Risks associated with employee use of Facebook, Twitter and other social media websites social media shouldn’t really be considered the primary responsibility of the IT security department, a Gartner analyst said Tuesday.
National Harbor, Md. -- Risks associated with employee use of Facebook, Twitter and other social media websites social media shouldn't really be considered the primary responsibility of the IT security department, a Gartner analyst said Tuesday.
There are many risks in social media, including loss of reputation and possible liable suits when employees blab or posts photos and videos about what they shouldn't. There are also risks of malware, identity theft, phishing and privacy breach of sensitive data.
But after posing the question "Is it the job of the security organization to manage those issues?", Gartner analyst Andrew Walls answers that the risks of social networking are tied to individual behavior that takes place outside the infrastructure boundaries of the organization and carries with it issues related to content and freedom of speech.
"People say inappropriate things in these environments, so clearly we have some security problems here," Walls said, speaking on the topic at the Gartner Security & Risk Management Summit 2010. But setting policy guidelines related to the conversations of others from an organizational perspective is not the job of IT security but of business managers, says Walls. "It's a personnel management issue."
Walls said IT security managers are probably making the wrong move when they rush into a business manager's office warning about the dangers of social media and the need to block it. That business manager probably has four e-mail accounts and uses Facebook, and will be wondering why the IT security manager doesn't want to support it.
But the larger issue is that the burden of determining policy should fall to personnel managers, who should be looking at social networking in the same context as they do when it comes to talking to the press, says Walls.
"It all starts with governance. Social media posts are public speech, governed by PR, marketing and human resources, not security," says Walls. He advises extending corporate communication policy to cover not just the press and media, but social networking. He added it may take a corporate lawyer to make sure the policy is in accord with local laws.
In all likelihood, though, it will be the "most valuable people in the organization" who will demand and need social networking the most, Walls argues.
Blocking social networking through policy and technical means such as Web security gateways appears to still be the predominant practice but may be easing. "About 60% of people I talk to block," says Walls. "But a year ago it was 75%."
After that, the question is, can technology play a role in carrying out the corporate policy?
Blocking use of social networking on corporate PCs obviously doesn't prevent anyone from using alterative means, such as home PCs or mobile devices, to go out and make the same outrageous mistakes that could harm the company. So it's necessary, from the company's perspective on social media and employees, to monitor the wide world of social networking, says Walls. "You've got to monitor. Otherwise, how do you know the effect of your policy?"
Monitoring outside the corporate infrastructure can be carried out through SaaS middleware from Facetime, Socialware and Teneros, or social-media monitoring vendors such as The Internet Archive, RightNow, Radian6, Alterian and Scoutlabs, he points out. There are even a few tools still considered quite new that could run on social-networking sites, such as Defensio, acquired by Websense.
Putting surveillance software, such as SpectorSoft or NetVizor, on a desktop machine can be done but may be legally questionable in some countries, he warns.
But wholesale blocking of social media is only going to buy a little time because social networking is only going to get bigger, Walls says.
And if there are incidents that erupt in the social media sphere that hit the organization hard, be open to the fact that it may not be IT security or anyone else in the organization who first notices and warns about them. "Increasingly, the big security incidents will be noticed by users and customers," says Walls.