Tech in Depth: The pros of social networking outweigh the security cons, but the risks to corporate image and data are still significant. Keep employees safe while they make use of these valuable collaboration tools.
Everyone knows the biggest thing on the Internet these days
is social networking. Businesses and individuals use Twitter, Facebook,
MySpace, Digg and Delicious, just to name a few, to build and maintain
relationships. The question is, with whom? Friends, colleagues and customers? Or
criminals?
At the core of the issue are two factors: user identity and
user-contributed content. Did you know that Jessica Biel is everyone's friend
on Facebook? Or at least someone claiming to be Jessica Biel is: she's the most counterfeited
celebrity on the Web. How many of your users would be ecstatic to become Biel's
friend, only to find out the links on her page lead to malware sites pushing
drive-by downloads?
For some strange reason, users seem to think they're
completely safe online. How many times have you heard someone say, "It
must be true. I read it on the Internet"? Let's face it, there's a sucker
born every minute. Three hundred and fifty million of them use Facebook. Social
networks provide a plethora of information as well as a rich environment for
attackers. It is all too easy to write a Facebook application that pushes
malware onto a user's computer, and I get direct messages from malware bots on
Twitter on a daily basis.
There are also legal risks as well as threats to company and
employee reputation. It's very easy to be frustrated at work and hop on Twitter
to complain. An excited salesperson has a good meeting with a prospect and tweets
about it, and the competition reads the tweet and moves in to undersell. Or
maybe an employee leaves a meeting with hot insider news and can't wait to
update his Facebook status with it. What do you do if an office argument goes
public with employees railing against each other over Twitter? And how about
when Joe in accounting Facebooks those photos of your CEO in a
Speedo smoking pot, drinking beer and womanizing at the last corporate retreat?
This scares information managers to death. And with good
reason. It was not very reassuring when Mark Zuckerberg, founder of Facebook,
declared that "the age of privacy is over." Does a better way of
ensuring that companies ban Facebook even exist?
Given these threats, some IT departments have decided to
block social networking sites completely. In my opinion, this is an immature
knee-jerk response and the more appropriate choice is to train users on proper
usage and then enforce those policies. Banning social networking tools is sort
of like saying because Chris Henry of the Cincinnati Bengals died in a pick-up
truck accident we should outlaw all pick-up trucks. Seems sort of silly, doesn't
it?
According to Forrester Research, business use of social
media doubled from 11 to 22 percent between 2008 and 2009. There are many
business benefits to using social networks. Davis Janowski of Investment News summed
up how financial advisers are using social networks in an article on April 26, 2009: "to
attract clients, to develop relationship with [business partners] ... and also
to display their expertise." Many companies are turning to Twitter to
provide customer support. I even have a great story about Iams responding to my
cat food concerns immediately via Twitter. Incidentally, I have an equally
negative story about Travelocity's half-hearted attempt at addressing my
complaints about their excessive hold times.
And it's not just the ability to interact via social
networking sites. Perhaps the greater advantage to business is the ability to
mine others' interactions via social
networking. What company doesn't want to know how its brand is perceived?
However, in Forrester's January 2010 report, "Twelve
Recommendations for Your 2010 Information Security Strategy," analyst
Khalid Kark suggests that businesses "address risks associated with social
media," particularly "less control over corporate data." One
reason that IT departments are struggling to address the security risks
presented by social networking is that there is no purely technical solution.
This means that the traditional approach to security of throwing money at a
bunch of point solutions isn't going to work. A combination of technology and
administrative controls is needed, as is the most dreaded of IT tasks: end-user
education.
At the heart of IT departments' concern is the fact that social networking
can expose intellectual property, inside secrets and procedures to the public,
and, worse, to competitors.
Matthew D. Sarrel, CISSP, is a network security, product development, and technical marketing consultant based in New York City. He is also a game reviewer and technical writer. To read his opinions on games, please browse http://games.mattsarrel.com and for more general information on Matt, please see http://www.mattsarrel.com.