By Carl Blackett, ICT Security Architect, Norfolk County Council
In this new age of ‘instant information’, is it short-sighted to block social networking sites within an organisation purely because of stories in the press relating to scams, misuse and threats?
There’s an increasing trend to use social networking sites like Facebook and Twitter as a business-enabling tool rather than solely as a personal communication aid for families and friends; Facebook now even allows you to ‘advertise’ easily. Should businesses embrace this new culture, or stick to the old-world view of ‘If it has been reported as bad, it must be’?
Is there any way an organisation can stop staff accessing such sites in the context of the increase in consumer products which allow instant access anytime? Just look around your organisation to see how many people are carrying both corporate and personal devices…
Here’s a quick quiz; see how you do.
1. Do you prevent your staff from accessing social networking sites on corporate devices?
2. Do you prevent staff from attaching their own devices to corporate machines?
3. Do you monitor when these personal devices are used to access social networking sites?
4. Do you have control over your organisation’s social networking ‘footprint’?
If the answer to 1 is YES but the answer to 2 or 3 is NO, then the answer to 4 is NO. Did you expect that?
Perhaps it’s time for a re-think?
With the increase in the number of organisations embracing Bring Your Own Device (BYOD), this trend is only going to grow. So perhaps now is the time to look at educating users about the issues, and empowering them to use these tools responsibly, rather than trying to block access; after all, this may turn into a battle you can’t win.
So, how do you educate users about social networking sites and the issues around them?
Teach users about good password management including password strength (difficult to guess but easy to remember), password security (keep it to yourself) and using different passwords for different sites (a password is only as strong as the weakest system you use it on).
- Scams, click-jacking and fake apps
Teach users how to spot something that is attempting to harvest data and steal identities. If people are aware of what can happen, they may be less inclined to click anything-and-everything in the hope of a free gift.
- Sensible sharing
Social networking sites can be restricted to allow only a limited number of people to access data and information. If you have a target audience, do you need to tell ‘everyone’ or only those you wish to educate? Teaching people how to amend these settings to protect themselves will help you protect any corporate data you wish to place on there.
- Monitoring (for employees)
Social networks send emails relating to access, posts and mentions. Monitoring these will highlight any potential misuse which can be stopped before it gets too severe.
- Monitoring (for employers)
Regular checks of internet usage will show any misuse of social networking sites. All employees should be aware you are monitoring internet access and that misuse will be investigated. This should act as a deterrent for anyone who wishes to misuse the privilege and use corporate resources to ‘check their CityVille or click that link for a free iPad’…
If all these steps are in place and your users are using social networking to enhance your corporate image and expand your client base, could there be a justification to lower the defences and allow social network access for employees?
The internet world is changing and social networking is becoming a more mainstream tool for business operations; without secure enablement there is a risk you could be left behind…
Social networking in the corporate environment is no longer about ‘no’, it’s about ‘yes, BUT’.