Well, if you look at the results of my very unscientific poll from last week, it appears there is a very wide range of opinions about the use of social networking sites at work.
To jog your memory, the question was: “Has your organization ever fired someone for using social networking sites while at work?”
And the results:
* 11%: Yes, and I agree they should have
* 0%: Yes, but I think it was wrong
* 22%: No, but I think there are some people who should have been
* 33%: No, and I don’t think employees should ever be fired for using these sites
* 33%: I don’t know
I don’t think many organizations are actually addressing this issue yet. However, the risks need to be considered now by those responsible for information security and privacy; there seem to be more every day.
“‘Storm’ Trojan horse taps into YouTube fever: Hackers have changed their tactics again”
“Storm, a.k.a. Peacomm and Nuwar, is now spreading via e-mail that includes a link that appears to be to a YouTube video, said Johannes Ullrich, chief research officer at the SANS Institute, on the Internet Storm Center’s blog this weekend. “The link looks like a link to YouTube, but actually points to a ‘numeric’ URL like old Storm variants,” said Ullrich.”
Yes, this is a form of phishing exploit. However, if going to YouTube is permitted within your organization, it is likely many of the folks on your network will click on the link. Another good topic for some awareness communications.
“Facebook Gets Personal With Ad Targeting Plan”
“Next year, Facebook hopes to expand on the service, one person says, using algorithms to learn how receptive a person might be to an ad based on readily available information about activities and interests of not just a user but also his friends — even if the user hasn’t explicitly expressed interest in a given topic. Facebook could then target ads accordingly.”
Exploring the privacy issues alone could fill a book. Not to mention all the data leaking from your corporate network onto these sites…imagine your customers’ personally identifiable information (PII) being unknowingly used to inundate them with ads…or worse.
I believe companies *CAN* allow their network users access to social networking sites, but first they must *LAY THE GROUNDWORK*! Establish policies, implement defenses, and very importantly provide training and ongoing awareness about the associated threats.
Tags: awareness and training, facebook, Information Security, IT compliance, MySpace, personally identifiable information, PII, policies and procedures, privacy, risk management, social networking, YouTube