Social Networks' Risks for Business Security
In today's increasingly communicative world, businesses face a dilemma. They have to find ways to be more engaging and communicate more directly to their customers and the public, while retaining close control of sensitive information.
The most convenient way for both business users and their customers to share information has been through blogs. Over the last three years blogs have sprung up everywhere. It's hard to find a major corporation that doesn't have a host of blogs on different subjects all aimed at getting more relevant content out to the marketplace faster and more effectively.
The popularity of blogs has been closely followed by a wave of Web-based social networks, such as LinkedIn, Facebook and Twitter. According to Nielsen Online's article "Social Networking's New Global Footprint," time spent in "member communities" now accounts for one of every eleven minutes online.
But the distinction that used to exist between blog posting and updating your status on LinkedIn is fading. Each status update to your Twitter account becomes the latest entry in a rolling blog of your life. This interconnection is important because it is this aspect of social networks that can be cause for concern to IT departments.
If, for instance, you have linked your LinkedIn account to your Facebook account, to Twitter and beyond, anything you post to any one of the services will immediately be federated or syndicated to the others. This replication and distribution of data makes it difficult, if not impossible, to take things back.
For the most part, the interconnected aspect of social networking is a benefit (who wants to update 10 networks with their latest status?), but it's a double-edged sword in the hands of the careless. As status updates and notes get quickly exchanged from a network intended for personal use to your business social network, it's easy to see how the mixing of the groups could cause problems. "Friends" that we once had at company X might now be the competition at company Y. When the relationships you have in your online communities get tangled, you need to exercise caution in what you share, or the consequences might hurt your company and/or your career.
The knee-jerk reaction to these kinds of problems from most IT departments is to implement URL filtering and block access to sites such as LinkedIn and Twitter. While this feels like it's solving the immediate problem, it is not. The thing that needs protecting is your data, not your Web access. Data protection has many forms, but all good data protection starts with solid and repetitive user education. The computer security industry is responding to this need by delivering tools that help IT learn about important and sensitive data. By learning where data is stored, how it is handled and who has access, IT can build more effective policies to protect it more quickly.
Solutions that help support business rather than cripple it with overwhelming false positives are essential to success. Being able to look at historic data patterns will give IT the ability to prevent future data leaks. Once the patterns of use are identified, it becomes easy to implement effective user education programs to start to change behavior and perceptions. That education, coupled with systems that constantly monitor data as it moves around your network, provide immediate feedback to users and offer efficient tools to handle incidents quickly, is the recipe for success.
The most effective way to prevent casual data mishandling is to raise awareness of safe data handling practices among your users, rather than locking down your business by cutting off its essential access to the world in which its customers live.