Policies hold key to social networking security threat

Certain personal online activities can help maintain employee productivity. The question is, when does fair use become a concern for the HR department and line management?

Social networking presents a number of challenges, writes Patrick Tarpey, head of information security for a leading UK public body, and member of (ISC)2.

Most organisations allow, to a certain extent, personal web surfing during employee lunch breaks, for example. Indeed, certain online activities, such as online banking, can help maintain employee productivity by avoiding lunchtime bank queues. The question is, when does fair use become a concern for the HR department and line management?

The answer lies within the monitoring of internet use and employee understanding of their responsibilities - namely policies.

If your security policies are well constructed and understood, internet monitoring simply provides evidence in the event of disciplinary action. The policies should cover what constitutes reasonable use, downloading of software, use of company e-mail and disrepute. The latter point of disrepute is certainly contentious. Recently I read a profile on a social networking site where the member had written disparaging remarks regarding a client placement and client personnel.

The rapid take-up of social networking sites offers cyber criminals and mischief makers a large new target. Remind colleagues not to use any workplace e-mail addresses or passwords on these websites. Many of these websites do not encrypt user log-on details. Passwords and user IDs transmitted in clear text across the public internet are subject to possible interception or compromise.

Another consideration is keeping your corporate browser secure. A burgeoning cottage industry supplies third-party applications to social networking sites. The vast majority of these applications are innocuous, simply adding additional functionality and content while giving the supplier either advertising revenue or access to your private profile data. But can you rely solely on the due diligence undertaken by social networking sites? Do you want to allow third-party software unfettered access to your profile and ultimately your network?

There is evidence that unwanted software is making its way into social networking. Security company Fortinet first reported anomalies with the Secret Crush application in early January 2008. Facebook users were invited, seemingly by a friend, to find out which of their friends held a secret crush on them. In the course of inviting five friends to download the Secret Crush application, the duped user grants the application access to profile data, which may include e-mail address, date of birth and other private details, and is prompted to download adware.

From the corporate perspective, I would consider deploying anti-spyware software in addition to standard anti-virus protection.

Of course, some employers have taken an alternative stance on internet use at work and chosen to block social networking websites. This is possibly the simplest solution, and it pushes the onus onto the individual to stay secure.

For individuals, social networking sites certainly offer an enjoyable way to keep in contact with old friends and colleagues. But a few sensible steps can improve your security:

• Restrict viewing of your details to trusted persons

• Don't publish your full birth date

• Don't reveal your e-mail, phone number or postal address

• Question the motivation of unsolicited requests to be friends or group membership from persons unknown

• Read the small print of any third-party software installed via social networking sites

• Never arrange to meet strangers in person
