Despite widespread usage of social networking sites among employees of all ages, organisations’ reaction to the phenomenon has so far been mixed. For some, the issue of social networking sites still remains below the radar, while others - especially large organisations - have banned access outright. The other extreme has seen organisations embrace social networking wholeheartedly as an effective way of proliferating information to staff, customers and partners. Adopters of this mentality also use the technology as a tool to maintain contacts and build better relationships.
Paul Hanley, Deloitte’s head of technology, media and telecoms security, explains: “If there’s a company you want to target more effectively and you get tickets to the Grand Prix or whatever, you can use a site like Facebook to profile people and find out what their hobbies and interests are.”
Many organisations, however, are less concerned about the potential information security implications of using social networking tools and more worried about the potential for time-wasting and reduced productivity. That does not mean to say, however, that such information security risks do not exist.
Donal Casey, principal security consultant at Morse Consulting, attempts to put the threat posed by social networking sites into context: “As a standalone item, they would be five or six on a list of 10 [information security threats] so not massively high. However, as part of other strategies - such as data loss prevention - they would be number one or two as they provide an easy way for unregulated information to leave the environment.”
Foot in mouth
Such data leakage could be accidental. For example, an employee using Twitter might indicate that they were fed up because the company’s stock price had fallen before the information was released to the markets. One of the issues here is that the apparent anonymity of the internet often spurs people on to be more open than they would be if conversing with someone face-to-face.
The high level of redundancies that inevitably occur during a recession also increase the likelihood of malicious activity, which at the very least could lead to the firm’s reputation being damaged as a result of slander. While it is possible to contact the site carrying any sensitive or disparaging information to request that it be removed, the problem is that such data can continue to linger in cyberspace as third parties may have undertaken a screen dump or copied information onto their own sites.
"We can't have people doing anything illegal like downloading pirated software or films because if they breach the law, it doesn't make us look good." |
Yann Chatreau |
Another worrisome issue for information security, however, is data aggregation. This activity entails trawling around a range of different social networking sites in order to build up a picture of an individual. The danger for the individual is that they could become subject to identity theft, while the danger for their employer is an increased risk of being targeted for attack. For example, malicious individuals may be able to work out a staff member’s corporate passwords based on clues provided on websites such as social networking sites, or use such information for social engineering purposes.
Viral infection
A final information security consideration with regards to social networking, meanwhile, relates to viruses. Because sites such as Facebook and MySpace comprise rich internet applications that enable users to upload photographs and files, a potential hazard involves downloading malicious code from third parties in the shape of small applications or plug-ins. But such code could potentially include viruses or Trojan horses, while signing up to the terms and conditions for use could involve consenting to the deployment of spyware.
Therefore it would appear sensible to lock down corporate machines to prevent such downloads. Another option is to only permit staff to access social networking sites if using machines that are not connected to the corporate network but are instead located in the organisation’s internet cafe, for example. A further important consideration is to ensure that patching and anti-virus systems are kept up-to-date.
In terms of the more worrying data leakage scenario, however, it is crucial to undertake a risk assessment and gap analysis in order to establish which information is most valuable to the organisation, what it is worth, how it might become vulnerable and how it can best be protected. It is also important to work with the human resources and legal departments to come up with easy-to-understand acceptable use policies for information security and social networking tools that can be used as a means of disciplining personnel should they be abused.
This exercise should likewise be backed up by staff training and education to ensure that employees are aware of the information security risks and how they can guard against them. The introduction of a reporting mechanism to enable them to inform the relevant authorities if abuse is taking place is also useful.
Finally, it may be sensible to reserve the right to use technology to monitor staff communications. It is worth bearing in mind, however, that while staff in the UK must be informed of such activity, legislation in this area does vary from territory to territory. For instance, if the decision is made to simply issue a company-wide blanket ban on access to all social networking sites, organisations operating in Germany may find that they come up against a legal challenge.
‘There’s a hole in my bucket...’
