animal rights extremist threats that go on. What’s happening for a lot of security directors that face that kind of threat is whenever they get a new researcher or whenever they do their periodic security checks, they consider social media as part of their information security package. They talk about educating the people they serve about privacy, how to set accounts up correctly so they’re not letting their information out to the masses, and also best practices when you post pictures and other information, like “Do you have the address of your house showing?” “Do you have your license plate showing in that picture of your kid finding Easter eggs?”
Can you use social media to do counterintelligence? What I mean is, you spoke about animal rights activists. But these groups are good at research. I don’t think they need to really rely on Facebook to get the information they’re looking for. So do you let out a little information to determine where threats are coming from, like trying to elicit a threatening message from someone to put them on your radar?
It’s definitely possible. In the world of social media, he who claims a name first owns it forever. So a lot of these organizations and researchers have made it part of their protocol to register with these social media outlets to cut down on the possibility of impostors. At the same time, any security program that is really focusing on counterintelligence can use this as a way to let some information out that’s really harmless, but see who reacts to it and how.
What are the best practices to maximize the benefits of social media for security professionals yet minimize threats to themselves and the organization?
A lot of that has to do with making sure first and foremost that your organization has a policy and abides by it. A lot of big organizations have very stringent rules on Internet use, including social media and blogs. Specifically, you need to understand these mediums and how they can be set up to give information to the world, your region, or specific people. It can be very difficult, especially for people who haven’t grown up with a mouse in their hand, to know how to set these accounts up so that you are protecting information. You’re sharing information with the people you trust but protecting information you want to keep to yourself. The other thing is having best practices in place so that any information in your posting doesn’t violate your own privacy or personal safety, but then again knowing that releasing specific kinds of information can be an information security threat to your organization, not just for physical security but also trade secrets.
What egregious violations of common sense regarding social media have you seen in your position?
Much of what I do is related to a health system in a university. And when I really took note of things like Facebook, I was dealing with students and I could never fathom how these students were putting so much information on their Facebook page about where they live, what apartment they’re in, and what their schedule is. It was unbelievable to me. Even though it’s a medium that is filtered, anybody that had an e-mail address from an organization could join and get that information. It’s a stalker’s paradise.
I understand how blogs could be dangerous, but when you talk about blogs do you mean a company’s blog or an employee’s personal blog or both?
Most of it is their personal blogs. Organizations are getting hip to the idea that a great way to spread information and to communicate with their client base is through blogs. And so they sponsor somebody, usually from the company’s marketing department, to write a blog. But it’s the individual ones where information comes into play where you have engineers, designers, and other people with unique skill sets that are writing about what they are doing. They write about work that they’re in the middle of and what’s interesting to them. So if I’m a security director and I’m really interested in video analytics and I find three or four people on Twitter who are video analytic engineers, then I’m going to be very interested in the kind of information that they’ll talk about.
So you’re afraid employees will give away means and methods?
Exactly, that is the danger. You have to balance information that is useful and interesting with something that could cost your company money down the road or violate security.
How well do people like scientists and engineers understand that and protect that information?
I think it’s something that’s getting rapidly better. At first, it was a free-for-all. A lot of the stuff that you’d see online would shock the marketing director or shock the management folks because the people working on these things don’t even understand that they’re trade secrets. It was a unique, eye-opening experience to people because in one way, you had folks that were writing about what they were doing to the tune of secrets. But on the other hand, it exposed this vulnerability. It exposed the fact that a lot of the people that are using their specialized skills for a company don’t understand the security implications of what they’re doing. Not only might they be posting the information on a blog, they might be walking around with their laptop with all that information on it as well.
What policies do organizations need to put in place to not only make sure people aren’t going to post things such as trade secrets or sensitive information, but that they even catch it when it occurs?
On the front-end of this, you could adjust all your human resources agreements with employees—the do-not-compete agreements—and things like that to include some kind of verbiage about releasing information, whether it be malicious or not. You need to focus on reminding people that whatever the company’s policy is on blogs—some companies say it’s okay to do your own personal blog related to your field as long as you don’t violate trade secrets, other ones say no, “You can’t have a blog on this at all.” On the other hand, security directors and security departments need to include social networking and blogs in their list of things that they check, a list of things that they keep their eye on when it comes to intelligence.
How do you monitor something like a Facebook page? One, it has to take a lot of research and money. Two, when does it become a privacy concern? If I knew my employer was snooping around my Facebook page, I’d feel violated.
Exactly, and that gets out of the range of what I talk about. It’s a hot topic recently for numerous reasons—like people getting fired for posting that they’re playing hooky from work. I didn’t specifically write about that or include it in the session but it does fall under the classification where people who use social media really need to be aware of who can view this information and what their motives might be.
On a closing note, why do the pros of social networking outweigh the cons for security professionals?
The pros boil down to the different reasons people would use it. You’ve got marketing managers using social media to get the word out. There’s a good way to do that and a bad way to do that, so the security industry doesn’t vary too much from the rest of the world when it comes to marketing. A lot of the best practices are the same as far as not annoying people with information that is purely sales-related. You’ve got to provide value.
When it comes to using social media to communicate as a crime prevention method, if you’re a security department or a police department, you have to understand it’s getting to a point that the younger people are a lot less comfortable picking up a phone and talking to you than they are writing a text message or an e-mail. That’s something I’ve seen firsthand and talked with students about. Taking that into consideration, you should probably adjust your means of communicating with people so you can accept that kind of information. And it has to be a two-way street. I’ve seen the benefits come into play where a police department or a security agency is releasing crime alerts or crime advisories. That’s giving people useful information. However, if you bombard them with basic or trivial information every day, they’ll just tune you out.