There are a number of security awareness initiatives that take place throughout the year, such as Privacy Week, Global Security Week and most recently e-Security Awareness Week. These programs all contribute to raising awareness of IT security risks among businesses and consumers. However, everyone, especially larger organisations, needs to be aware of daily changes within the myriad IT security threats that their businesses face.
One of the most significant security challenges organisations face today is the increasing use of social networking sites. Whether it be Facebook, MySpace, LinkedIn, YouTube or Twitter, social networking is fast becoming a way of life for millions of people to share information about themselves, for personal or business reasons.
But it comes with huge risks that range from identity theft and malware infections, to corporate reputation damage.
What are the risks?
Chances are several of your employees are among the roughly 200 million active users on Facebook alone. Research shows that staff spent an average of 3.74 hours a week on social media or user-generated content sites in 2008 compared to 3.26 hours in 2007 - a 15 per cent annual increase. It is anticipated that this growth rate will continue to escalate in 2009.
With so many staff spending so much time on these sites, what are the risks of social networking practices to your business?
Identity theft: Identity thieves can easily dupe users into downloading an application and entering their personal details. In doing so, the thieves gain access to the users' private details and can use the information to steal a user's identity for fraudulent purposes.
Data leakage: Most staff understand that it is a criminal offence to disclose their confidential company data. However, many staff sometimes give away little pieces of information about their company that can be pieced together and combined with other information to reveal sensitive company data, such as payroll, financial results, sales strategies and product development information.
Legal ramifications: If your staff are using social networking sites, you should be aware of the legal implications for you, the employer.
Cyber bullying: If staff make derogatory comments about other work colleagues, these could be used as evidence of the attitude and culture of the workplace against the employer and any individual respondent in discrimination lawsuits. Any inappropriate online dialogue could also be used to support claims of bullying in the workplace.
Discrimination: From an HR perspective, employers may be held in breach of The Employment Practices Data Protection Code if they use social networking sites for gathering information for recruitment purposes. If information on social networking sites impacts on an employer's decision to recruit an individual, then discrimination issues may arise. Organisations may be charged with discrimination based on information about an individual's sexual orientation, age, race or religious beliefs.
Reputation damage: The risks to an organisation's reputation range from a staff member posting inappropriate photos from a recent buck's party to a disgruntled former employee openly badmouthing his former employer and divulging sensitive company information.
Recently a Telstra employee was caught impersonating Communications Minister Stephen Conroy on Twitter, causing the organisation significant embarrassment and negative press. He used the fake profile to lampoon the Government's proposed mandatory internet filtering scheme.
The prolific use of social networking sites and the ease with which one can use them means there are even greater chances of a reputation-maligning act spreading fast, if left unchecked.
Internet threats: Some of the biggest threats come from viruses, spyware and malware. If a company allows these sites on its network, the whole network may be put in jeopardy. Ads and banners can now have hidden code behind them that can wreak havoc on a system.
Given all these potential threats and breaches to corporate security, some organisations choose to ban staff access to these sites outright. While this might be safer, it is not the best way to nurture employee relations.