LAKE BUENA VISTA, Fla. -- Social networking sites, from LinkedIn to Facebook, offer a fresh set of data security and privacy threats to an organization, but trying to keep them out of the enterprise is futile, said Sandy Bacik, principal consultant at Knoxville, TN-based Enernex Corp.
During a session at InfoSec World 2010, Bacik urged companies to improve their employee training programs and create an enterprise statement that addresses the risks of social networking environments.
Bacik did not ignore the benefits of social network sites to the enterprise. Collaborative Web 2.0 tools are used frequently for professional purposes: to publish one's expertise, find talent, make personal connections with peers, accelerate communications and self-promote, for example. Employers can use the social networks to research a possible new hire, too.
Attendee Perry Sullivan, systems security engineer at Saskatchewan-based telecom company SaskTel International Inc., admits he has used Google to research new hires. "You can find out a lot about people, good and bad," he said, noting that with today's social networks, an employer can see if a potential employee is active in the community, a partier, or even a member of a judo club.
Social network sites offer more risk, of course, than just serving up an unprofessional image of an employee. Throughout the session, Bacik stressed the many privacy issues of the social tools, including how the policies of various social networks will not necessarily address exposure of important data.
"It's not just the information you put out there. It's what your 'friends' use from your profile, what your group uses from your profile and spreads elsewhere." It's up to security professionals, Bacik said, to teach employees about validating who's communicating with them, and rejecting connections that don't seem legitimate.
To combat the many risks of social networks, Bacik emphasized the importance of an enterprise statement, one that should be written and incorporated into an employee's individual security awareness training program. "You should have an enterprise statement saying … We understand that you go to [social network sites] and use them. We're going to give you guidelines on how to use them and how not to use them. From a security perspective, we cannot say anymore 'No, we're going to block this.'"
In today's Web 2.0 environment, halting social networks may challenge marketers who use the tools to do research, R&D employees who need to ask questions about an ongoing project, or executives who use the sites to demonstrate their presence and activity in the online community.
Bacik also spoke about the importance of guiding users, employees and even contractors on the enterprise-related information that they send out on social network profiles.
"Within the Western view, we think when we set up profiles online, they are private. Only our friends that we've connected with can see them. But if you go outside the U.S., many Eastern countries think it truly is public information -- sociable, free information to distribute and disseminate wherever they want," Bacik said, adding that users need to be given guidance on what information can and cannot be posted online.
Bacik's recommendations for what should be part of an enterprise statement included announcing a clear company philosophy, a definition of social networking, terms of service, copyright and legal issues, production impact, and possible disciplinary action.
Sullivan, who works at a company of about 3,500 people, believes social networking concerns can be addressed in his own basic security awareness training that is offered to the company's employees. "I think it's probably something you need to do when you first hire them, probably as part of your code of conduct."
Sullivan admitted that social network sites have been a struggle for his organization, especially considering he has a younger generation of employees who enter the workforce expecting the use of their favorite Web 2.0 tools. His employees take advantage of Facebook, other navigation sites and even YouTube to do research.
"We're seeing a lot of the security issues as much as it's a productivity or HR or corporate affairs issue… we think we have to open it up. We have to give [employees] the guidelines to tell them, 'Yeah, you can do it, but you have to be careful how you use it.'"
Sullivan has also had to adapt to his employees' need to share documents. His employees have used Google Docs tools, for example, to exchange ideas about company functions, but that information is out in the open and subject to Google's policies.
Like many attendees in the session, Sullivan looks to achieve a balance between providing the social network function that his employees desire while also protecting his company's important information. Sullivan's company, for example, now has an internal blog site where the president of the company can announce updates and answer employee questions.