The results are in from the Computer Weekly survey on usage of social networking sites. The survey, based on 331 responses from a wide variety of organisations, provides an interesting insight into the impact that social networking sites are having on the workplace. My stance, that I’ll come to later in this blog, is that there is a serious security threat. Read on…
Just under a third of respondents (31%) allowed unlimited access to social networking sites, with the same proportion (31%) only doing so during non-core hours. 37% did not allow ANY access. Of those that allowed access, respondents estimated that employees spent an average of 50 minutes on social networking sites per day. This rose to 56 minutes amongst those companies allowing unlimited access (44 minutes amongst companies not allowing access in core hours), and 62 minutes amongst London-based companies.
It is estimated that probably around half of all usage was occurring during lunch breaks and a further 30% either before or after core business hours. In other words, employees are generally trying to be responsible about their usage of the social networking sites during company time. Given that around half of respondent companies monitor use to some degree, this would seem sensible. Banking and financial companies are those most likely to be performing monitoring.
Interestingly, 27% of respondents claim their IT department’s workload had increased because of the need to monitor social networking sites (45% amongst those in companies that monitored usage). I say it’s interesting because to me this implies one of two things. Either the monitoring is active rather than passive, or IT departments are being more frequently asked to provide reports on individual usage in support of HR concerns over employee performance or behaviour. If the latter, what the results don’t tell me is whether or not those are the same respondents who report that 20% of usage occurs during core business hours.
Facebook (54%), followed by YouTube (13%) and Myspace (7%) were felt to be the most popular sites in use.
Of those organisations who do not allow access, the biggest reasons given were ‘time wasting (29%)’, ‘not work related (21%)’, ‘Loss of productivity (21%)’ and ‘Security (17%)’. Given that 80% of usage quoted above is claimed to actually be occurring outside of core hours, the first three reasons do not generally appear to hold much water. Security figures more highly as a reason for blocking access than I expected and I predict that this percentage will rise sharply over the next 12 months.
There are a couple of reasons for my saying this. Firstly, we’re only just waking up to the fact that social networking sites are a potential vector for malware coming in and, almost uncontrollably if we’re allowing access, data going out. Secondly, the full potential of social networking sites as a vector for malicious code, corporate brand and identity theft, and social engineering has yet to be realised. Once organisations begin tapping into the potential for making revenue out of them, the crooks will move in just as fast. In fact this is already happening, as reported last week here:
“Attackers are using web 2.0 sites as a way to distribute malware and are data mining the web, looking for information people share to give their attacks more authenticity. McAfee Avert Labs expects a large increase in this activity in 2008.”
And here’s a question. Why do we feel the need to put so much information about ourselves online anyway? It’s ironic that the HMRC data loss causes so much public exasperation yet at the same time individuals are prepared to post the most intimate details of their private lives on a public social networking site.
Back to the survey results. I will put my stake in the ground. Those organisations who continue to allow full and unrestricted access to social networking sites need to wake up to the fact that they are putting the security of their data and other assets at risk. Another survey, performed by Websense earlier in the year, highlighted this fact:
The issue of data theft should be of particular concern…..not least because close to half (45 per cent) of survey respondents admitted to engaging in activity that could put their company’s data at risk.
Finally, let’s remind ourselves of one simple fact: people are always the easiest target. Whether it’s because they are malicious, irresponsible, careless, or just plain unlucky, the soft squidgy part of information security is always people. Now that millions of people are willing to reveal the sort of information they would probably not even want their own parents to know about, online, to an audience that is not malign, then we have a disaster waiting to happen.
A few years ago I went to a school reunion. All I really needed was to be wearing a t-shirt stating: job title, make of car, size of mortgage, number of kids. It’s all people were really interested in. Call me an old cynic….