Social network sites: Block or not?

Surveys show most companies don't let employees access social network sites such as Facebook, ostensibly for risk reasons, but probably also because they fear a productivity drain. But proponents say allowing access benefits corporations in everything from market intelligence to recruiting. What's more, the next generation of workers will require it.

The Experts
Chris Poulin

Chief Security Officer at Q1 Labs

Q1 Labs says allowing access to social network sites influences user behavior in a way that increases corporate risk.

Shel Holtz

Principal of Holtz Communication + Technology

Holtz Communication + Technology argues that there is no need to block access to social network sites, that the risks can be easily addressed and the downsides of blocking are greater than potential problems.

Chris Poulin

Social Networks are a Keyhole for Advanced Persistent Threats

How does playing Farmville or Mafia Wars on company time affect the business? At a minimum it's a waste of resources, while at the worst it exposes the company to unnecessary risk.

Yes, you can draw a distinction between personal and professional social networking sites: Facebook is a different beast than LinkedIn, and attracts different types of users for different reasons. Any geek who's been asked by a friend or family member to fix a slow PC understands the average home user doesn't grok the concept of contextual trust: they'll happily click any link, accept any friend invitation, and even install software from just about any Web site.

In contrast, users of LinkedIn and other professional networking sites tend to be more discriminating. One of the differences seems to be what's in it for the user: to the business user, if there's no professional benefit, it goes ignored; whereas, to the home user it's all about entertainment, and any invitation or link offers that promise.

But the problem is most of us aren't good at separating our personal and professional lives. Chances are we use the same password for our Google Buzz account that we use for the corporate Active Directory login and even SalesForce.com.

We also tend to employ the same habits when we use the same applications, whether in a personal or professional context. When corporate security guidance warns us not to open e-mail from people we don't know, it improves our e-mail habits on our home computer. If the sites we visit are primarily for work, we bring a healthy dose of suspicion along; but bring Classmates.com into the workplace and recreational browsing habits cross over into our office browsing.

The bad guys know e-mail protection is mature at this point and it's easier to entice users to click on links in social network sites than it is to evade e-mail content filters. And they can use this for more than just identity theft. Drive-by downloads can infect personal and business computers alike with all types of malware. Viruses, the perennial favorite, are now somewhat passé, and being replaced with custom, targeted malware that is much more dangerous and amounts to what is being called advanced persistent threats.

Aurora, the exploit that compromised hundreds of computers in over 20 big companies, including Google and Adobe, is believed to have been delivered to the target computers via spear phishing and drive-by download. It's possible that the victims were lured with targeted e-mails at their corporate account, but it's just as easy to lure victims through social network sites.

Another danger of social networking isn't one we normally think of in the private sector, but is drilled into every Department of Defense employee with a secret security clearance and above: operations security.

Take the US Marine Corps, which has banned social network site access from military networks, according to a Computerworld story. "You can't have someone posting, 'Hey, we're leaving on this date and at this time,'" says 1st Lt. Craig Thomas, a Pentagon-based spokesman for the Marine Corps. "Believe me, the enemy is checking out what you guys are reporting and what service men and women are saying online."

Troop deployment schedules may not be the concern of your company, but leaking intellectual property is. "Working late—AGAIN. Man, can't wait until we solve the hydrogen matrix reticulation problem so I can see my wife & kids," is the kind of Tweet that can clue your competitor into your new product technology.

Of course, there's nothing stopping employees from posting the same thing at home. Employees have a responsibility to be discreet whether at the office, at home, or on a safari in Kenya, and employers have to set the expectation by providing security awareness training. Companies should also be monitoring employee usage of social media/networking sites – for personal and professional use – in order to comply with internal policy and reduce external fraud.

As with all things, there's a gray area. Some sites, like LinkedIn, are harder to target because they have a low tolerance for unsolicited contacts or mechanisms in place to vet relationships before allowing communications between the parties. In general, it is fine to allow employees to access these sites with appropriate security awareness training and a clear acceptable use policy to give it teeth. Conversely, businesses can use Facebook and Twitter to promote themselves, but this access should be closely controlled, relegated to public relations staff and certain executives.

The Marines in that article summed up the risks of social network sites nicely: "These Internet sites in general are a proven haven for malicious actors and content, and are particularly high risk due to information exposure, user generated content and targeting by adversaries. The very nature of [social networking sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage ..."

That said, the Marine Corps went on to say the key is finding a balance between security and a way to use new technologies. Every business should evaluate the Marines' philosophy in the context of their own environment, potential benefits and risks.

