Social networking tools can be a productive form of communication, especially for younger employees, many of whom perceive email as the equivalent of writing a letter, but organisations must also consider the risks of social networking sites.
Blocking social networking sites due to concerns over employee productivity may deprive a company of the speed and flexibility that the Web 2.0 technologies offer when used for legitimate purposes. Social network tools generally enable richer group interactions without the need for numerous emails. Blogs, for example, can ensure that members of a project can easily stay in the loop, joining in when needed without having to open and read every message.
For many organisations, there can be a valid business case made for taking advantage of these sites. Warner Music Group, Sony BMG and Universal Music Group joined up with MySpace Inc. to allow users to listen to and watch music content and purchase related merchandise and tickets. President Obama, too, made extensive and productive use of social networking tools during his campaign for the presidency. But uncontrolled use of social networks can have serious security and productivity implications for companies.
Time-wasting and potential cyberbullying are only some of the issues with social networking sites. Due to their large user bases, sites such as Facebook and Twitter are regular targets for hackers, and because of the informal nature of these sites, users are very exposed to phishing and other social engineering attacks. Attacks are proving so successful, in fact, that the Israeli government has even taken to warning its citizens to beware of subtle attempts by social network users to recruit them as spies or offer them money for information.
Hackers are constantly coming up with new ways to install malware and steal information or money through sites such as LinkedIn, Plaxo, MySpace and Facebook. The Nigerian 419 advance fee fraud is fairly well-known, but a more recent ruse is the use of fake videos which, when you attempt to watch them, ask you to download a codec that supports the video's format, which is, of course, malware.
Social networks and e-discovery
When letting employees access social networking sites, it is your organisation that is responsible, legally speaking, for the information that they put out there on the Web. It could bring your organisation into disrepute even if no laws have been broken. Racist comments posted on a social networking site used by Isle of Man students, for example, were "deplorable" according to the Department of Education. In another case, a magistrate, who posted messages on Twitter about cases at the town's magistrates' court, resigned following a complaint from colleagues.
Not only do you need to have some control over what your employees are saying, but you must also control where they are saying it. If your organisation faces litigation, it may have to deal with the issue of e-discovery, and that entails a whole lot more than going through some old emails. Essentially, e-discovery is the electronic extension of the legal discovery process, in which each party to the case can request documents and other evidence, including all electronically stored information, from the other parties.
Don't be misled into thinking that e-discovery is only an issue for companies with operations in the U.S.; we have similar laws here in the U.K., and they are quite clear: if it is relevant to the case, it must be disclosed. Best endeavours will not be considered sufficient if you can't demonstrate that you've reviewed electronically stored information held in all locations. Last year, the British Standards Institute published the BS10008:2008 standard, and I suggest you check it out. The standard, which lays out requirements for the implementation and operation of electronic information management systems, addresses issues relating to the authenticity and integrity of electronic information that may be used as legal evidence.
Looking ahead, e-discovery requests are likely to be on the increase. The Confederation of British Industry (CBI) has reported a sharp rise in employment tribunal cases as a result of recent redundancies, and the Competition Commission significantly increased its data disclosure demands last year. Other regulators are likely to step up their e-disclosure demands. These factors point to an increased corporate need for e-discovery tools and an IT security team that understands the core aspects of e-discovery law and practice -- thankfully these are all key security objectives: data availability, confidentiality and integrity.
How to defend against the security risks of social networking tools
So what can be done to reduce risks arising from social networking tools and e-discovery? The starting point has to be a clear set of social networking acceptable use policies and related controls governing the use of off-site tools. These will enable the company to know where to look for electronically stored information in the event of discovery, and mount a reasonable defence if employees have put relevant data on unsanctioned sites. We don't yet know how the courts will deal with the numerous issues raised by this type of data. What we do know is that ignorance about what your employees are doing with company resources is always dangerous and should be reduced as much and as soon as possible.
Not everyone will need access at all times, so one simple step is to introduce firewall rules that allow access only at specific times and only to sites that are relevant to someone's job. It's worth discussing with employees how best to accommodate productive interaction while discouraging wasteful social chit-chat, as you'll need to present the logic for any ban or restrictions. The guidelines should be backed up with training and awareness to make sure everyone understands the potential risks and the purpose of your acceptable usage policy.
This policy needs to spell out which social networking tools can be used, by whom, and for what purposes, along with strict guidelines about what can and cannot be said. Employees should be required to sign off on their awareness of, and agreement with, the guidelines and policy. Mechanisms to detect violations should be put in place and violators must be dealt with. As in other areas of information assurance, the mere existence of a policy is not enough -- breaches must be detectable and punishable.
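As an added example (not from the article), a small Python policy check that ties the two points above together: a table stating which roles may use which social networking sites and during which hours, run over constructed Squid-style proxy log lines to flag the violations an acceptable use policy needs to be able to detect. The policy table, site list, user names, roles and log lines are all constructed assumptions, and the permitted hours are treated as UTC.

```python
import re
from datetime import datetime, timezone, time
# Constructed policy table (an assumption for this example, not from the article): each
# governed site lists the roles allowed to use it and the permitted UTC time window.
POLICY = {
    "facebook.com": {"roles": {"marketing"}, "window": (time(12, 0), time(14, 0))},
    "twitter.com": {"roles": {"marketing", "press"}, "window": (time(9, 0), time(18, 0))},
    "linkedin.com": {"roles": {"hr", "sales"}, "window": (time(9, 0), time(18, 0))},
}
# Squid native access.log fields: time elapsed client code/status bytes method URL user ...
LOG_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+(\S+)\s+(\S+)")

def governed_site(url):
    """Return the policy key matching the URL's host or a parent domain, else None."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    labels = host.split(".")
    candidates = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((c for c in candidates if c in POLICY), None)

def check_line(line, roles_by_user):
    """Return (user, site, reason) if the request breaches policy, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line; a real deployment would count these too
    ts, url, user = m.groups()
    site = governed_site(url)
    if site is None:
        return None  # not a social site the policy governs
    rule = POLICY[site]
    if roles_by_user.get(user) not in rule["roles"]:
        return (user, site, "role not permitted")
    clock = datetime.fromtimestamp(float(ts), tz=timezone.utc).time()
    start, end = rule["window"]
    if not start <= clock <= end:
        return (user, site, "outside permitted hours")
    return None

def audit(lines, roles_by_user):
    """Run every log line through the policy and collect violations for review."""
    return [v for v in (check_line(l, roles_by_user) for l in lines) if v]
# Constructed sample log lines (Squid format) and user-role mapping for a stand-alone run.
SAMPLE_LOG = [
    "1249993800.123    250 10.1.2.3 TCP_MISS/200 4321 GET http://www.facebook.com/pages/acme alice DIRECT/1.2.3.4 text/html",
    "1250020800.456    120 10.1.2.4 TCP_MISS/200 987 GET http://twitter.com/acmepr bob DIRECT/1.2.3.5 text/html",
    "1249984800.789    300 10.1.2.5 TCP_MISS/200 2048 GET http://www.linkedin.com/in/someone carol DIRECT/1.2.3.6 text/html",
    "1249984800.999     80 10.1.2.6 TCP_HIT/200 512 GET http://intranet.example/news dave NONE/- text/html",
]
ROLES = {"alice": "marketing", "bob": "press", "carol": "engineering", "dave": "finance"}
if __name__ == "__main__":
    for user, site, reason in audit(SAMPLE_LOG, ROLES):
        print(f"{user}: {site} ({reason})")
```

Run against the sample, the marketing user's lunchtime Facebook request passes, while the out-of-hours Twitter request and the engineer's LinkedIn request are reported for follow-up under the policy.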
Web security gateways such as Websense Inc.'s Web Security Gateway or Mi5 Inc.'s Webgate, now a Symantec Corp. product, will help you protect not only your data, but your employees as well while they make use of the Web 2.0-based tools.
Deploying this type of technology, along with sensible rules, will enable your organisation to benefit from social networking tools while avoiding many of the dangers. And check your policy and controls to ensure they are appropriate to your business so you get the balance right.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in August 2009