Social media use in the workplace
As tempting as it may be to block employee access to social networks and social media sites, it's not a long-term play. IT departments across many industries are under pressure to relax bans and enable access to sites such as Facebook, LinkedIn and YouTube.
The pressure is coming from multiple fronts. Sales and marketing teams want to engage and sell to customers through social computing. Users want more freedom to access personal accounts from the workplace. HR teams want to be able to recruit, hire and retain social media-savvy employees, yet they feel hampered by overly restrictive usage policies.
"A lot of businesses, small and large, are moving away from the more restrictive model of blocking social media to a more liberal access model," says Chenxi Wang, vice president and principal analyst at Forrester Research.
The challenge is finding a balance that lets companies use social media to their advantage, keeps employees productive, and ensures the network is safe.
Experts recommend starting with a plan. While many companies have adopted acceptable use policies that address appropriate e-mail and Internet usage, far fewer have adopted procedures related to the use of social media during business hours and while on the corporate network.
"The first thing organizations need to do is to look at extending their existing acceptable use policies to cover all types of Internet communications," says Bradley Anstis, vice president of technical strategy at M86 Security (which recently published a white paper with tips on how to extend usage policies to accommodate social media and networking sites).
Acceptable usage policies should address issues such as the level of access allowed. Not all employees need to post videos to YouTube, for instance, or download Facebook applications. For some groups of employees, read-only access may be prudent. Educating users about the risks associated with social media and providing guidelines related to content sharing are also critical components of an acceptable use policy.
"We need to shift away from being the fun police, blocking access to all the new tools and capabilities. We need to instead become the trusted security adviser to our organization," Anstis says. "We need to talk to the organization about how to safely enable the use of these tools and resources."
That's happening more and more -- but it hasn't always been the case. As recently as a year ago, many in IT were unaware just how pervasive the use of social computing tools at work had become. (12 tips for safe social networking.)
Wildly divergent views emerged when FaceTime Communications surveyed 1,654 IT managers and end users in early 2010. In the study, 62% of IT professionals estimated that social networking was present on their networks, while the actual data from deployed FaceTime appliances showed social networking present in 100% of cases. File sharing tools were found to be present in 74% of locations, although only 32% of IT professionals estimated that they were in use. Web-based chat was also found in 95% of locations, with only 31% of IT professional estimating that it was in use.
Going forward, the challenge for IT is to address security risks such as the introduction of malware on the corporate infrastructure via an employee's social media activity, or the inadvertent disclosure of business-sensitive information.
In addition to pure Web-based threats (malware, botnets, phishing attempts, targeted attacks), there are governance, risk and compliance (GRC) issues to consider, says John Vecchi, head of product marketing at Check Point. "Web 2.0 adds a whole new dimension of challenges to IT GRC efforts, especially as it pertains to data protection," Vecchi says. "It allows more channels for corporate information to leak out."
To regulate social media activities, IT needs to be able to enforce user- or group-specific policies (typically through integration with the corporate directory) at the application level. Web filtering tools that don't have user-level visibility would not suffice, Forrester notes. The ability to detect and block script-based malware is also important, as is the ability to analyze not only downloaded content but also posted content to ensure data policies are not violated.
At Duval County Public Schools, the school district has defined several levels of Internet access as part of its acceptable use policy. Principals and school resources officers have the widest access, including to social networking sites, says Jim Culbert, information security manager at the school district, which operates 172 schools and serves approximately 123,000 students in the Jacksonville, Fla., area.
Access controls are much tighter among other groups. For instance, staff members are allowed access to outside e-mail applications, but teachers aren't because the district wants to ensure all teacher communications with students and parents are conducted through its internal e-mail system.
The school district's content-filtering policies are tied to its Active Directory deployment and enforced via M86's Web filtering and reporting technologies. "As student or staff accounts are created and deleted or moved around, they're placed into groups and the content filter knows what these groups are," Culbert says. "We have about 400 or 500 kids move around every day in this district, so that account automation piece is critical."
While it's important to take steps to safeguard social media, IT also needs to be mindful that employees' use of sites such as Facebook, Twitter and LinkedIn can't be controlled or locked down like other aspects of the corporate infrastructure. Employee behavior and judgment can't be automated.
"Keep an open mind about what your employees are doing online," Wang recommends. "I would make users aware of the risks, and give them the tools to assess the risks associated with social media, but I would let them make their own decisions."