OPINION: Believe it or not, people can be stupid and lazy. Even your employees. You don't want to be a jerk about it, but the potential for compromise of your company's data and interests is great enough that you have a good case for blocking and/or monitoring use of social networking sites.
I used to scoff at social networks, but lately I find myself blowing time on Facebook and even Twitter. I'm self-employed so it's only my own time I'm wasting, but what about your company? Many companies are doing something about social networking and probably more should be doing something about it. They're an issue (I didn't say problem, but there's a case for the word) both from the productivity and security

A friend of mine was distressed recently to find that her own company was blocking Facebook, both in the office and on the VPN. I wasn't sympathetic to her distress over this; they're not paying their employees to take those stupid quizzes all day. Their real motivation, or so they said in the memo they sent out, was that Facebook was actually consuming almost half of the Internet bandwidth consumed by the company. It's a bad enough problem but what it really shows is a
Goofing off is as old as work itself, but the more interesting problem with social networking is the potential for confidential data loss. Rapid-fire and almost competitive communications with outsiders drive many users of social networking services to spill more data than they should. Nobody's going to accidentally divulge 50 credit card numbers, the classic example of the sort of data looked for by DLP (Data Loss Prevention) products. But they do say stupid things.

looks at the problem of "citizen journalism." Everyone feels they can tell the world what's going on these days. Not everyone is a lawyer or has even the common sense to know when they're violating a confidence.

Take the example of the jurors who used Twitter and Facebook, in at least one case on their cell phone, to post messages about cases on which they were sitting

"I just gave away TWELVE MILLION DOLLARS of somebody else's money" tweeted one such dope. Another posted status messages about the corruption trial of former Pennsylvania state Senator Vincent Fumo on Twitter and their Facebook page: "Stay tuned for a big announcement on
In another case, a New York City police officer wrote about his mood on his MySpace page
This called his judgment into question in a trial the next day in which he testified, and the defendant won. Did the defendant win because Officer Ettienne called his own mood the day before "Devious"? It didn't help.

I've been on a jury and, while they didn't say anything specific about Twitter, I would take the admonition against discussing the case with anyone else as a clear instruction not to blab about it online. I don't know why, but a lot of people seem to lose basic values of judgment when they are on these systems, like the people who go on Jerry Springer and shows like that and air their dirty laundry before
As their employer you need to be concerned that some of what they're discussing is confidential company material, perhaps private data of third parties, and we may be at the stage where you need to do something to stop it. If you don't, you may find yourself being accused in the legal system some day of failing to take reasonable measures to protect data. How would you react if one of your people tweeted "Really close to closing the big deal!"? That alone could compromise

So what are you going to do? I know it sounds stuffy and punitive, but first of all I'm with my friend's employer: Facebook and similar services have no place on your company computers. It's bad enough that they expand, however minutely, the attack surface for malware, but they also waste time and bandwidth. Me, I would cut them off.
For some companies this is both draconian and throwing out the baby with the bath water. Many businesses use these services for their own purposes, after all. Most of my own followers on Twitter are PR people, and sadly the same is true of my "friends" on Facebook :(. How do you allow for legitimate use of social networking services while blocking improper use of them? DLP (also known, amusingly, as "extrusion prevention systems") is one way to go, assuming you can write logical rules. I'm always skeptical of how good the rules in such systems can be without incurring numerous false positives. Fidelis has been marketing their XPS systems as being specifically tailored to performing DLP on social networking systems. If you're going to allow them, then monitor their use so that you know how much they are being used. Just because you know that employees are using these systems is not a direct reason to cut them off; it's just when they're using them too much.
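To make the rule-quality point concrete, here is a small Python DLP-style check that I have added for illustration; it is not code from this column and has nothing to do with the Fidelis product. It scans outbound posts with two kinds of rule: a pattern rule for card numbers, which uses the Luhn checksum to discard strings that merely look like card numbers, and a keyword rule for phrases that hint at confidential business. The phrase list, the sample posts and the `Finding` class are constructed for this example. Running it with and without the Luhn check shows why a naive "13 to 19 digits" rule is the kind that drowns an analyst in false positives.

```python
"""Toy DLP rule check for outbound posts (added example, not from the column)."""
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed keyword rule: phrases that may signal confidential business or
# case information. Keyword rules are cheap to write and noisy in practice.
CONFIDENTIAL_PHRASES = ("big deal", "acquisition", "term sheet", "the jury", "the verdict")

# Constructed sample posts, not real messages.
SAMPLE_POSTS = [
    "Really close to closing the big deal!",
    "Customer card 4111 1111 1111 1111 for the refund, will sort it tomorrow",
    "Order tracking number 1234 5678 9012 3456 finally arrived",
    "Long day in the box, the jury wants to wrap up by Friday",
    "Lunch was great, back to spreadsheets",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    over 9); the total must be divisible by 10. Most random digit strings fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str      # which rule fired
    excerpt: str   # the matched text


def scan_post(text: str, require_luhn: bool = True) -> list[Finding]:
    """Return every rule hit for one post. With require_luhn=False the card rule
    degrades to a bare digit-count pattern, which is how false positives arise."""
    findings: list[Finding] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if require_luhn and not luhn_valid(digits):
            continue  # looks like a card number, fails the checksum: ignore
        findings.append(Finding("card-number", m.group()))
    lowered = text.lower()
    for phrase in CONFIDENTIAL_PHRASES:
        if phrase in lowered:
            findings.append(Finding("confidential-phrase", phrase))
    return findings


def summarize(posts: list[str], require_luhn: bool = True) -> dict[str, int]:
    """Count hits per rule across a batch of posts."""
    counts: dict[str, int] = {}
    for post in posts:
        for f in scan_post(post, require_luhn):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    print("with Luhn check:   ", summarize(SAMPLE_POSTS, require_luhn=True))
    print("without Luhn check:", summarize(SAMPLE_POSTS, require_luhn=False))
    for post in SAMPLE_POSTS:
        for f in scan_post(post):
            print(f"  [{f.rule}] {f.excerpt!r} in {post!r}")
```

On the constructed sample the Luhn check drops the tracking number that the digit pattern alone would flag, while the phrase rule still fires on "the jury" in an innocuous post; that is the trade-off the column is skeptical about, and it is why a keyword rule is better used to route a post for review than to block it outright.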
You also need to have clear and stern policies about employees revealing company information outside of proper channels. Jury instructions should also probably be updated to make specific mention of some of the new technologies that people use so casually they don't even think about them. It may be a shocking concept, but assume people are stupid; maybe they think that writing on someone's Facebook Wall isn't actually "discussing the case" with them. Don't just assume that some form you made them sign at their orientation meeting covers stuff, although it may from a legal standpoint; spell it out to them with examples like the ones I've given.

It sucks that companies need to act like the secret police, but to a degree the law has put you in that position by making you responsible for safeguarding data. If your employees know that and that you take the obligation seriously then maybe they'll take their own responsibilities seriously, too.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.