A blanket ban on social networking sites at work will annoy Generation Y - without being effective. There are solutions, says Rob Buckley.
The headlines seem to confirm every employer's prejudices: “Twitter costs businesses £1.4bn” and “Facebook scandal – 233 million hours lost monthly as employees ‘waste time’ on social networking”. Even the BBC advertises its Twitter and Facebook presence with “Say goodbye to worktime boredom”.
It would appear that the use by employees of social networking and Web 2.0 in the workplace is, in reality, an excuse for them not to work – or, worse still, to get jobs elsewhere.
For IS professionals, there's the constant fear that social networking is going to be a fresh way for malware to enter the enterprise. It's no surprise, then, that research by web filtering company Bloxx found over 90 per cent of IT professionals from UK public and private organisations believe access to social networking websites should be restricted or banned.
Yet many security experts think this could be a mistake. “There are two sides to Web 2.0,” says Candid Wueest, senior security researcher at Symantec. “There's nice integration with customers and it can be used as a fast information source.”
Paul Judd, UK regional director at Fortinet, also thinks Web 2.0 is useful to businesses. “There are always those who abuse privileges, but Facebook and other Web 2.0 tools are really powerful. LinkedIn is a staple of my business.”
Taking a look at that headline figure, what would the average employee be doing with those 40 minutes a day they're spending on Web 2.0 if access were banned? Would they be working? Or would they be talking to colleagues around the water cooler, emailing friends, out on cigarette breaks, using their smartphones to access Facebook, or feeling disenchanted with their employers for making them work late and not allowing them to tell their friends? They could even be working on their CV in Word. But if they're at their computer, they could at least be working at the same time in a different window.
Gartner analyst Monica Basso recommends that companies look at social networking both as a tool for the business, and also as a way to retain Generation Y employees. “Digital natives – today's younger generations who speak natively the language of computers, mobiles, video games and the internet – are protagonists for massive technology adoption and a consequent adaptation of human behaviours,” says Basso. “Future generations will drive change in workplaces and worker behaviour, attitudes, skills and styles. Organisations will need to adapt HR programmes and management styles accordingly.”
Generation Y, accustomed to the speed of Twitter, looks on email as slow. For many, YouTube isn't just a source of comedy videos: it's also a wealth of product demos and seminars to help improve performance and knowledge. Personal and work boundaries can blur, so a tool that's useful for work can be useful for personal life and vice versa.
The social networks of Facebook and LinkedIn can be valuable business assets and banning them would look as odd to some as banning email. “If I was a sales guy joining a bank, say,” says Chris Batten, MD of Acumin, “I would expect LinkedIn to be a tool I could use for networking. If it was blocked, I would perceive that as narrow-minded.”
Ari Juels, director of RSA Laboratories, says employees who find a tool useful enough will simply work out a way round most security measures. “They'll come up with more devious and dangerous ways of getting what they want. If they work from home via a VPN, they'll turn it off. They might fire up a VM on their laptop or use proxy servers. People get very creative.” Such measures inevitably bypass security systems, a greater risk than access to the sites would create.
There are also advantages to the business in enabling employees to access Web 2.0. Some of these advantages can be as simple as perks for employees, to compensate for other problems a company might have. One large retailer, with a remote HQ, had few shops nearby. One of the perks the company decided to offer was an ‘open access’ policy to online shopping and Web 2.0 sites, so that employees had something to do and could use their break times to continue their personal life. Being in a remote location became less of a problem.
Local authorities often take advantage of people's openness about their private lives on Bebo, Facebook and Friends Reunited to conduct research into fraudulent benefit claims. Salespeople use sites such as Facebook and LinkedIn to network, get new contacts and recommendations from existing contacts, and generate leads. Marketing people use Twitter and Facebook to interact with customers, promote the company, get opinions on it and make it seem more human. Some small businesses reported a surge in customers during the recession, brought in by word of mouth on social networks. “I tweet a mixture of business and home things, so I'm seen as more a rounded individual than a company twonk,” says Nigel Hawthorn, EMEA marketing VP at Blue Coat Systems.
A project on University of Leicester students demonstrated how valuable Twitter can be. The study found it a useful tool for developing peer support, with activity rising prior to assessment deadlines or exam revision; creating personal learning networks, often in situations when they were physically isolated from peers; and arranging social meetings. The researchers found Twitter attractive as a data collection tool for recording the student experience and assessing it using free online analysis tools.
Indeed, there are now HR departments using Facebook to keep employees up to date with information, to contact them, receive information from them, and to organise meetings. The fact that so many ‘Generation Y’ and indeed ‘Generation X’ employees already know how to use Facebook in their personal lives can save companies the cost of training employees to use a new application.
However, Web 2.0 shouldn't be used by employees if it is insecure. What are the best ways of defending against Web 2.0 attacks? Web 2.0 traffic almost always arrives on port 80, the same port used by all other web traffic, so a standard port-based firewall cannot single it out for blocking.
Sending web traffic via a proxy makes it easier to forbid access to particular sites or to block certain kinds of traffic. Software and services that inspect content, such as those from Blue Coat, Fortinet and Clearswift, are a better bet.
“The big difference between Web 1.0 and 2.0 is that Web 1.0 was one-way. We monitor both ways. We can look at the content going out and make sure it doesn't contain confidential information,” says Richard Turner, Clearswift's CEO. “We can protect against downloads, and work at a fine-grain level.” In Facebook, this can include restricting the use of apps, the changing of profile pictures and preventing uploads. Companies can also set up policies so that only specific users can perform certain tasks and access be only allowed at certain times.
With Web 2.0 being a browser-based technology, focusing on browser security is one of the key requirements of adoption. “It's the common mantra – keep patched and up-to-date,” says Mike Shema, security research engineer at Qualys. “AV companies are starting to look into browser-based attacks.”
Rick Caccia, VP of product marketing at ArcSight, says using Google Chrome has its advantages, since Google has designed it for web apps and it has better measures to prevent cross-site scripting – although no single browser is better than others. The important thing, says Tim Orchard, principal consultant at Activity IM, is that the desktop be locked down, and the user isn't using admin privileges, so if there is a problem, the computer won't be taken over. “It's all about defence in depth, not about firewalls. You have to look at the architecture of the network in general.”
Fortinet's Fortigate Fortimanager will analyse logs for auditing. “It correlates all information in a human-usable interface, and it will hook into AD user names,” says Fortinet's Paul Judd. With details of 1,300 applications that can be controlled at a granular level, the Fortinet software allows MSN messenger, for instance, to be blocked from using too much bandwidth or sending files. At the very least, it's possible to monitor who has been using certain sites, for how long, and how actively. “One client we had was distinctly underwhelmed. Employees were being considerably less than productive. But people have been laid off, there are now fewer people doing the same work and most don't have the time to be unproductive,” says Judd.
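The monitoring Judd describes, who has been using which sites, for how long and how actively, can be approximated from ordinary proxy access logs. The script below is an added example and is not Fortinet's or any vendor's code; the log format (ISO timestamp, AD user name, destination host, bytes) and the sample lines are constructed for illustration. Requests from one user to one site are grouped into a session while the gap between them stays under an idle timeout, so the "active minutes" figure reflects browsing time rather than raw request counts.

```python
"""Summarise who used which social sites, for how long and how actively,
from web-proxy access logs. Added example, not a vendor's code; the log
format and the sample lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <AD user> <destination host> <bytes>"
SAMPLE_LOG = """\
2009-11-02T09:01:10 CORP\\jsmith www.facebook.com 5120
2009-11-02T09:01:40 CORP\\jsmith www.facebook.com 20480
2009-11-02T09:03:05 CORP\\jsmith static.ak.fbcdn.net 102400
2009-11-02T09:15:00 CORP\\jsmith www.facebook.com 4096
2009-11-02T09:02:00 CORP\\akhan www.linkedin.com 8192
2009-11-02T09:04:30 CORP\\akhan www.linkedin.com 8192
2009-11-02T10:30:00 CORP\\akhan twitter.com 2048
2009-11-02T09:20:00 CORP\\jsmith intranet.corp.example 1024
"""

# Map hostnames (including the sites' CDN domains) to the site they belong to.
SITE_DOMAINS = {
    "facebook.com": "Facebook",
    "fbcdn.net": "Facebook",
    "linkedin.com": "LinkedIn",
    "twitter.com": "Twitter",
}

IDLE_TIMEOUT = timedelta(minutes=5)  # a gap longer than this ends a browsing session


def classify(host):
    """Return the site name for a host, or None if it is not a tracked site."""
    for domain, site in SITE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return site
    return None


def parse_log(text):
    """Parse log lines into (timestamp, user, host, bytes) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, nbytes = parts
        try:
            records.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
        except ValueError:
            continue
    return records


def summarise(records):
    """Per (user, site): number of sessions, active minutes, request count and bytes.

    Requests by the same user to the same site form one session while the gap
    between them stays under IDLE_TIMEOUT; a lone request counts as one minute.
    """
    by_key = defaultdict(list)
    for ts, user, host, nbytes in records:
        site = classify(host)
        if site:
            by_key[(user, site)].append((ts, nbytes))
    summary = {}
    for key, events in by_key.items():
        events.sort()
        sessions, active = 0, timedelta(0)
        start = prev = None
        for ts, _ in events:
            if prev is None or ts - prev > IDLE_TIMEOUT:
                if start is not None:
                    active += max(prev - start, timedelta(minutes=1))
                sessions += 1
                start = ts
            prev = ts
        active += max(prev - start, timedelta(minutes=1))
        summary[key] = {
            "sessions": sessions,
            "active_minutes": round(active.total_seconds() / 60, 1),
            "requests": len(events),
            "bytes": sum(b for _, b in events),
        }
    return summary


if __name__ == "__main__":
    for (user, site), s in sorted(summarise(parse_log(SAMPLE_LOG)).items()):
        print(f"{user:14} {site:9} sessions={s['sessions']} "
              f"active_min={s['active_minutes']} requests={s['requests']} bytes={s['bytes']}")
```

Because the grouping is keyed on the AD user name the proxy recorded, the output lines up with the directory rather than with IP addresses, which is what makes the figures usable in a conversation with HR or a line manager.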
With many Web 2.0 security threats arriving via redirects, software and services from companies such as Blue Coat and Sunbelt that can prescan URLs for malicious behaviour can be extremely useful.
Alexandru Catalin Cosoi, senior researcher at BitDefender, suggests simple education may be the best way forward. “Make them aware. Tell them to stay on Twitter and not to click a URL from anybody. If you're worried about Facebook productivity, tell them they can play games, but only for ten minutes at a go.”
Rules also need to be drawn up for less obvious aspects of Web 2.0 usage. With the personal and professional blurring on such sites, usage for work of Facebook, IM et al requires some thought about the implications of personal information being drawn into the professional world.
“One woman was providing customer support from her personal IM account. However, her screen name was something like Sexygal123. It didn't appear very professional,” says ArcSight's Caccia. Fortinet's Judd says companies need to work with employees to make sure they understand how to ensure messages are appropriate and that information they post won't compromise the company.
Despite most companies' policies, total bans on Web 2.0 are only likely to turn people away, rather than stop infections.
With more liberal attitudes reinforced by acceptable usage policies in contracts, education and technology, Web 2.0 technologies can be largely secure tools for business.
Do social networking sites take security seriously?
While undoubtedly there is malware being spread through Web 2.0, that's also true of email, instant messaging and other systems. These are all rightly regarded as suitable for enterprise use, provided precautions are taken. But are site hosts doing enough to ensure their systems are secure?
Says Simon Axten, privacy and public policy associate at Facebook: “We devote significant resources to helping users protect accounts and information. Facebook was named one of the top ten most trusted companies in an independent survey by TRUSTe and the Ponemon Institute.”
Axten says the company has built numerous defences to combat phishing and malware, including automated systems that detect and flag Facebook accounts likely to be compromised. These work by looking at anomalous activity such as large numbers of messages sent in a short period of time, or messages with links known to be bad. Once a phony message is detected, Facebook deletes all instances of it across the site.
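The two heuristics Axten describes, an unusual volume of messages in a short period and messages carrying links already known to be bad, together with the follow-up of removing every copy of a detected message, can be sketched in a few dozen lines. The code below is an added example and is not Facebook's own code; the message records, account names and the bad-domain list are constructed placeholders, and the burst threshold is an assumption.

```python
"""Flag accounts that look compromised from their outbound message stream:
a burst of messages in a short window, or a message carrying a link on a
known-bad list; then find every copy of a flagged message for removal.
Added example, not Facebook's code; all data below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed known-bad domains (placeholders, not real indicators).
BAD_DOMAINS = {"badsite.example", "flash-update.example"}

BURST_LIMIT = 5                      # this many messages ...
BURST_WINDOW = timedelta(minutes=2)  # ... within this window raises a flag (assumed thresholds)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: (timestamp, account, text). 'victim' blasts the same
# link six times in 25 seconds; 'alice' sends six messages spread over an hour.
SAMPLE_MESSAGES = [
    (datetime(2009, 11, 2, 12, 0, 5 * i), "victim",
     "lol check this video http://badsite.example/video.php?id=1") for i in range(6)
] + [
    (datetime(2009, 11, 2, 12, 10 * i), "alice", "anyone for lunch?") for i in range(6)
] + [
    (datetime(2009, 11, 2, 12, 30), "bob", "quarterly report: http://www.example.org/report"),
    (datetime(2009, 11, 2, 12, 0), "carol", "new player here http://www.flash-update.example/install"),
]


def extract_hosts(text):
    """Lower-cased hostnames of every URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_bad_host(host):
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def detect(messages):
    """Return {account: sorted list of reasons} for accounts that trip a rule.

    Messages are processed in time order; a per-account deque holds the
    timestamps inside the sliding BURST_WINDOW so the rate check is O(1) per message.
    """
    flags = defaultdict(set)
    windows = defaultdict(deque)
    burst_reason = (f"burst: {BURST_LIMIT}+ messages within "
                    f"{int(BURST_WINDOW.total_seconds() // 60)} min")
    for ts, account, text in sorted(messages):
        for host in extract_hosts(text):
            if is_bad_host(host):
                flags[account].add(f"known-bad link: {host}")
        q = windows[account]
        q.append(ts)
        while q and ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_LIMIT:
            flags[account].add(burst_reason)
    return {a: sorted(r) for a, r in flags.items()}


def normalise(text):
    return " ".join(text.split()).lower()


def find_copies(messages, flagged_text):
    """Indices of every message whose normalised text matches a flagged message,
    so all instances can be removed site-wide, not just the one that was reported."""
    target = normalise(flagged_text)
    return [i for i, (_, _, text) in enumerate(messages) if normalise(text) == target]


if __name__ == "__main__":
    for account, reasons in detect(SAMPLE_MESSAGES).items():
        print(account, "->", "; ".join(reasons))
    print("copies of victim's message:", len(find_copies(SAMPLE_MESSAGES, SAMPLE_MESSAGES[0][2])))
```

The two rules are deliberately independent: a burst of harmless messages or a single message with a bad link each raises its own reason, so an analyst sees why an account was flagged rather than a bare score.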
Axten adds: “We also block malicious links from being shared and work with third parties to get phishing and malware sites added to browser blacklists or taken down completely.”
The company is also working with others: it collaborated with Microsoft to push a solution to the Koobface virus to users through Windows Update. “Most of these defences are invisible to users, and while malicious actors are constantly attacking the site, what you see is actually a very small percentage of what's attempted.” Facebook has dedicated security and legal teams to investigate spam, phishing, and malware campaigns. In October, it won $711 million in a suit against spammer Sanford ‘Spamford’ Wallace.
When a security issue involving an application is reported, Facebook notifies the developers and works with them to get it fixed. Depending on the severity of the issue and the responsiveness of the developer, Facebook may also remove the app's access to the site until the issue is resolved.
Most security companies agree Facebook and others are making reasonable efforts to combat attacks and to respond quickly to weaknesses. Muktadir Khan, European sales engineer at Sunbelt Software, says most threats coming through Web 2.0 are links to other, compromised sites. URL shorteners such as bit.ly obscure the nature of these sites, and Facebook et al should be encouraged to resolve these – or prevent postings.
How cybercriminals take advantage of Web 2.0...
Although many ISPs regard Facebook, Twitter et al as inherently dangerous, there have been very few vulnerabilities found in the sites themselves. Instead, Web 2.0 sites are generally used by scammers to find out information or to direct the unwary to sites that do have problems.
“People are sharing information that's sensitive and private,” says Candid Wueest, senior security researcher at Symantec. Although this information can be restricted, Facebook applications, for example, ask for access to all personal information before they can be installed. An application that's harmless in and of itself could be a Trojan Horse for a social engineer's data mining operation.
Some people also put up information in their Facebook statuses or on Twitter that seems harmless but gives attackers vital information. “If someone says they're off on a firewall course by vendor X, you know what brand of firewall they have,” says Wueest. An RSA researcher scoured LinkedIn and correlated the timing of people's profile updates with problems at particular companies.
Malware is more likely to come from other sites than from the likes of Facebook and Twitter, which have so far proved remarkably secure. Scammers now try to propagate links throughout the Web 2.0 world that lead to infected sites. The most famous attack via Facebook so far, Koobface, sent messages from PCs infected with the worm to anyone who was friends on Facebook with the owner of the PC. This message claimed to link to a video, which would pretend to require an update to Adobe's Flash Player. If the user clicked to download it, their machine would be infected with Koobface. Koobface variants have propagated through MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.
While Facebook and MySpace will let people know when they are leaving the site, this won't stop people from clicking the links. The arrival of Twitter with its 140-character limit has made things worse, since URL shortening services such as tinyurl.com and bit.ly have become popular, and users are now used to clicking on links they don't recognise. As a result, most organisations don't allow Twitter apps on corporate desktops.
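Both Khan's point above (shorteners obscure where a link really goes, so the destination should be resolved) and the pre-scanning of URLs mentioned earlier come down to following the redirect chain hop by hop without ever fetching the final page. The code below is an added example, not code from any site or vendor named on the page. The redirect table standing in for live HEAD responses and the blocklist are constructed; `expand` uses that table by default, while `http_head` shows the equivalent single live HEAD request with redirects disabled, for use on a real gateway.

```python
"""Expand shortened URLs through their redirect chain and show the final
destination before anyone clicks. Added example, not code from the page's
vendors or sites; the redirect table and blocklist below are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com"}   # hosts whose links are always expanded
BAD_HOSTS = {"flash-update.example"}     # constructed blocklist placeholder
MAX_HOPS = 10

# Constructed table standing in for live HEAD responses: url -> Location (None = final page).
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://www.flash-update.example/player.exe",
    "http://www.flash-update.example/player.exe": None,
    "http://bit.ly/good": "https://www.example.org/blog/post",
    "https://www.example.org/blog/post": None,
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
    "http://tinyurl.com/rel": "/landing",            # relative Location header
    "http://tinyurl.com/landing": None,
}


def fake_head(url):
    """Offline stand-in for http_head: look the URL up in the constructed table."""
    return FAKE_REDIRECTS.get(url)


def http_head(url, timeout=5):
    """Live variant: one HEAD request with redirects NOT followed.
    Returns the Location header for a 3xx response, None for anything else."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None
    except urllib.error.HTTPError as e:
        if e.code in (301, 302, 303, 307, 308):
            return e.headers.get("Location")
        raise


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects hop by hop. Returns (chain, status); status is
    'ok', 'loop' or 'too_many_hops' and chain lists every URL visited."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = head(chain[-1])
        if location is None:
            return chain, "ok"
        nxt = urljoin(chain[-1], location)   # resolve relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def assess(url, head=fake_head):
    """Expand the link and decide: unresolvable chains and blocklisted final hosts are blocked."""
    chain, status = expand(url, head)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    bad = any(final_host == h or final_host.endswith("." + h) for h in BAD_HOSTS)
    return {
        "shortened": (urlparse(url).hostname or "").lower() in SHORTENERS,
        "chain": chain,
        "status": status,
        "final_host": final_host,
        "verdict": "block" if (status != "ok" or bad) else "allow",
    }


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://bit.ly/good", "http://bit.ly/loop1"):
        r = assess(link)
        print(f"{link} -> {r['final_host']} [{r['status']}] {r['verdict']}")
```

Using HEAD rather than GET means the gateway never downloads the payload it is checking, and capping the hop count while tracking visited URLs stops a hostile chain from tying the resolver up in a loop.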
...and how corporates get flexible but stay secure
It seems everyone wants an iPhone. If not, they want a netbook, either from Tesco or free with a contract for a 3G dongle from a mobile phone company. Once they experience the internet everywhere, people tend to want that flexibility in their working life as well. How best to give it to them, while remaining secure?
David Emm, senior technology consultant at Kaspersky Lab, says “the key issue is that smartphones are easy to mislay or be stolen. Transport for London finds 100,000 mobiles left on tubes and buses.” He advises authorising a specific range of models of phones and laptops. If an employee wants to use their device for work, they can do, provided it has a standard corporate build or set of apps. This build may include anti-virus and other security software, although cloud-based technologies may make that unnecessary. Encryption should be mandatory. “You should also be able to lock the data and decrypt remotely as well,” Emm says.
Organisations should also look into software and devices that support ‘smart policies’, such as Fortinet's FortiClient, which enforces corporate security policies for working remotely. If a device isn't being used on corporate property, it should be governed by stricter security measures that are triggered automatically. When returning to the business, the devices should go into a ‘quarantined’ area to be checked for malware.
There are alternatives. Depending on the device's sophistication, it may be possible to run a virtualised desktop on it. By running the desktop on a server that is accessed remotely, no data ever leaves the company to end up on the device, and malware on the device can't be passed on to the corporate network. With Citrix, for example, offering its Receiver app on iPhones, BlackBerry and Symbian smartphones, Macs, Linux and Windows PCs, laptops, netbooks and thin clients, almost any device can be used with corporate systems with minimal security risk.
Keyloggers and over-the-shoulder monitoring (“shoulder surfing”) are the only real security issue. Anti-spyware should prevent keyloggers, while training should make employees monitor what's going on around – or behind – them.
Case study: BT's cautious welcome for Web 2.0
There are few people who can boast of having as many as six CSOs reporting to them, but Ray Stanton, global head of BT's business continuity, security and governance practice, is one. BT's IT infrastructure is among the largest outside the US Department of Defense.
Stanton says allowing employees to access Web 2.0 is important to BT. “Our perspective is that we are invested in the principle of innovation and that requires the enablement of our people.” Web 2.0 enables BT's employees to stay connected and negotiate their social life at the office while still working – which can help with the long hours.
Says Stanton: “We have instant messaging with Communicator, which gives us the ability to connect with external parties. But my wife works at IBM and I can contact her via IM.”
BT's research division saw the advent of Web 2.0 a number of years ago, Stanton says, so was able to plan what it needed to do. Part of the decision was to invest in cloud-based anti-virus as well as Blue Coat technology that allowed filtering of specific apps. “What we've done is layered up the technology. So you can't video, file transfer or do voice calls to other organisations” using IM, but employees are still able to use it for communication. Similar techniques are applied to Facebook, Twitter etc.
BT also ensures that mobile and home workers are able to use Web 2.0 technology securely. It has a policy-enforcement system called e-census on all BT property. Anyone wanting to use their own equipment is allowed to do so, provided they have a standard BT build installed on it.
To ensure everyone understands the security implications of using Web 2.0, there is an education programme. All staff have to complete an online test each year on what to do and what not to do. Employees are reminded not just of the effect of security breaches on the company, but also on themselves.
The usage of applications is governed by employee contracts, with agreed punishments for breaches of rules. The terms are agreed between unions, the company's legal department and HR to ensure they're relevant. User groups provide feedback. “It's all about fuzzy boundaries, and how you work with them,” says Stanton.