Posted by Chenxi Wang on December 1, 2009
To Facebook or not to Facebook? Forrester recently received a flurry of inquiries concerning social network access inside enterprises. Many firms are reluctant to deny their employees access to social networking sites but at the same time are worried about consequences such as malware threats, data loss, and the loss of productivity.
More specifically, risks associated with social networking come in three flavors:
- Malware and phishing: Social networks have become a hotbed for malware and phishing activities. As such, allowing access to sites like Facebook, MySpace, LinkedIn, etc., does carry a certain amount of security risk.
- Data loss: Employees posting content to social networking sites pose a potential data-loss threat, which has many up in arms about the use of social networks in enterprises.
- Damage to corporate image: There is no reliable way to ensure that no one sets up a fake corporate page on LinkedIn or Facebook, or that no one takes your official promotional video and reposts it to YouTube after unauthorized edits.
Should you allow access to social networks and social media? The answer is “yes”. Even if you do not currently allow access to social networks, you will have to soon — access to social networks is approaching the status of a “must-have” at workplaces. Competitive pressure will sooner or later make you rethink your restrictive stance on social network access. One question we often get asked is: “How many firms out there are allowing access vs. denying access to social networks?” We do not have an accurate answer to that. A small survey we conducted at the beginning of this year indicated that today nearly 40% of companies (enterprises and SMBs) allow access to social networking sites like Facebook and LinkedIn.
What best practices should you follow in regulating access to social networking and media sites?
First, you need to establish an acceptable-usage policy with respect to social networking and media access. Consider these aspects when writing your policies:
- Does everyone need the same level of access to social networking sites? The answer is often “no”. For instance, the marketing and sales team may need to post video and other media files for legitimate business purposes. But for other parts of the company, there isn’t such a compelling need. Perhaps a read-only policy is adequate. Of course, this would depend on the general company culture — how liberal or how restrictive you are in terms of personal computing at work plays an important role in these decisions.
- Be vigilant about software downloads. Because malware travels via software downloads over the Web, a prudent policy might allow users to access Facebook content but block any software installation that results from visiting Facebook pages. This will of course dilute the social networking experience, but in many ways it is an acceptable compromise for workplace access.
- Should you allow access anytime, anywhere? Again, the answer depends on how liberal your company culture is. On one hand, you do not want to place unnecessary restrictions. On the other hand, there has to be a balance between personal use of social media and workplace productivity. So, the acceptable-usage policy may state that employees should use their best judgment when it comes to the amount of time they spend on Internet social networking sites. Or, if the company culture allows, you may enforce time- or bandwidth-based limitations on access to social networking sites.
- Acceptable data posts. Social networks allow data posts, which may pose a data leak threat to enterprises. In your usage policy, make it clear what kind of data/content is considered inappropriate in posts to public social networking sites. For example, some companies prohibit their employees from posting endorsements of, or comments on, the company on LinkedIn.
Second, you need to clearly communicate the policies to your users and educate them on the risks of social networking and on acceptable usage with regard to data posts and software downloads. Make it clear that these security threats are not just against individuals, but also have the potential to compromise the security posture of the corporate environment.
Lastly, if you decide to enforce your policies (if any) technologically instead of simply stating the policies and hoping for compliance, you need to employ a Web filtering product (you probably want one regardless for anti-malware reasons). You may also want the product to collect and report usage statistics on your users. For any outlier population, e.g., the few employees who spend an exorbitant amount of time on social networks, their managers can be made aware of the situation and deal with it in an appropriate way. Often, just the knowledge that access to social networks is monitored will curtail such behavior. Be mindful that not every Web filtering product is equipped to deal with script-based Web malware. The ones that come with an antivirus engine but no script processing capabilities do not fit the bill. Finally, it is imperative that the Web filtering product comes with data leak prevention (DLP) capabilities to enforce acceptable usage policies for data posts.
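To make the policy points above concrete (role-based read-only access, blocking software downloads from social sites, and reporting time-on-site outliers), here is an added example of how a Web filter might encode them. It is illustrative code written for this post, not Forrester's or any product's; the domain list, group names, the 60-minute daily threshold, and the log line format are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed policy inputs (not from the original post).
SOCIAL_DOMAINS = {"facebook.com", "myspace.com", "linkedin.com", "youtube.com"}
FULL_ACCESS_GROUPS = {"marketing", "sales"}      # may post/upload media
SOFTWARE_EXT = re.compile(r"\.(exe|msi|dmg|scr)$", re.I)
DAILY_MINUTES_LIMIT = 60                          # time-based limit per user

# Constructed proxy log lines: "user group method host path minutes"
SAMPLE_LOG = [
    "alice marketing POST www.facebook.com /upload/video 20",
    "bob engineering POST www.facebook.com /status 5",
    "bob engineering GET www.facebook.com /home 90",
    "carol engineering GET www.linkedin.com /in/carol 10",
    "dave engineering GET cdn.facebook.com /files/toolbar.exe 1",
    "erin engineering GET www.example.com /docs 30",
]

def is_social(host: str) -> bool:
    """True if host is one of the social networking domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)

def decide(group: str, method: str, host: str, path: str) -> str:
    """Return 'allow' or 'block:<reason>' for a single request."""
    if not is_social(host):
        return "allow"
    if SOFTWARE_EXT.search(path):
        return "block:software-download"       # no installs from social sites
    if method in ("POST", "PUT") and group not in FULL_ACCESS_GROUPS:
        return "block:read-only-policy"        # only marketing/sales may post
    return "allow"

def usage_outliers(log_lines) -> dict:
    """Sum minutes spent on social sites per user; return those over the limit."""
    minutes = defaultdict(int)
    for line in log_lines:
        user, _group, _method, host, _path, mins = line.split()
        if is_social(host):
            minutes[user] += int(mins)
    return {u: m for u, m in minutes.items() if m > DAILY_MINUTES_LIMIT}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        user, group, method, host, path, _ = line.split()
        print(user, decide(group, method, host, path))
    print("outliers:", usage_outliers(SAMPLE_LOG))
```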