Social Networks Can Be a Social Disease for Your Business

OPINION: Believe it or not, people can be stupid and lazy. Even your employees. You don't want to be a jerk about it, but the potential for compromise of your company's data and interests is great enough that you have a good case for blocking and/or monitoring use of social networking sites.

I used to scoff at social networks, but lately I find myself blowing time on Facebook and even Twitter. I'm self-employed so it's only my own time I'm wasting, but what about your company? Many companies are doing something about social networking and probably more should be doing something about it. They're an issue (I didn't say problem, but there's a case for the word) both from the productivity and security standpoints.

A friend of mine was distressed recently to find that her own company was blocking Facebook, both in the office and on the VPN. I wasn't sympathetic to her distress over this; they're not paying their employees to take those stupid quizzes all day. Their real motivation, or so they said in the memo they sent out, was that Facebook was actually consuming almost half of the Internet bandwidth consumed by the company. It's a bad enough problem but what it really shows is a productivity problem.

Goofing off is as old as work itself, but the more interesting problem with social networking is the potential for confidential data loss. Rapid-fire and almost competitive communications with outsiders drives many users of social networking services to spill more data than they should. Nobody's going to accidentally divulge 50 credit card numbers, the classic example of the sort of data looked for by DLP (Data Loss Prevention) products. But they do say stupid things.

This article looks at the problem of "citizen journalism." Everyone feels they can tell the world what's going on these days. Not everyone is a lawyer or has even the common sense to know when they're violating a confidence. Take the example of the jurors who used Twitter and Facebook, in at least one case on their cell phone, to post messages about cases on which they were sitting. "I just gave away TWELVE MILLION DOLLARS of somebody else's money" tweeted one such dope. Another posted status messages about the corruption trial of former Pennsylvania state Senator Vincent Fumo on Twitter and their Facebook page: "Stay tuned for a big announcement on Monday everyone!"

In another case, a New York City police officer wrote about his mood on his MySpace page. This called his judgment into question in a trial the next day in which he testified, and the defendant won. Did the defendant win because Officer Ettienne called his own mood the day before "Devious"? It didn't help.

I've been on a jury and, while they didn't say anything specific about Twitter, I would take the admonition against discussing the case with anyone else as a clear instruction not to blab about it online. I don't know why, but a lot of people seem to lose basic values of judgment when they are on these systems, like the people who go on Jerry Springer and shows like that and air their dirty laundry before the world.

As their employer you need to be concerned that some of what they're discussing is confidential company material, perhaps private data of third parties, and we may be at the stage where you need to do something to stop it. If you don't, you may find yourself being accused in the legal system some day of failing to take reasonable measures to protect data. How would you react if one of your people tweeted "Really close to closing the big deal!"? That alone could compromise negotiations.

So what are you going to do? I know it sounds stuffy and punitive, but first of all I'm with my friend's employer: Facebook and similar services have no place on your company computers. It's bad enough that they expand, however minutely, the attack surface for malware, but they also waste time and bandwidth. Me, I would cut them off.

For some companies this is both draconian and throwing out the baby with the bath water. Many businesses use these services for their own purposes, after all. Most of my own followers on Twitter are PR people, and sadly the same is true of my "friends" on Facebook :(. How do you allow for legitimate use of social networking services while blocking improper use of them? DLP (also known, amusingly, as "extrusion prevention systems") is one way to go, assuming you can write logical rules. I'm always skeptical of how good the rules in such systems can be without incurring numerous false positives. Fidelis has been marketing their XPS systems as being specifically tailored to performing DLP on social networking systems. If you're going to allow them, then monitor their use so that you know how much they are being used. Knowing that employees use these systems is not, by itself, a reason to cut them off; it's when they use them too much.
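A minimal version of the "monitor their use" step, as an added example that is not part of the original column: it totals bytes sent to social networking domains from proxy logs so you can see the bandwidth share and which accounts are heaviest. The log lines are constructed in Squid's native access.log layout, and the domain list and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (Squid native format):
# time elapsed client code/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1240000001.123   250 10.0.0.11 TCP_MISS/200 524288 GET http://www.facebook.com/home.php alice DIRECT/1.2.3.4 text/html
1240000002.456   120 10.0.0.12 TCP_MISS/200 131072 GET http://twitter.com/home bob DIRECT/1.2.3.5 text/html
1240000003.789   300 10.0.0.11 TCP_MISS/200 262144 GET http://www.example.com/report.pdf alice DIRECT/1.2.3.6 application/pdf
1240000004.000    90 10.0.0.13 TCP_HIT/200 65536 GET http://intranet.example.com/wiki carol NONE/- text/html
1240000005.000   400 10.0.0.12 TCP_MISS/200 1048576 GET http://www.facebook.com/video/ bob DIRECT/1.2.3.4 video/mp4
1240000006.000   500 10.0.0.13 TCP_TUNNEL/200 204800 CONNECT www.facebook.com:443 carol DIRECT/1.2.3.4 -
"""

# Assumed list of domains to treat as social networking traffic.
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "myspace.com")

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+(?P<bytes>\d+)\s+\S+\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

def domain_of(url):
    # HTTPS appears as "CONNECT host:port" with no scheme; urlsplit needs "//"
    # in front of it to parse the host rather than treating it as a scheme.
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def is_social(host):
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)

def summarize(log_text):
    """Return total bytes, social-network bytes, their share, and bytes per user."""
    total = social = 0
    per_user = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than miscounting
        nbytes = int(m.group("bytes"))
        total += nbytes
        if is_social(domain_of(m.group("url"))):
            social += nbytes
            per_user[m.group("user")] += nbytes
    share = social / total if total else 0.0
    return {"total_bytes": total, "social_bytes": social,
            "social_share": share, "per_user": dict(per_user)}

def users_over_threshold(summary, threshold_bytes):
    """Accounts whose social-network traffic exceeds an assumed per-period limit."""
    return sorted(u for u, b in summary["per_user"].items() if b > threshold_bytes)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"social share: {s['social_share']:.1%}", users_over_threshold(s, 1 << 20))
```

The share is by bytes, not request count, which is the figure the memo in the column was quoting; for HTTPS only the CONNECT host is visible, so the URL path cannot be used for finer categorization.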

You also need to have clear and stern policies about employees revealing company information outside of proper channels. Jury instructions should also probably be updated to make specific mention of some of the new technologies that people use so casually they don't even think about them. It may be a shocking concept, but assume people are stupid; maybe they think that writing on someone's Facebook Wall isn't actually "discussing the case" with them. Don't just assume that some form you made them sign at their orientation meeting covers stuff, although it may from a legal standpoint; spell it out to them with examples like the ones I've given.

It sucks that companies need to act like the secret police, but to a degree the law has put you in that position by making you responsible for safeguarding data. If your employees know that and that you take the obligation seriously then maybe they'll take their own responsibilities seriously, too.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.