Security risk or marketing win? During a recent SC roundtable, a number of industry gurus gave their opinions on the dilemma of giving employees access to social media.
Paul Fisher, editor, SC Magazine
I guess it might be an idea to find out if any of you use – or sanction the use of – Web 2.0 or social networking.
Neil Jarvis, CISO, DHL Supply Chain
Principally, it is controlled by HR, which sets the Internet Acceptable Usage policy. Some policies say ‘no’, some do not say anything. There is a drive by corporate commerce to make more effective use of social networking, but where is the benefit? I can see, from our external case supervisions, there being good reasons. But, from an internal ‘staff perspective’, having them using social networking – that is still not quite understood.
Russell Poole, sales director, 2E2
Speaking to our customers, what we are seeing is a phase where people are automatically restricting access to social networking sites. But people are using hand-held phones to access these. Twitter and Facebook are also being used as marketing tools by business and it slowly creeps out into the workforce from that.
Bronwyn Boyle, director, information risk management, Barclays
Some parts of our business are really active and are using social media to foster communications with customers and to build social networks around our core sponsorships. We have a Barclays football page on Facebook with 23,000 fans. That is being used to build up the football community. We have developed a policy to state how users should behave when engaged in social media. Apart from the business element, the problem is that most employees are using social media outside work, and it can always be linked back to Barclays, so we need to manage the risk from that perspective.
Caroline Ikomi, technical director, Check Point
We do not want to do anything to damage our reputation. There is a lot of positive stuff but, by the same token, there is a lot of fear. Getting a policy out seems to be a really big thing at the moment, just getting a policy.
Rick McConnell, chief security officer, Euroclear
You cannot stop people using these social media. The point is getting people to articulate, precisely, what it is that they are bothered about. It is just another medium. Are we simply overreacting? If you try and say ‘no’, you'll find Generation Y is brighter and smarter than you are. You cannot walk round as if you are in some gulag. It is like going back to school and fussing about the length of a skirt or a haircut. It's not going to happen.
Paul Fisher
One issue often mentioned is employees bringing the company into disrepute on the social sites. There will be comments that are, perhaps, inappropriate. For an organisation focused on its image and its media, having anything like that is a real challenge. Education is key: you must use that completely separately. It has nothing to do with the work environment.
Rick McConnell
The division between work and home is eroding now. People like me first encountered technology in the workspace. Now, my granddaughter has got Facebook and Twitter at home. She is only two! OK, I am joking, but I am sure it will not be long before she has a page on Facebook. You cannot draw a boundary for those people, or at least, one that you can control.
Paul Fisher
Some people are using Facebook and Twitter to humanise the public face of a business. They actively encourage people to send out marketing messages that say, ‘Oh, I am late for work’, or some trivia to make it look as if this company has a human face. Is that something any of your businesses would do? And is it a good thing?
Rick McConnell
For the marketers, the classic argument would be that you have to exploit every route to market. You have got to use it.
Paul Fisher
The marketers and the PR community are the ones leading the charge, are they not? That might not gel with what you, here, are trying to do.
Neil Jarvis
Who are the marketers trying to target? The general public or the business users? The majority of people who are tweeting are doing so from home or from their personal devices. Who are they pitching their messages at? Is this selling corporate technology?
Paul Fisher
It's a bit of both, isn't it?
Bronwyn Boyle
It is not necessarily just about selling. It is also about building communities. Some of our sites are really about helping customers help each other. It is a forum for customers to share their experiences and help each other out.
Caroline Ikomi
We have done a lot of that, setting up forums for people to join, which we do not control in any way. Obviously, we will not let anything that is completely defamatory go out on them, but they are not moderated as such. If somebody comes along and says ‘You are not delivering a service’, we will not stop or alter that. Internally, we will go and look at why they are saying that, but it is about setting up communities for our users to be able to communicate through.
Bronwyn Boyle
It would be interesting to find out what proportion, at senior management level, are engaged in social media themselves. It has not permeated all tiers of the organisation. If they rolled their sleeves up, mucked about with it, and familiarised themselves with the operation of it, it might be easier for them to understand the opportunities it offers.
Rick McConnell
There is some really interesting work being done by the OSCT (Office of Security and Counter Terrorism), in their attempt to counter radicalism. Anything that is government or official is rejected, but they do brilliant stuff on Twitter and Facebook, precisely to get to the kids in a way that allows them to, at least, listen to the message.
We are guilty, as part of the security profession, of not paying enough attention to what other professional communities are doing. We have perhaps slightly closed minds. We talk to each other, as opposed to someone in a child protection agency, for instance.
Paul Fisher
We are seeing this as something that should either be stopped or allowed. What are the dangers of Facebook and Twitter? As security professionals, what concerns you?
One is the obvious issue of bringing your company into disrepute. But also there is still a channel for information to leave the organisation, or, indeed, for information to come into it that we do not want to come in. If you look at most sites, they have the ability to have embedded email and attachments.
Bronwyn Boyle
Because the whole premise of the networking side of social media is all based on trust relationships, once one link is compromised, suddenly there is a minefield of information that is available. Even just general security practices, like making sure people do not use the same passwords for multiple social networking sites, and ensuring that they are diligent about how they run security, are really important too.
Neil Jarvis
While the perception is that social networking is similar to email, you can filter an email to make sure it does not go to 10,000 people. If you have 10,000 followers on Twitter, you have got 140 characters that instantly go to 10,000 people. The impact of that is far larger than sending an email to six people.
Paul Fisher
Could virtualisation help mitigate threats? Could you use a virtual desktop to access Facebook, Twitter etc?
Neil Jarvis
It does not prevent the information leakage necessarily; it could almost ‘air-gap’ the social networking application from the corporate desktop. A technology like Citrix or Windows Remote Desktop could be deployed on a server in a demilitarised zone. The users run a browser session on this server, and access their social media app from there.
Paul Fisher
Ultimately it's a balancing act between security, which is vital, and treating your staff well, which is desirable. Some companies have a highly mobile workforce. If people want to get access to personal mail when they are using corporate systems, that exposes the company significantly. They want to give staff the capability to pick up their personal mail because, when they are in Ulan Bator, say, it is difficult for them to run their normal lives without that access. It is basically about giving them that access in a secure manner. It is about the organisation recognising that people do have lives. A scary thought, but…!