Q1 Labs is a global provider of high-value, cost-effective next-generation network security management products. The company's flagship product, QRadar SIEM, integrates previously disparate functions - including risk management, log management, and network and application activity monitoring - into a total security intelligence solution, making it the most intelligent, integrated and automated Security Intelligence Platform available. QRadar provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect IT assets and meet regulatory requirements. Q1 Labs is headquartered in Waltham, Mass., and customers include healthcare providers, energy firms, retail organizations, utility companies, financial institutions, government agencies, and universities, among others. For more information, visit Q1Labs.com, e-mail info@Q1Labs.com, or call 781-250-5800.

Shel Holtz

The Case for Open Employee Access

Blocking employee access to social media is unnecessary, short-sighted and counterproductive. Yet, according to one study, some 54% of U.S. companies restrict employees from visiting sites like Facebook, Twitter and LinkedIn.

The concerns that lead to blocking access are easily addressed. The most commonly raised fear is loss of productivity. Fueled by back-of-the-envelope calculations by vendors that sell blocking software and hardware, companies are convinced they are losing productivity whenever employees log on to a social network.

In fact, multiple studies report productivity actually increases when employees are able to connect to their networks, by as much as 9%, according to research by the University of Melbourne.

But the premise that productivity suffers is flawed at its core. It assumes employees work only eight hours and that time spent online eats into the limited time available for work. It also assumes employees never work away from the office, an absurd (and disproven) assumption in the world of 24/7 connectedness.

Ultimately, productivity is not a technology issue. Will the small percentage of workers whose productivity suffers because of the time they spend online suddenly become paragons of productivity when that access is removed? Most likely they will just find other ways to avoid work. Productivity is a supervisor's job, not IT's; companies need to train supervisors to identify abuse and manage by exception.

Companies also worry about what employees will say in social networks, from violation of government regulations to exposure of company secrets. These concerns are addressed by clearly communicated social media policies (which most organizations still don't have). In any case, there have been precious few reports of such incidents.

Network security is next on the list of worries, with IT departments insisting that blocks are necessary to prevent the introduction of all manner of digital infections. Blocking may be the easiest way to keep networks safe, but it is not the only way. Consider the U.S. Department of Defense, which has introduced a policy allowing users of Pentagon servers to access Facebook, Twitter, MySpace, Flickr and other social sites. Defending against malicious activity is now a more granular activity.

"This directive recognizes the importance of balancing appropriate security measures while maximizing the capabilities afforded by 21st-century Internet tools," according to Deputy Defense Secretary William J. Lynn III.

The downside of blocking

Blocking access can hamstring a company in a variety of ways. Studies have shown that highly-qualified Millennials simply won't work for companies that don't allow them to network. Besides, as Beth Israel Deaconess Medical Center CEO Paul Levy noted, "Limiting people's access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing. It also creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20s and 30s who tend not to use email."

On another level, blocking simply doesn't work. Employees find routes around restrictions that can have a more significant impact on productivity than allowing access, according to Ontario (Canada) Privacy Commissioner Ann Cavoukian. And employees don't even need the company network to access social sites: Cell phones have overtaken computers as the most popular means by which people connect to social networks.

Most important, though, is the notion of employee engagement. Most CEOs crave a large population of highly engaged employees as a proven means of fueling growth. But engagement is built on trust, and few employees will want to deliver discretionary effort for organizations that don't trust them to do their jobs and play by the rules.

Missed opportunities

Companies that block access also inhibit the organization's ability to reap benefits from employees' social networks. Companies like General Motors and Sprint have removed any barriers to access so employees can evangelize products to friends and family (which drives sales) and solve customer problems (which builds loyalty and word-of-mouth). Recruiting becomes easier when employees can tap into their professional networks, and research shows managers make better and faster decisions. Competitive intelligence is more readily obtained, subject matter expertise more easily sourced and relationships with key stakeholders strengthened.

As Denmark's Peter Sondergaard – senior vice president of research for Gartner – recently told an audience, innovation today happens at the user level; it's an unstoppable trend, and policies that try to inhibit access to the Internet are losing strategies.

In his consulting practice, he has worked with companies like PepsiCo, Johns Hopkins Medicine, Symantec, Ford Motor Company and Intel. He has written or co-authored six books on communication, most recently "Tactical Transparency." He speaks worldwide on online communication and social media. He is a Fellow of the International Association of Business Communicators (IABC) and a Founding Fellow of the Society for New Communication Research (SNCR). His podcast, "For Immediate Release," which he co-hosts with the U.K.'s Neville Hobson, is the longest-running public relations-focused podcast. He blogs at http://blog.holtz.com. You can reach him on Twitter. Shel maintains the Web site, Stop Blocking, which provides more information on this topic.
