How to prevent social networking from damaging business

After the turmoil generated by the seemingly endless stream of data loss scandals at the end of last year, organisations have become generally more sensitised to the issue of data leakage.


This, combined with a raft of recent surveys around lost productivity due to staff using social networking sites such as Facebook and MySpace, is also raising awareness that action needs to be taken in this domain.

For example, according to a study undertaken by information security consultancy Global Secure Systems and the organisers of the Infosecurity Europe 2008 exhibition, the use of such sites is costing UK business an estimated £6.5bn per annum in terms of reduced output.

A poll carried out among 776 office workers indicated that most spent at least 30 minutes a day visiting social networking sites, while two were so hooked that they engaged in such activities for as many as three hours each day.

Unsurprisingly, therefore, other research found that some 63% of organisations were planning to monitor or limit staff access to these sites over the next six months, while 17% intended to ban their usage entirely.

Meanwhile, a second survey undertaken by YouGov and commissioned by infrastructure software and services provider, Dimension Data, provided a breakdown of which kinds of personal web sites were being accessed most.

Of the 2,134 employees questioned, some 46% undertook online banking at work, 19% visited social networking sites, 13% indulged in file-sharing, while 10% downloaded media files such as MP3s.

Donal Casey, principal security consultant at Morse Consulting, says: "I wouldn't say the use of social networking sites is causing chaos, but it is an issue without a doubt as it's one of those things that can become addictive. When you talk to IT executives, they're aware of the situation as it's a newsworthy fact that these sites are being used. But unless it starts visibly impacting staff productivity, most aren't overly concerned."

Nonetheless, he adds that many organisations are keeping a watching brief on the issue by monitoring internet usage and, if and when the statistics show high levels of activity, tend to take action at that point.

But, whether social networking web sites are causing overt damage to staff productivity or not, their usage does pose various network-related and security questions.

In network terms, the problem is that if large numbers of users download content, particularly in bandwidth-hungry formats such as video, it is likely to have a negative impact on performance and, therefore, on the ability of staff involved in more legitimate pursuits to do their job.

Another risk relates to the potential for downloading inappropriate content. While Simon Jeffreys, a partner at law firm, CMS Cameron McKenna, indicates that liability for downloading and disseminating such material falls on the employee concerned, such a scenario can leave the way open for legal action against their employer too.

He says, "An employer that found out an employee had downloaded and/or disseminated [inappropriate material] would have to notify the police immediately and make strenuous efforts to stop it going to others, including its own staff. You certainly wouldn't want other employees coming across it lest they be offended and perhaps bring a claim against you."

A consideration of even greater concern, however, is linked to privacy, says Graham Quint, IT manager at Tewkesbury Borough Council. "People shouldn't use their work address or contact details on these sites as it makes them a potential target for phishing," he says. "There are also security holes that have been exposed in these systems and their privacy policies leave a bit to be desired. Facebook, for example, only disables an account after someone wants to leave rather than deleting it."

Ken Munro, managing director at penetration testing house, Secure Test, agrees. He says, "People have always disclosed too much information on the internet but sites like Facebook have made the problem much worse in that the standard configuration allows anyone to view your profile."

The concern is that snippets of information made available here and there can all too easily be pieced together and linked back to individual organisations using profiling tools such as Paterva's Maltego.

Moreover, if a staff member puts their work e-mail address on such sites, it reveals the corporate address format and, in most organisations, the account name itself. With half of the credential already known, malicious individuals can mount password-guessing attacks against that account or use social engineering to obtain the password, leaving the corporate network vulnerable to attack.

So what can IT directors do about these worrying scenarios? According to Donal Casey, there are two options, both of which generate their own pros and cons - the first is simply to ban access to such sites outright and the second is to introduce acceptable usage policies.

One company that went down the former route is Graypen, an agency that looks after the interests of ship and tanker owners when their boats are in port. The organisation employs about 135 staff in 24 offices around the UK, but was experiencing bandwidth problems even though it had just invested heavily in upgrading its network and Citrix-based server infrastructure and had also introduced ADSL broadband links.

David Scott, IT manager at Graypen, explains, "People were saying that their systems were running slowly, but we couldn't understand why because everything was brand new. After we'd checked the servers though, we realised that it was down to internet activity. The problem is that if half the office is downloading videos from YouTube and the other half is working, everyone gets frustrated."

Unfortunately, however, he found acceptable usage policies ineffectual. "Even though we had a policy, we had no way of enforcing it. People just delete their cookies and history and, as soon as you walk through the door, they get off the site. So you can have all of the best practices in the world, but if you've no way of enforcing or controlling them, they're worthless."

As a result, following a conversation with a colleague at another company, he decided to trial Bloxx's web filtering technology for 14 days. But after as little as 24 hours, Scott had enough activity data to do something about it, and took a report to the managing director.

The most frequently accessed web sites were eBay, the MSN Hotmail e-mail system, the Paypal ecommerce payment system and social networking sites, "which were the killers" because "people were downloading videos and big pictures that were taking up bandwidth and degrading our terminal services".

Scott says, "Nearly 100 people were involved at all levels of the company and after looking at the results, the MD just said 'block the lot'. It was a short, sharp shock and it wasn't a popular move, but it really worked. If people complained, we just pointed out that they weren't happy if the network ran slowly and this was the only way to sort it out, which they accepted."
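The report Scott took to his managing director is the kind of output any web-proxy log can yield. As an added illustration (not Graypen's or Bloxx's own tooling), the following aggregates constructed access-log lines in the Squid native format into hits and bytes per site and per category, so that bandwidth hogs such as video and social networking stand out from sites that are merely visited often. The category table is a hypothetical placeholder; a real deployment would use the filter vendor's categorisation.

```python
"""Summarise a web-proxy access log by site and category.

Added example, not code from the original article.  Sample lines are
constructed in the Squid native access.log layout (timestamp, elapsed ms,
client, result/status, bytes, method, URL, user, hierarchy, content-type).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
1204110001.123   2345 10.0.3.21 TCP_MISS/200 5242880 GET http://www.youtube.com/watch?v=abc - DIRECT/1.2.3.4 video/flv
1204110002.456    120 10.0.3.22 TCP_MISS/200 18320 GET http://www.facebook.com/home.php - DIRECT/1.2.3.5 text/html
1204110003.789     95 10.0.3.23 TCP_MISS/200 4210 GET http://cgi.ebay.co.uk/item - DIRECT/1.2.3.6 text/html
1204110004.012   1980 10.0.3.21 TCP_MISS/200 3145728 GET http://www.youtube.com/get_video?id=abc - DIRECT/1.2.3.4 video/flv
1204110005.345     60 10.0.3.24 TCP_MISS/200 2048 GET http://mail.live.com/inbox - DIRECT/1.2.3.7 text/html
1204110006.678     40 10.0.3.22 TCP_MISS/200 1048576 GET http://www.facebook.com/photo.php?pid=1 - DIRECT/1.2.3.5 image/jpeg
1204110007.901     30 10.0.3.25 TCP_MISS/200 1500 GET http://intranet.example.local/timesheet - DIRECT/10.0.0.5 text/html
"""

# Hypothetical category table keyed by registrable domain (assumption).
CATEGORIES = {
    "youtube.com": "video",
    "facebook.com": "social",
    "myspace.com": "social",
    "ebay.co.uk": "shopping",
    "live.com": "webmail",
}


def categorise(host):
    """Map a host name to a category; subdomains inherit the parent's."""
    host = host.lower()
    for suffix, cat in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return cat
    return "other"


def parse_line(line):
    """Return (client_ip, bytes, host) for one Squid native log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        nbytes = int(fields[4])
    except ValueError:
        return None
    host = urlsplit(fields[6]).hostname
    if not host:
        return None
    return fields[2], nbytes, host


def summarise(log_text):
    """Aggregate hit and byte counts per host and per category."""
    per_host = defaultdict(lambda: {"hits": 0, "bytes": 0})
    per_category = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the report
        _client, nbytes, host = parsed
        for bucket in (per_host[host], per_category[categorise(host)]):
            bucket["hits"] += 1
            bucket["bytes"] += nbytes
    return per_host, per_category


def top_by_bytes(table, n=3):
    """Rank entries by bytes transferred; hits alone hide the bandwidth hogs."""
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    hosts, cats = summarise(SAMPLE_LOG)
    for name, stats in top_by_bytes(hosts):
        print(f"{name:30} {stats['hits']:4d} hits {stats['bytes']:>10d} bytes")
    for name, stats in top_by_bytes(cats):
        print(f"[{name}] {stats['hits']} hits, {stats['bytes']} bytes")
```

Ranking by bytes rather than hits is the point: in the sample, webmail and auction sites are visited as often as the video site, but video accounts for almost all the transferred volume, which is what degrades a shared terminal-services link.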

While such action is understandable given Graypen's particular set of circumstances, Casey points out that this approach would not necessarily work for all organisations.

"A lot of companies use social networking sites for recruitment and supply chain activities these days so there are acceptable business uses being made of this technology, particularly by young folk coming into employment who are used to it. So you have to be careful with blanket bans," he says.

Such considerations also apply to professional networking sites, such as LinkedIn, which are likely to diverge increasingly from their social networking counterparts, believes Ian Blatchford, a partner at consultancy RSM Bentley Jennison.

But another point to bear in mind, says Jeffreys, is that the Trades Union Congress and the Chartered Institute of Personnel and Development have both issued statements indicating that banning access to such sites is not a fair bargain to strike with staff - although excessive usage should not be permitted either.

"Staff don't have any legal rights to use their employer's computer system for personal ends and it's not a human right. But not to allow any usage at all isn't very reasonable so what we're talking about here is staff undertaking such activity during their breaks," he says.

As increasing numbers of personnel continue to work long hours under pressure, it becomes important to ensure that they are able to strike some form of work-life balance. The danger in this context is that "banning usage entirely may upset them and end up being counter-productive", Jeffreys adds.

If such advice is taken, however, it means that acceptable usage policies and user education become paramount and potential loopholes and wording must be considered carefully.

One organisation that is working through this process at the moment is Tewkesbury Borough Council, where IT manager Quint is currently in discussion with the organisation's legal and HR departments as well as the unions over an initial policy draft, which, after it is agreed, will be issued to all staff to sign.

"There'll be a grace period when staff will be expected to sign and if they don't, they'll be given one extension. If they don't sign by the end of that period, we'll disable their account and won't re-enable it until they've handed the signed sheet agreeing to comply. It's all good practice really," he says.

To date, however, Quint says he has spent "a good wadge of time looking at all the possible attack vectors and routes to policy abuse". He says, "If people don't feel something is appropriate, they'll work around it so you need to cover all angles. You also have to ensure that there's no legal ambiguity or holes because it can end up in a disciplinary or ultimately with the police if it's something serious. That's why HR and legal have to be involved."

Although abuse of social networking sites has not proved to be a problem as yet beyond the activities of one or two "youthful employees", Quint believes that, in many ways, the issue is more of an educational and management one than an IT matter per se.

"There's an ICT solution to many things, but at the end of the day, this is a business issue and, if productivity is being lost, it's up to line managers to address the issue with staff," Quint concludes.

Considerations around acceptable usage policies:

Establish what the organisation is trying to achieve and what it feels is appropriate to sanction, limit access to or even to ban.

Employees should always be made to sign the policy to prove that they have read and agreed to abide by it and this process must be recorded.

Policies should be reissued for signing at least annually or they may not be considered legally valid if a case goes to court.

Key policy elements:

Staff can only use social networking sites during lunch breaks or outside of formal working hours - although this can be difficult to enforce, particularly in a flexible working culture.

Personnel should be prohibited from including corporate e-mail addresses in their personal profiles.

They must actively log out of sites like Facebook when they have ended a session. Sessions are not closed automatically, and because the link is not encrypted the session cookie crosses the network in clear text, where anyone able to sniff the traffic can read it. Logging out invalidates the session on the server, so a cookie captured earlier cannot be reused afterwards; it does not prevent capture while the session is live.

Employees need to understand that downloading or accessing inappropriate content or making libellous or defamatory comments on social networking sites could lead to disciplinary action.

Ask staff to ensure that only friends - rather than just anyone - can see their profile.
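The "log out" item above rests on the fact that, over plain HTTP, a session cookie is readable by anyone on the network path. As an added illustration (not from the original article), the following parses a constructed, unencrypted request/response pair with made-up cookie names and values and a placeholder host, picks out the cookies that look like session identifiers a passive observer would harvest, and checks whether the server marked them Secure (which would stop the browser sending them over plain HTTP at all) and HttpOnly.

```python
"""What a passive observer sees when a site is used over plain HTTP.

Added example, not code from the original article.  The messages below are
constructed; 'social.example' and the cookie values are placeholders.
"""
import re

CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sid=3f9c1e7a22b0; Path=/\r\n"
    "Set-Cookie: lang=en-GB; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
CAPTURED_REQUEST = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sid=3f9c1e7a22b0; lang=en-GB\r\n"
    "\r\n"
)

# Cookie names that commonly carry a login session (heuristic, an assumption).
SESSION_NAME_HINT = re.compile(r"(sess|sid|token|auth)", re.I)


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP message; names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def sniff_session_cookies(raw_request):
    """Session-looking cookies an on-path observer can read from a plaintext request."""
    found = {}
    for name, value in parse_headers(raw_request):
        if name != "cookie":
            continue
        for pair in value.split(";"):
            if "=" in pair:
                key, val = pair.strip().split("=", 1)
                if SESSION_NAME_HINT.search(key):
                    found[key] = val
    return found


def audit_set_cookie(raw_response):
    """Per cookie set by the server: were Secure and HttpOnly present?

    Without Secure the browser will send the cookie over plain HTTP, which
    is exactly the exposure the 'log out' policy item is trying to limit.
    """
    report = {}
    for name, value in parse_headers(raw_response):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        report[cookie_name] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        }
    return report


def exposed_session_cookies(raw_request, raw_response):
    """Session cookies that were both sniffable in transit and not marked Secure."""
    audit = audit_set_cookie(raw_response)
    return {
        k: v for k, v in sniff_session_cookies(raw_request).items()
        if not audit.get(k, {}).get("secure", False)
    }


if __name__ == "__main__":
    print("sniffed:", sniff_session_cookies(CAPTURED_REQUEST))
    print("flags:  ", audit_set_cookie(CAPTURED_RESPONSE))
    print("exposed:", exposed_session_cookies(CAPTURED_REQUEST, CAPTURED_RESPONSE))
```

A cookie that shows up in `exposed_session_cookies` stays valid until the server ends the session, which is why the policy asks users to log out rather than simply close the browser window.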
