After the turmoil generated by the seemingly endless
stream of data loss scandals at the end of last
year, organisations have become generally more sensitised to the
issue of data leakage.
This, combined with a raft of recent surveys around lost
productivity due to staff using
social networking sites such as Facebook and MySpace, is also
raising awareness that action needs to be taken in this domain.
For example, according to a study undertaken by information
security consultancy Global Secure
Systems and the organisers of the
Infosecurity Europe 2008
exhibition, the use of such sites is costing UK business an
estimated £6.5bn per annum in terms of reduced output.
A poll carried out among 776 office workers indicated that most
spent at least 30 minutes a day visiting social networking sites,
while two were so hooked that they engaged in such activities for
as many as three hours each day.
Unsurprisingly, therefore, other
research by Computerweekly.com found that some 63% of
organisations were planning to monitor or limit staff access to
these sites over the next six months, while 17% intended to ban
their usage entirely.
Meanwhile, a second survey undertaken by YouGov and commissioned
by infrastructure software and services provider,
Dimension Data,
provided a breakdown of which kinds of personal web sites were
being accessed most.
Of the 2,134 employees questioned, some 46% undertook online
banking at work, 19% visited social networking sites, 13% indulged
in file-sharing, while 10% downloaded media files such as MP3s.
Donal Casey, principal security consultant at Morse Consulting,
says: "I wouldn't say the use of social networking sites is causing
chaos, but it is an issue without a doubt as it's one of those
things that can become addictive. When you talk to IT executives,
they're aware of the situation as it's a newsworthy fact that these
sites are being used. But unless it starts visibly impacting staff
productivity, most aren't overly concerned."
Nonetheless, he adds that many organisations are keeping a
watching brief on the issue by monitoring internet usage and, if
and when the statistics show high levels of activity, tend to take
action at that point.
But, whether social networking web sites are causing overt
damage to staff productivity or not, their usage does pose various
network-related and security questions.
In network terms, the problem is that if large numbers of users
download content, particularly in bandwidth-hungry formats such as
video, it is likely to have a negative impact on performance and,
therefore, on the ability of staff involved in more legitimate
pursuits to do their job.
Another risk relates to the potential for
downloading inappropriate content. While Simon Jeffreys, a
partner at law firm, CMS Cameron McKenna, indicates that liability
for downloading and disseminating such material falls on the
employee concerned, such a scenario can leave the way open for
legal action against their employer too.
He says, "An employer that found out an employee had downloaded
and/or disseminated [inappropriate material] would have to notify
the police immediately and make strenuous efforts to stop it going
to others, including its own staff. You certainly wouldn't want
other employees coming across it lest they be offended and perhaps
bring a claim against you."
A consideration of even greater concern, however, is linked to
privacy, says Graham Quint, IT manager at Tewkesbury Borough
Council. "People shouldn't use their work address or contact
details on these sites as it makes them a potential target for
phishing," he says. "There are also security holes that have been
exposed in these systems and their privacy policies leave a bit to
be desired. Facebook, for example, only disables an account after
someone wants to leave rather than deleting it."
Ken Munro, managing director at penetration testing house,
Secure Test, agrees. He
says, "People have always disclosed too much information on the
internet but sites like Facebook have made the problem much worse
in that the standard configuration allows anyone to view your
profile."
The concern is that snippets of information made available here
and there can all too easily be pieced together and linked back to
individual organisations using profiling tools such as Paterva's
Maltego.
Moreover, if a staff member puts their work e-mail address on
such sites, it means that there are clues to the account name, so
that malicious individuals can probably work out the password or
use social engineering to get the information, leaving the
corporate network vulnerable to attack.
So what can IT directors do about these worrying scenarios?
According to Donal Casey, there are two options, both of which
generate their own pros and cons - the first is simply to ban
access to such sites outright and the second is to introduce
acceptable usage policies.
One company that went down the former route is Graypen, an
agency that looks after the interests of ship and tanker owners
when their boats are in port. The organisation employs about 135
staff in 24 offices around the UK, but was experiencing bandwidth
problems even though it had just invested heavily in upgrading its
network and Citrix-based server infrastructure and had also
introduced ADSL broadband links.
David Scott, IT manager at Graypen, explains, "People were
saying that their systems were running slowly, but we couldn't
understand why because everything was brand new. After we'd checked
the servers though, we realised that it was down to internet
activity. The problem is that if half the office is downloading
videos from YouTube and the other half is working, everyone gets
frustrated."
Unfortunately, however, he found acceptable usage policies
ineffectual. "Even though we had a policy, we had no way of
enforcing it. People just delete their cookies and history and, as
soon as you walk through the door, they get off the site. So you
can have all of the best practices in the world, but if you've no
way of enforcing or controlling them, they're worthless."
As a result, following a conversation with a colleague at
another company, he decided to trial
Bloxx's web filtering
technology for 14 days. But after as little as 24 hours, Scott had
enough activity data to do something about it, and took a report to
the managing director.
The most frequently accessed web sites were eBay, the MSN
Hotmail e-mail system, the Paypal ecommerce payment system and
social networking sites, "which were the killers" because "people
were downloading videos and big pictures that were taking up
bandwidth and degrading our terminal services".
Scott says, "Nearly 100 people were involved at all levels of
the company and after looking at the results, the MD just said
'block the lot'. It was a short, sharp shock and it wasn't a
popular move, but it really worked. If people complained, we just
pointed out that they weren't happy if the network ran slowly and
this was the only way to sort it out, which they accepted."
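The kind of activity report Scott describes, ranking web categories by the bandwidth they consume so that a block decision rests on evidence rather than on complaints, as an added example that is not Bloxx's product or code from the original article. It assumes a Squid-style proxy access log and a constructed category map; the sample lines and their byte counts are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid native access.log layout:
# time elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1207123001.123 512 10.0.1.15 TCP_MISS/200 8421 GET http://www.ebay.co.uk/itm/123 - DIRECT/1.2.3.4 text/html
1207123002.456 30210 10.0.1.22 TCP_MISS/200 15728640 GET http://www.youtube.com/get_video?v=abc - DIRECT/1.2.3.5 video/flv
1207123003.789 420 10.0.1.15 TCP_MISS/200 6120 GET http://www.hotmail.com/inbox - DIRECT/1.2.3.6 text/html
1207123004.000 12000 10.0.1.31 TCP_MISS/200 3145728 GET http://www.facebook.com/photo.php?id=9 - DIRECT/1.2.3.7 image/jpeg
1207123005.000 300 10.0.1.40 TCP_MISS/200 2048 GET http://www.paypal.com/cgi-bin/webscr - DIRECT/1.2.3.8 text/html
1207123006.000 25000 10.0.1.22 TCP_MISS/200 10485760 GET http://www.youtube.com/get_video?v=def - DIRECT/1.2.3.5 video/flv
not a log line at all
"""

# Constructed category map; a real filter would use the vendor's URL lists.
CATEGORIES = {"youtube.com": "social networking", "facebook.com": "social networking",
              "ebay.co.uk": "shopping", "hotmail.com": "webmail", "paypal.com": "payments"}

LINE_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+(\S+)")

def registrable_domain(url):
    """Reduce a URL to its registrable domain (crude rule, handles *.co.uk)."""
    parts = (urlsplit(url).hostname or "").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac") and parts[-1] == "uk":
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def summarise(log_text):
    """Return (bytes per category, bytes per domain, total bytes) from the log."""
    by_cat, by_dom, total = defaultdict(int), defaultdict(int), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole report
        size, dom = int(m.group(1)), registrable_domain(m.group(2))
        by_dom[dom] += size
        by_cat[CATEGORIES.get(dom, "uncategorised")] += size
        total += size
    return dict(by_cat), dict(by_dom), total

def top_categories(log_text, n=3):
    """Rank categories by share of total bytes, as (category, bytes, percent)."""
    by_cat, _, total = summarise(log_text)
    ranked = sorted(by_cat.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(cat, size, round(100.0 * size / total, 1)) for cat, size in ranked]

if __name__ == "__main__":
    for cat, size, pct in top_categories(SAMPLE_LOG):
        print(f"{cat:18s} {size / 1048576:7.1f} MiB {pct:5.1f}%")
```

On the sample, social networking video and image fetches account for almost the entire byte count, which is the picture Graypen's 24-hour trial produced.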
While such action is understandable given Graypen's particular
set of circumstances, Casey points out that this approach would not
necessarily work for all organisations.
"A lot of companies use social networking sites for recruitment
and supply chain activities these days so there are acceptable
business uses being made of this technology, particularly by young
folk coming into employment who are used to it. So you have to be
careful with blanket bans," he says.
Such considerations also apply to professional networking sites,
such as LinkedIn, which are likely to diverge increasingly from
their social networking counterparts, believes Ian Blatchford, a
partner at consultancy RSM Bentley Jennison.
But another point to bear in mind, says Jeffreys, is that the
Trades Union Congress and the Chartered Institute of Personnel and
Development have both
issued statements indicating that banning access to such sites is
not a fair bargain to strike with staff - although excessive
usage should not be permitted either.
"Staff don't have any legal rights to use their employer's
computer system for personal ends and it's not a human right. But
not to allow any usage at all isn't very reasonable so what we're
talking about here is staff undertaking such activity during their
breaks," he says.
As increasing numbers of personnel continue to work long hours
under pressure, it becomes important to ensure that they are able
to strike some form of work-life balance. The danger in this
context is that "banning usage entirely may upset them and end up
being counter-productive", Jeffreys adds.
If such advice is taken, however, it means that acceptable usage
policies and user education become paramount and potential
loopholes and wording must be considered carefully.
One organisation that is working through this process at the
moment is Tewkesbury Borough Council, where IT manager Quint is
currently in discussion with the organisation's legal and HR
departments as well as the unions over an initial policy draft,
which, after it is agreed, will be issued to all staff to sign.
"There'll be a grace period when staff will be expected to sign
and if they don't, they'll be given one extension. If they don't
sign by the end of that period, we'll disable their account and
won't re-enable it until they've handed the signed sheet agreeing
to comply. It's all good practice really," he says.
To date, however, Quint says he has spent "a good wadge of time
looking at all the possible attack vectors and routes to policy
abuse". He says, "If people don't feel something is appropriate,
they'll work around it so you need to cover all angles. You also
have to ensure that there's no legal ambiguity or holes because it
can end up in a disciplinary or ultimately with the police if it's
something serious. That's why HR and legal have to be
involved."
Although abuse of social networking sites has not proved to be a
problem as yet beyond the activities of one or two "youthful
employees", Quint believes that, in many ways, the issue is more of
an educational and management one than an IT matter per se.
"There's an ICT solution to many things, but at the end of the
day, this is a business issue and, if productivity is being lost,
it's up to line managers to address the issue with staff," Quint
concludes.
Considerations around acceptable usage policies:
Establish what the organisation is trying to achieve and what it feels is appropriate to sanction, limit access to or even to ban.
Employees should always be made to sign the policy to prove that they have read and agreed to abide by it, and this process must be recorded.
Policies should be reissued for signing at least annually or they may not be considered legally valid if a case goes to court.
Key policy elements:
Staff can only use social networking sites during lunch breaks or outside of formal working hours - although this can be difficult to enforce, particularly in a flexible working culture.
Personnel should be prohibited from including corporate e-mail addresses in their personal profiles.
They must actively log out of sites like Facebook when they have ended a session - this does not take place automatically and, as the link is not encrypted, network traffic becomes vulnerable to sniffing.
Employees need to understand that downloading or accessing inappropriate content or making libellous or defamatory comments on social networking sites could lead to disciplinary action.
Ask staff to ensure that only friends - rather than just anyone - can see their profile.