CIO

Does Social Networking Require User Policy Changes?

Some IT security experts say it's time to build new rules into computer use policies to address increasing use of such social networks as Twitter, Facebook and LinkedIn. But others say such changes could go too far.

IT security administrators have had a fairly easy case to make against such social networking sites as Myspace in the past. Myspace in particular tends to be a place for the mostly personal, and some profiles are simply front companies for online mobsters and malware pushers.

Malware pushers are also alive and well on such sites as Facebook and Twitter, but these sites present a special challenge for IT security execs. Both applications, along with the likes of LinkedIn, are used heavily for business networking.

And while LinkedIn is almost all business, Facebook and Twitter straddle an increasingly squishy line between the personal and professional. Online outlaws understand this and are trying to do on these sites what they have done on Myspace.

These developments have security practitioners like Robert Fitzgerald -- a Boston-based digital forensics investigator and president of The Lorenzi Group LLC -- pushing the corporate world to update policies for what employees can and can't do when using company computers online. Since most company user policies don't mention the growing array of social networking sites specifically (there's typically broad language forbidding things like surfing porn sites), Fitzgerald believes companies are opening themselves to lawsuits where the plaintiffs can successfully claim that users weren't expressly forbidden from trolling Facebook on work machines.

"Most user policies are 100 years old, with language like 'no personal e-mail and no surfing the Web,'" Fitzgerald said. "Well, today it's impossible to conduct business without being on the Web. The Internet has hit employees like a tidal wave, and if you put rules in place it'll help people understand what not to do online and make everyone more aware more quickly of data breach risks."

Of course, others believe it's a mistake to get too specific with user policies. A big reason is that technology is constantly changing, and tweaks made for today's social networking craze may become obsolete in a year or two as some new gray program comes along.

With that in mind, CSOonline conducted an informal poll -- ironically via LinkedIn -- asking security pros if it makes sense to update user policies as Fitzgerald suggested.

The question: Does Twitter/Facebook/LinkedIn etc. require a change in company policies for network usage?

The response:

"Yes, too much information can be gained from the data users post." Joey Hernandez, senior consultant at Delta-Risk LLC, reserve consultant at Jacobs Technology and communications officer for Information Operations at Texas Air National Guard, San Antonio, Texas

"Yes, policies need to be created that lay ground rules for employee use while at work and when representing the company outside of work." Phil Agcaoili, Information Security, Risk, Privacy, & Compliance Executive, CISM, CISSP, Austin, Texas

"Yes, it has been my experience that most & were written years ago and are not current with technology. Unless an institution has an aggressive program of policy review, they rapidly fall out of relevance to the current environment." Robert Myles, director, information security, CISO at Texas Health Resources, Dallas.

"Policies ultimately represent the corporate culture and will either be loose, tight or, as most companies are, somewhere in between. The underlying theme I have seen with most policies is 'The network is company owned, monitored and to be used for business purposes.' Therefore it is pretty broad and allows individual employees to define whether new toys or tools should be classified as a business purpose or not. My take on this is that organizations should not be changing their policies, as policies should be able to withstand new faddish toys/tools that enter the marketplace. Yet I do believe organizations should change their enforcement procedures to meet current impacts to the organizations. For example, blocking social sites is not a bad thing if productivity loss is great enough to impact the output of the organization. This very well could be a culture change where Internet usage was loosely allowed, but due to a high demand on the network and loss of productivity from social sites they need to be blocked. The counter to this is that it could be a productivity increase if someone updates one of the social sites stating they are working vigorously on a very important project that will show enormous returns for the company. This may result in fewer walkups, phone calls and distracting text messages as people will recognize the individual is hard at work. My conclusion is that if the culture already exists and the policies reflect the culture then there should be no need for change in policy and only change in enforcement actions. Yet if the culture and the policies have a degree of disparity then I would say there is a need for a change." Michael Leigh, owner, BrokenArrow Security, Austin, Texas

"Having worked with many organizations, I agree there's a broad range of policies and enforcement, which reflect the culture of the organization. There is also a broad range of abilities to detect usage down to the individual level. It is best to have a broad high-level policy that should be changed as little as possible. Use of tools you mention, Twitter and Facebook, can be invaluable for recruiters and can also be used by managers. There are many warnings out to individuals that information can be and is used by companies for screening potential candidates and for understanding current staff. Some companies use these tools to keep up with customers, both contact and desire, to help modify strategic plans or marketing programs. Therefore these tools are considered business use. Many organizations permit reasonable personal use as a productivity enhancer. If a person can get their errands done online from their desks they are less likely to take long breaks and can be readily reached should the need arise. There are tools that can be configured to block or allow based on roles or timeframes. With these tools a very broad policy can be implemented and enforced, such as: It is the policy of the company that computer resources are company owned, monitored, and usage is restricted to business purpose (can be added that reasonable personal use is allowed as approved by management). This broad type of policy is already in place for most organizations meaning that no change is required to policy, again as Michael mentioned. This is then backed up with awareness training and consistent enforcement. Should problems arise that impact resources, then the company must determine if more stringent detection and enforcement capabilities must be implemented. The cost of these tools and processes must be weighed against potential or realized risk. Once shown to be cost effective, implementation of role and time-based filtering/blocking tools along with appropriate processes and awareness training would then be the change resulting from the introduction of these online tools." Patricia George, independent security executive, former corporate information security director at Harley-Davidson Inc., Washington D.C.

"There is a lot to consider when companies tweak their social networking policies. We want to embrace social networking, but there has to be a balance. We need to protect our clients, our employees, and our reputation as a company. They previously did not permit even anonymous blogging about their company. I personally think that enforcing a policy on this with your users would be challenging. Rather, I feel that the company should be using this information -- and more importantly, meta-information and trending -- from these tools as an internal tool. Consider this another metric or barometer for employee health and welfare. As the data in this profile changes and develops -- consider conducting internal reconnaissance as if you were a competitor, just like recon for a social penetration test. Determine what information is available and posted." Dan Holt, co-founder and CEO of HEIT, Inc., Fort Collins, Col.

"I think how you use it is more important than when, though I can imagine there are folks who may need structure. The how: Making the distinction clear as to when you are speaking for yourself or on behalf of your employer is a most important nuance. And of course, you get to own your words (forever), as they will come back to visit you downstream, in any number of contexts." Christopher Burgess, senior security advisor, Cisco Systems, Seattle area

"The crew at the DataPortability Project are working on universal EULA and TOS language for portable data, so perhaps pinging them might help. In my opinion, social networks are a valuable component of the working world today. I agree that they're too new to be fully understood (and secure), but it's hard to ignore them until they are. I see engagement along the lines you're exploring as being a significant part of the dialog." Trent Adams, outreach specialist at Internet Society, officer at dataPortability.org, Boston area

"How are the problems it poses significantly different from Web forums or even BBSes before them? It seems like it's the same as any public forum -- know your company's IP policies and know how far you can trust a person is who they say they are." Chuck Meyer, independent Web app security specialist, New York area