The pros of social networking outweigh the security cons, but the risks to corporate image and data are still significant
Everyone knows the biggest thing on the Internet these days is social networking. Businesses and individuals use Twitter, Facebook, MySpace, Digg and Delicious — just to name a few — to build and maintain relationships. The question is, with whom? Friends, colleagues and customers? Or criminals?
At the core of the issue are two factors: user identity and user-contributed content. Did you know that Jessica Biel is everyone’s friend on Facebook? Or at least someone claiming to be Jessica Biel is — she’s the most counterfeited celebrity on the web. How many of your users would be ecstatic to become Biel’s friend, only to find out the links on her page lead to malware sites pushing drive-by downloads?
Is the age of privacy over?
For some strange reason, users seem to think they’re completely safe online. How many times have you heard someone say, “It must be true. I read it on the Internet”? Let’s face it, there’s a sucker born every minute. Three hundred and fifty million of them use Facebook. Social networks provide a plethora of information as well as a rich environment for attackers. It is all too easy to write a Facebook application that pushes malware onto a user’s computer, and I get direct messages from malware bots on Twitter on a daily basis.
There are also legal risks as well as threats to company and employee reputation. It’s very easy to be frustrated at work and hop on Twitter to complain. An excited salesperson has a good meeting with a prospect and tweets about it, and the competition reads the tweet and moves in to undersell. Or maybe an employee leaves a meeting with hot insider news and can’t wait to update his Facebook status with it. What do you do if an office argument goes public with employees railing against each other over Twitter? And how about when Joe in accounting Facebooks those photos of your CEO in a Speedo smoking pot, drinking beer and womanising at the last corporate retreat?
This scares information managers to death. And with good reason. It was not very reassuring when Mark Zuckerberg, founder of Facebook, declared that “the age of privacy is over.” Does a better way of ensuring that companies ban Facebook even exist?
Given these threats, some IT departments have decided to block social networking sites completely. In my opinion, this is an immature knee-jerk response and the more appropriate choice is to train users on proper usage and then enforce those policies. Banning social networking tools is sort of like saying because Chris Henry of the Cincinnati Bengals died in a pick-up truck accident we should outlaw all pick-up trucks. Seems sort of silly, doesn’t it?
According to Forrester Research, business use of social media doubled from 11 to 22 percent between 2008 and 2009. There are many business benefits to using social networks. Davis Janowski of Investment News summed up how financial advisers are using social networks in an article on 26 April, 2009: “to attract clients, to develop relationships with [business partners] … and also to display their expertise.” Many companies are turning to Twitter to provide customer support. I even have a great story about Iams responding to my cat food concerns immediately via Twitter. Incidentally, I have an equally negative story about Travelocity’s half-hearted attempt at addressing my complaints about their excessive hold times.
And it’s not just the ability to interact via social networking sites. Perhaps the greater advantage to business is the ability to mine others’ interactions via social networking. What company doesn’t want to know how its brand is perceived?
However, in Forrester’s January 2010 report, “Twelve Recommendations for Your 2010 Information Security Strategy,” analyst Khalid Kark suggests that businesses “address risks associated with social media,” particularly “less control over corporate data.” One reason that IT departments are struggling to address the security risks presented by social networking is that there is no purely technical solution. This means that the traditional approach to security of throwing money at a bunch of point solutions isn’t going to work. A combination of technology and administrative controls is needed, as is the most dreaded of IT tasks: end-user education.
At the heart of IT departments’ concern is the fact that social networking can expose intellectual property, inside secrets and procedures to the public, and, worse, to competitors.