Over the past few months I’ve been keeping a fairly close eye on the evolution of social networks and the security and privacy impacts they have not only on the individuals participating, but also on the businesses that allow their personnel to use the sites from the company’s network. Or, what is more often the case, the large amount of employees using the sites from the company network during work hours unbeknownst to their bosses.
Organizations need to think about the threats, risks and resulting potential negative impacts of their employees using social networking sites from the network, then establish reasonable and effective policies, procedures and implement technologies to mitigate those risks.
Simply prohibiting all such access may sound like the simplest solution for many organizations, but before prohibiting all access, organizations need to think about how this would impact their personnel: employees’ viewpoints about work and their motivations for wanting to help protect the company, customers and information assets. Even sites originally created to make business connections, such as LinkedIn, Spoke and Xing, are adding more functionality that makes them more and more like social networking sites.
Organizations need to establish policies that will be acceptable to personnel while at the same time being reasonable and positive for the business. For them to be effective these policies and procedures will then need to be communicated using ongoing and effective awareness communications to personnel.
In the past few months it seems like every day I find a news report of one type or another about employee use of social networking sites from work.
Yesterday Barracuda Networks released some interesting statistics about this topic.
50% of Barracuda’s customers are blocking MySpace or Facebook. It is interesting that 44% are blocking MySpace and a much lower number, 26%, are blocking Facebook. However, those numbers are on the rise.
Why are organizations blocking access to social networking sites? From what the companies I’ve spoken to have told me, the primary reason is that business leaders do not want to pay their employees to spend hours of time on the sites socializing. They don’t want to be paying them for “goofing off.”
However, beyond the time-wasting factor, organizations also need to be aware of the information security and privacy risks to the business. There are many.
Here are just a few:
· Others on the social networking site may be using social engineering schemes and malicious code through the many peer-to-peer (P2P) communications these sites use. Even if you have software in place to prevent malicious code from damaging your network, this security software may not prevent attacks or damage that can occur through P2P communications, such as instant messaging (IM), file sharing (such as Gnutella) or voice capabilities (voice over IP, or VoIP).
· It is easy for other malicious software, such as keyloggers and screenscrapers, to be loaded on your employees’ workstations while they are communicating with others on social networking sites. These malicious programs are able to record their every keystroke or use other methods to secretly steal sensitive corporate or customer information.
· Employees may discuss your business, co-workers, or customers on social networking sites. This puts them, your business and customers at risk. For example, an employee may unknowingly put your company or coworkers at risk by making a joke about them that others read as being a fact, or unknowingly expose someone’s personally identifiable information (PII). The reports of this type of activity happening are increasing.
How social networks impact individuals, families and friends, and businesses was the subject of my October 2007 issue of “Protecting Information.”
Within this issue I provide more information about the information security and privacy risks of social networking sites to not only businesses, but also to individuals and their families and friends.
I welcome your thoughts!
Tags: awareness and training, Barracuda Networks, facebook, Information Security, IT compliance, MySpace, policies and procedures, privacy, privacy training, risk management, security training, social networking