Concerns over social media sites are not new. Even before these sites existed, there were major concerns that the inappropriate use of e-mail was a major factor in sensitive business information being “leaked”. Some of the issues have been, and perhaps always will be, the naivety of staff, slack security systems and policies, and the general lack of training and security awareness about these newer methods of communicating. This is particularly true where organisations have seen the use of these sites by their staff outside of working hours as beyond their scope and remit. Organisations have concerns on several levels. At the basic level it is about staff abusing the access to the Internet provided at work and using social web sites whilst they should be working. This is a work culture issue and one that has been dealt with in a variety of ways: some have banned access to these sites completely, some have monitored activity and used disciplinary action against those that abuse the system, and others have restricted access to lunch and break times. In all cases it is likely that staff are using these sites out of work, and organisations should be concerned as much with what staff may be putting on those sites as they are about the time spent at work accessing them.
It is prudent to provide staff with some basic security advice for home and work use of such sites. Nobody has 3000 “friends”; saying something on these sites could be deemed similar to walking down a busy street with the words on a billboard. The bottom line is: if you wouldn’t want everybody to know about it, consider whether you should write it, say it or put the photograph/video on the site at all. Sites are not as private as they appear and can be used to judge your staff and your organisation. Silly comments, discussion about company business, jokes about mates or work colleagues, or being offensive in any way will change the way that person is viewed.
Think of all of those people who have been made redundant or been sacked from their jobs during the recession, ex-employees, whistleblowers, disgruntled employees: what are they likely to say, and how could that harm the organisation’s brand and image? In sensitive, Government and high security establishments, loose words can be even more serious, providing information that is valuable to fraudsters, thieves, activists and terrorists. In terms of the individual, of course, this is critical when seeking a job because many organisations now use the Internet to see if they can find out more about the person.
These concerns are supported by a new report from Sophos, its Security Threat 2010 report, which shows that nearly two thirds (60 percent) of businesses believe social network site Facebook poses the biggest threat to security. MySpace was voted second with 18 percent, closely followed by Twitter with 17 percent of votes, whilst only 4 percent named LinkedIn as a security threat. Graham Cluley (Sophos) said “Facebook is by far the largest social network — and you’ll find more bad apples in the biggest orchard”. Cluley added that the security team at Facebook works hard to counter threats on their site; it’s just that policing 350 million users can’t be an easy job for anyone. However, he pointed out that when Facebook rolled out its new recommended privacy settings late last year, it was “a backwards step, encouraging many users to share their information with everybody on the internet.” He also warned users that while LinkedIn is considered to be the least threatening social network, it still provides hackers with “a sizeable pool of information.” The report also found that incidences of malware and spam increased 70 percent on social networks in the past year. According to Sophos’ study, 57 percent of users say they have been sent malware over social networking sites. Cluley said “Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made.”
Norman Mortell, Director at Agenda Security Services, said “This report does not come as a surprise. It is difficult for organisations to manage what staff get up to out of work, but we should take our responsibility for the safety and security of our staff outside of the traditional organisational limits”. He went on to say “By providing the staff with training, advice and policies on how to best protect themselves and also the organisation, you are reducing the threats of identity theft, malware and spam, staff inappropriately representing themselves or the organisation and are also creating a safer online environment for everybody. We should embrace technology but need to be sensible, particularly in the wake of the Sophos survey!”