About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years of experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Thursday, June 24, 2010

Banning Facebook is waste of time, Gartner says

Betty White stated on SNL that Facebook was a big waste of time.  Having teenage children I find it is fun to them, a waste of time though, but also an opportunity for dad to teach them about protecting confidential information.  They don't realize what they put out there is visible to the world and there to stay.

According to a Gartner Inc. social media security expert, banning Facebook, and other social networking services like LinkedIn and Twitter, is an exercise in futility. To boot, securing social media in the enterprise is not a responsibility that should fall to information security teams.

Tuesday at Gartner's Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control of, or even block its use is akin to monitoring employees' home phone calls and rifling through their postal mail.

Do you agree with that assessment?  I believe if an organization wants to block direct access to these sites it can be done, but should they?  Each CEO has to ask himself/herself what benefit does allowing your employees access to these sites bring, or what benefit blocking them brings.  At the root of it is staff productivity, and security isn't responsible for monitoring and managing the productivity of the organization - right?

Some of these same arguments exist in organizations around whether employees should have access to the internet.  Employees shop online at work, follow sports, and the list goes on.  This again is around staff behaviors, not security.  I say the most viable strategy for managing social media is a governance policy that clearly defines what an enterprise wishes to control and what behaviors are expected. Ultimately, it's a communications policy, which can be enforced by security teams, but must be defined by other business groups like marketing, communications, public relations or the CEO's office.

Risk management really needs to address this topic.  Clarify the ownership of the risk - you might manage it, but you're doing so on behalf of someone else. Define the deliverables, metrics … define current usage patterns. These social media networks need to be monitored though - who is going to do that?  Who is going to find what your employees are posting out there about the company, or company secrets?  When you do find something out there in violation of the policy - what is the action required?  I don't see many organizations that have a clearly defined social networking policy for the workplace.

Do you find Facebook of value to the company?  Is allowing employees to have access to this media really a game-changing value?  Does it give you a competitive advantage?  Perhaps those employees that argue the value are the biggest users of these sites?

If you don't have a written acceptable use policy for social media sites, and you manage to that policy - block them.  If you don't have the means of monitoring them, if you don't have data leak prevention tools - block them.  You need to have the safeguards in place before letting enterprise users go wild on Facebook.  Security is a concern with these sites.  Malware, viruses, identity theft, and the list goes on.  I know of several friends that had their accounts compromised on Facebook. Is it worth it?

Personally - I find Facebook a big waste of time.

1 comment:

  1. There is no legitimate business need for employees to have access to Facebook, Twitter or MySpace. This craze for social media is a productivity drain in the organization. The risks far outweigh the value to the company, employee or customer. There are some consumer-based technologies that need to remain just that - consumer only.

    Block it all and focus on business - making a great product at a fair price with high quality and value. Anything that takes away from that is waste.
