Social networking: corporate risks, individual risks

As a result of the strong human desire to connect, social networking websites have encouraged online behaviour where security and privacy are not always the first priority, writes Andrea Simmons, consultant forum manager at the BCS Security Forum.

A survey by YouGov revealed that employees are being distracted by the use of social networking sites to the tune of some three hours a week, outstripping online banking, shopping or music downloads.

However, the key cause for concern is the late realisation of the open nature of the web and thus how much personal information has been left exposed to any passing stranger.

The work and personal worlds are extremely blended at the edges, so there is crossover between the two. However, the anonymous feeling of online transactions seems to leave the user capable of dropping their "real-time shields".

With this in mind, an employer is more than likely to check some of the social networking sites to see whether you have an avatar or online presence and, if so, how you behave and conduct yourself, and thus whether, by your actions, you are the kind of person that they want to join their organisation.

The risks of social networking to the individual continue once they are in employment. This is illustrated by the case of a disenfranchised Waterstones employee who criticised his managers in his blog. The story illustrates the issues on both sides - the individual's need to apply caution to their online activity, and the employer's need to be cognizant of blogs and encourage people to be careful in their online transactions.

Similarly, Oxford University trawled Facebook for evidence of students behaving inappropriately - including "trashing" each other.

Another example worth noting is an NHS organisation that has set up its own Facebook site inviting users to chat with patients and staff.

The South West Yorkshire Mental Health Trust offers people the opportunity to discuss the stigma suffered by those with mental health problems. This might seem like a good idea, but the nature of the information being exchanged may, in all likelihood, fall into the category of sensitive personal data, which needs to be carefully protected from the risk of inadvertent disclosure.

The bottom line is that the social networking site you are using is a third party and you need to be happy that you would trust that third party with your personal information.

Addressing these issues, IBM has a code of conduct that extends into virtual worlds. It warns employees to back away from inappropriate people, behaviour or transactions. Participation must be approved by a manager, and the avatar's appearance should be "appropriate".

Identity theft

Trade in online information is now at a significant level and invariably in the hands of criminal organisations. Too many individuals are experiencing what is wrongly termed "identity theft" (your identity itself cannot actually be stolen but information relating to you can indeed be used to create another identity). "Caution" needs to be the watchword.

In October 2007, ENISA launched a position paper identifying threats and giving policy recommendations for "safer social networking". The paper emphasises the commercial and social benefits of a safe and well-informed use of social networking sites.

Although the initial feeling was that the sites should be considered frivolous, there are obviously those who can see that, if used and managed in the right way, social networking sites can be a useful business tool.