One organisation that has spent a lot of time thinking through such issues is legal firm Allen & Overy. Because of the nature of its work and the fact that its client base predominantly comprises financial services companies, its big worry is the loss or leaking of sensitive information.
Yann Chatreau, the firm’s IT security and service continuity manager, explains: “Damage to reputation is a key concern. The risk is about loss of trust, but also we can’t have people doing anything illegal like downloading pirated software or films because if they breach the law, it doesn’t make us look good.”
As a result, Allen & Overy, which already complies with the ISO 27001 information security standard, is careful to “look at risks very proactively” and initially used Trend Micro’s software to block access to all social networking sites when their usage started hitting its radar about five years ago.
After the IT department discovered that a misconfigured web server was enabling personnel to access Facebook by the back door and decided to block that too, however, there was a massive outcry from the user base, which has increased from 30% to 80% of staff over the last few years.
“So we looked at what was done by other law firms and they nearly all allow it. The legal profession is pretty much a closed community and a lot of people use the site, not so much for business reasons, but to stay in touch with each other and get informal advice”, Chatreau explains.
Raising awareness
As a result, the pragmatic decision was taken to allow access solely to the social networking site Facebook and business site LinkedIn. The latter was considered to be low risk because “you can’t upload documents to it and there’s more control over people’s profile as you can’t see much about them unless you’re part of their network”, Chatreau says.
"Any breach of security policy can be seen as a breach of contract." |
Yann Chatreau |
In order to mitigate any potential information security risks further, however, he believes that “the first thing you have to do is raise awareness”. Therefore, all staff members, including new joiners, are provided both with education and training in information security as well as concrete guidelines as to appropriate usage. Such guidelines include only using the corporate email system rather than social networking sites’ facilities for business purposes and only allowing known third parties to access one’s profile.
Moreover, features such as video streaming and instant messaging are blocked to prevent personnel from accessing inappropriate material and downloading viruses respectively, while posters with security hints and tips are hung on the walls to act as reminders for safe behaviour.
As a final measure, all information security policies were incorporated into employees’ employment terms and conditions from January 2007, which means that “any breach of security policy can be seen as a breach of contract”, says Chatreau.
Another organisation that has been somewhat more prescriptive in its approach to social networking sites, however, is Pennaf, the parent company of the Welsh Clwyd Alyn Housing Association and Ty Glas Housing Society.
Pennaf, which employs about 360 staff working across 26 sites, splits its personnel into two categories – non-essential internet users, who are only permitted to employ corporate systems for web access before 9am, between 12-2pm and after 5.30pm, and essential users. The latter are provided with unlimited access to the body’s hosted online applications as well as approved third party websites. Social networking sites do not fall into the approved category, however, although eBay and the AutoTrader website are on the whitelist.
Flexibility is key
Carl Rose, Pennaf’s IS systems support and development analyst, explains the rationale: “We don’t feel that we have to protect people from buying the wrong car or latest bargain in their lunch time, but we are wary of sites where comments – or the ways in which people represent themselves - could be seen to reflect on us.”
But that is not to say the organisation is inflexible in its approach to social networking sites. Rose indicates that site access was in the past unblocked for a limited time period for one staff member who could make a genuine business case for usage. The formal request was formalised and signed off by the individual’s line manager.
“We don’t say that staff mustn’t use these sites – we say that there must be a business justification for them to do so. People can request access if there’s a genuine requirement”, Rose says.
The organisation has also developed plain English-based acceptable usage policies to ensure that personnel understand their rights and responsibilities and employs ScanSafe’s hosted security service to enforce them.
But no matter how organisations choose to deal with the social networking issue, the most important thing is to have thought through the information security issues and how they affect the business carefully, believes Casey. “Don’t leave it until next year to deal with and don’t ignore the risk. Talk to the right people, understand the threats and develop a coherent approach for dealing with the situation in the most effective way for you”, he concludes.