IT problems often take place at the line between the personal and the professional. Employees download a file to their work computer that has a virus in it. Salespeople put both personal and professional contacts on their BlackBerrys and then leave them in a cab. The simple answer is to forbid personal use of company assets, but the cost is the blend of personal and professional that leads to more productivity or better connections. Nowhere is that more apparent than social networking.
What looks like a pure time-waster that your employees use to avoid work can turn out to be an essential tool—for example, sales personnel are famous for mining LinkedIn for sales leads—so handling the security and productivity issues that are sometimes raised by social networking sites isn’t simple at all.
“These sites are valuable for building relationships and getting contacts, and when employees are using them for those reasons, it’s not really an option to just block them,” says Mike Hrabik, CTO of Solutionary (www.solutionary.com). “On the other hand, there are many people who take advantage of these large groups of members and who gather information to attack the members of those sites.”
Malware & Social Engineering
The technical issues with these sites are relatively well-known. Viruses abound on Facebook, for example, where hackers post links for unsuspecting users to click. Those links often lead to a fake site where the user is prompted to give personal information or simply give that user a virus that then propagates itself through his entire contact list. “When a computer inside your network gets compromised, the attacker can access all data on that system as well as all the data and systems that computer or any users of that computer have access to,” says Kevin Prince, CTO of Perimeter E-Security (www.perimeterusa.com). “This can also be a launch point to attack and compromise other internal systems or databases.”
Twitter is also a well-known gathering place for all kinds of malware, to the point where the site had to create a filter to prevent legitimate and malicious users from posting links that led to known phishing sites or other malware. Fake support emails purport to link the reader to Twitter but lead to spam or malware sites.
Even scarier than the behavior of the hackers, though, is the behavior of the users. Social engineering doesn’t work without the participation of the victims, and what users choose to share or allow others access to on social networking sites can expose them to social engineering. Criminals display ever more inventive ways to get users to offer information freely (if under false pretenses) that they then use to steal information or even money from the company.
Not So Private
As anyone who reads about Facebook or who visits it regularly will know, the site often adds new functionality that makes its users more visible to third parties—not their most sensitive information, necessarily, but more information about where they go, what they do, and what they click. Users on Facebook have to monitor these changes and make efforts to update their privacy settings to opt out of these new functionalities.
Generally, privacy on these sites is an illusion, and a failure to understand that often leads to trouble for the users. “There’s a natural trust of other users on the sites (because they are their friends, right?) as well as a belief that these sites have been built in a way to protect their privacy, which is often not the case,” Prince says. “So the problems can be widespread, and educating employees on the dangers of these sites is the best way to reduce problems.”
In other words, as with email, it’s important to warn users that what they think is private really isn’t and that it can be a jumping-off point for hackers to capture their personal information. “It should always be assumed by users that any information they post on a social networking site can be seen by the entire world,” Prince says. “Remind them to use a different username and password for these sites than for other things like their online banking or work login. Too often users do this, and a criminal can figure it out on one site and use it on others.”
That issue is getting more urgent as users apply tools that unify all their communications and allow them to log in to all of their applications at once. “People are going to be looking for that and trying to take advantage of it,” says Carl Herberger, vice president of information security and compliance services for EvolveIP (www.evolveip.com).
Prince also warns of plug-ins and other sites and services that allow users to link to social media sites for easier or enhanced access. “These sites usually require your authentication, and these sites are compromised more frequently than the social media sites,” he says.
Filter Or Forbid?
Web content filtering tools can be used to monitor how much employees are accessing which sites and how long they’re on them. Those same tools can be used to block social networking sites, either specific ones or the whole category of social networking.
But don’t think that blocking is the answer, because even if it doesn’t cause a revolt among salespeople or others who use these sites professionally, it can be difficult to screen all of them out. You can block Facebook and then find that users are accessing another site you’ve never heard of that has the same functions and risks associated with it.
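As an added illustration (not from the article or the vendors quoted in it), the Python script below shows the monitoring side of the web content filtering described above: it aggregates constructed proxy-log lines per user and per site, totals the time spent on a hypothetical social-networking category list, and surfaces uncategorized hosts that still absorb a lot of time, the look-alike sites the text says a category block will miss. The log format, host names and category list are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy-log lines (hypothetical format: ISO timestamp, user, host, seconds spent).
PROXY_LOG = """\
2010-03-01T09:02:11 alice www.facebook.com 900
2010-03-01T09:20:40 alice www.linkedin.com 1500
2010-03-01T10:05:03 bob twitter.com 300
2010-03-01T10:12:19 bob social-clone.example 2400
2010-03-01T11:00:00 carol www.facebook.com 60
2010-03-01T11:30:00 bob social-clone.example 1800
"""

# Hypothetical "social networking" category list as a filtering tool would maintain it.
SOCIAL_NETWORKING = {"www.facebook.com", "www.linkedin.com", "twitter.com"}


def parse_log(text):
    """Turn log lines into (timestamp, user, host, seconds) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, host, secs = line.split()
        records.append((datetime.fromisoformat(ts), user, host, int(secs)))
    return records


def usage_by_user(records):
    """Visit count and total seconds per user, per host: {user: {host: [visits, seconds]}}."""
    usage = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for _, user, host, secs in records:
        usage[user][host][0] += 1
        usage[user][host][1] += secs
    return usage


def social_time(usage, categories):
    """Total seconds each user spent on hosts in the social-networking category."""
    return {user: sum(secs for host, (_, secs) in hosts.items() if host in categories)
            for user, hosts in usage.items()}


def uncategorized_hotspots(usage, categories, min_seconds=1800):
    """Hosts outside the category list that still absorb a lot of time, as
    (host, total seconds, users) sorted by time; these are review candidates."""
    totals = defaultdict(lambda: [0, set()])
    for user, hosts in usage.items():
        for host, (_, secs) in hosts.items():
            if host not in categories:
                totals[host][0] += secs
                totals[host][1].add(user)
    return sorted(((h, s, u) for h, (s, u) in totals.items() if s >= min_seconds),
                  key=lambda item: item[1], reverse=True)
```

Feeding a real proxy export into `parse_log` and the tool's own category list into the two report functions gives the per-user and uncategorized views in one pass.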
In that sense, policies are often the IT manager’s most usable tool for limiting the damage these sites can expose the network to. When blocking them altogether isn’t an option, policies that are communicated and enforced may screen the company from most of the potentially dangerous behaviors. “They can be a great tool for organizations, they just have to be controlled and managed properly,” Prince says.
Herberger notes that policies are more effective when enforced, and that means testing. If you announce a policy about social networking sites and then fail to determine whether employees are complying with it, your lack of enforcement may breed contempt. “Routinely test for the behavior you’re trying to promote or avoid,” he says. “The first test drives home that you’re trying to reduce risk, but it’s only by the third or fourth test that you actually get acceptable levels of the behavior.”
Key Points
Social networking sites pose both technical threats and behavioral threats.
Blocking social networking isn’t always the answer, because many employees use these resources for business reasons.
Your best bet is establishing policies that outline acceptable use and testing to make sure that users are complying with those policies.
By Holly Dolezalek