Secure social networking in the corporate world

How do you embrace social media while ensuring your business is protected from the myriad of threats that come with it? Marshal8e6's Jeremy Hulse explains.

A number of security awareness initiatives take place throughout the year, such as Privacy Week, Global Security Week and, most recently, e-Security Awareness Week. These programs all contribute to raising awareness of IT security risks among businesses and consumers. However, everyone, especially larger organisations, needs to be aware of daily changes within the myriad IT security threats that their businesses face.

One of the most significant security challenges organisations face today is the increasing use of social networking sites. Whether it be Facebook, MySpace, LinkedIn, YouTube or Twitter, social networking is fast becoming a way of life for millions of people to share information about themselves, for personal or business reasons.

But it comes with huge risks that range from identity theft and malware infections, to corporate reputation damage.

What are the risks?
Chances are several of your employees are among the roughly 200 million active users on Facebook alone. Research shows that staff spent an average of 3.74 hours a week on social media or user-generated content sites in 2008 compared to 3.26 hours in 2007 - a 15 per cent annual increase. It is anticipated that this growth rate will continue to escalate in 2009.

With so many staff spending so much time on these sites, what are the risks of social networking practices to your business?

Identity theft: Identity thieves can easily dupe users into downloading an application and entering their personal details. In doing so, the thieves can access their private details and use the information to steal the user's identity for fraudulent purposes.

Data leakage: Most staff understand that it is a criminal offence to disclose their confidential company data. However, many staff sometimes give away little pieces of information about their company that can be reconstructed and combined with other information to reveal sensitive company data, such as payroll, financial results, sales strategies and product development information.

Legal ramifications: If your staff are using social networking sites, you should be aware of the legal implications for you, the employer.

Cyber bullying: If staff make derogatory comments about work colleagues, these could be used as evidence of the attitude and culture of the workplace against the employer and any individual respondent in discrimination lawsuits. Any inappropriate online dialogue could also be used to support claims of bullying in the workplace.

Discrimination: From an HR perspective, employers may be held in breach of The Employment Practices Data Protection Code if they use social networking sites for gathering information for recruitment purposes. If information on social networking sites impacts on an employer's decision to recruit an individual, then discrimination issues may arise. Organisations may be charged with discrimination based on information about an individual's sexual orientation, age, race or religious beliefs.

Reputation damage: The risks to an organisation's reputation range from a staff member posting inappropriate photos from a recent buck's party to a disgruntled former employee openly badmouthing his former employer and divulging sensitive company information.

Recently a Telstra employee was caught impersonating Communications Minister Stephen Conroy on Twitter, causing the organisation significant embarrassment and negative press. He used the fake profile to lampoon the Government's proposed mandatory internet filtering scheme.

The prolific use of social networking sites and the ease with which one can use them means there are even greater chances of a reputation-maligning act spreading fast, if left unchecked.

Internet threats: Some of the biggest threats come from viruses, spyware and malware. If a company allows these sites on its network, the whole network may be put in jeopardy. Ads and banners now have hidden code behind them that can wreak havoc on a system.

Given all these potential threats and breaches to corporate security, some organisations choose to ban staff access to these sites outright. While this might be safer, it is not the best way to nurture employee relations.

Web 2.0 and social networking are now an important part of the communication mix, and companies that don't engage via these channels will lose their competitive advantage.

So how do you embrace social media while ensuring your business is protected from the myriad of threats that come with it? Developing and enforcing an Acceptable Usage Policy (AUP) for staff internet use is critical.

Creating a work environment with acceptable email and Internet use
Historically, many organisations were forced to develop draconian email and internet AUPs to protect their network resources and proprietary information.

Today, there are advanced internet and email security solutions available that enable organisations to develop and enforce highly customised and flexible AUPs that enable staff productivity rather than inhibit it.

So how do you create an AUP for today's office environment that provides maximum protection and security for your organisation's assets while enabling staff to leverage social media to build business relationships and opportunities?

Email, web and endpoint security technology enables organisations to enforce AUPs that are flexible and customised to meet the requirements of different individuals and/or user groups.

Defining acceptable internet usage
Today's AUP needs to be flexible, particularly when it relates to internet usage. Some users need full access to the web for research and day-to-day tasks. Others only need access to a few pages.

Companies can now define acceptable use of the internet for different user groups by incorporating the following:

- Blocking access to websites known to contain damaging, offensive or non-work-related content, for example, websites containing malware, pornography, gambling or offensive content.

- Browsing quota management. Organisations can now set limits to web access for specific user groups by total bandwidth or total active browsing time. Quotas can vary for specific user groups, applications, file types, URLs, and times of day. They can even apply flexible policies that prevent personal use during work time but allow personal use during lunchtime and out-of-hours.

- User-defined keywords: selected user groups can be prohibited from visiting web pages containing certain key words.

- Upload or download of specified file types or file sizes, for example, marketing staff may be permitted to download large BMP or EPS files while other user groups cannot.
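
The four controls listed above can be combined into a single per-group decision. The sketch below is an added example, not taken from the article or from any vendor's product: the group names, categories, time windows, quotas and size limits are all constructed assumptions. It denies by default for unknown groups and unlisted file types.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed policy for illustration: every category, group and limit is an assumption.
ALWAYS_BLOCKED = {"malware", "pornography", "gambling"}
PERSONAL = {"social-networking", "webmail"}

@dataclass
class GroupPolicy:
    personal_windows: list   # [(start, end)] when personal browsing is allowed
    quota_minutes: int       # daily active personal browsing time
    blocked_keywords: set = field(default_factory=set)
    download_limits_mb: dict = field(default_factory=dict)  # extension -> max size

POLICIES = {
    "marketing": GroupPolicy([(time(0), time(23, 59))], 120,
                             download_limits_mb={"bmp": 200, "eps": 200, "pdf": 20}),
    "finance": GroupPolicy([(time(12), time(13)), (time(17, 30), time(23, 59))], 30,
                           blocked_keywords={"payroll"}, download_limits_mb={"pdf": 20}),
}

@dataclass
class Request:
    group: str
    category: str
    at: time
    minutes_used: int = 0
    page_text: str = ""
    file_ext: str = ""
    file_mb: float = 0.0

def evaluate(req):
    """Return (allowed, reason); the first matching rule decides."""
    policy = POLICIES.get(req.group)
    if policy is None:
        return False, "unknown group"            # fail closed
    if req.category in ALWAYS_BLOCKED:
        return False, "blocked category"
    if any(k in req.page_text.lower() for k in policy.blocked_keywords):
        return False, "blocked keyword"
    if req.category in PERSONAL:
        if not any(s <= req.at <= e for s, e in policy.personal_windows):
            return False, "personal use outside permitted hours"
        if req.minutes_used >= policy.quota_minutes:
            return False, "quota exhausted"
    if req.file_ext:
        limit = policy.download_limits_mb.get(req.file_ext.lower())
        if limit is None or req.file_mb > limit:
            return False, "file type or size not permitted"
    return True, "allowed"
```

Returning the reason alongside the decision lets the block page tell the user which rule applied, which supports the staff education the policy depends on.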

Achieving AUP compliance
Including staff in the development of the AUP is a great opportunity to ensure the policy has been suitably customised to meet individual user group needs. It is also a good way to win their support for the policy.

Informing and educating staff about the AUP is critical if an organisation intends to enforce it. If people understand the need for a responsible security policy, they will be much more inclined to comply.

Using technology to enforce rules and educate users helps to embed the AUP into the corporate ethos. Using the right security solutions will assist you in training users to adopt best practice information security policies.

Security is a journey, not a destination. Larger organisations need to be vigilant and proactive in their management of e-security. Daily maintenance and enforcement of security policies is required to ensure the ongoing protection of critical network resources and data.

Jeremy Hulse is responsible for Marshal8e6's sales, marketing, channel and business development strategy in Asia-Pacific.