What are the risks to company employees embracing new social media applications, such as Facebook, Myspace, IM, Twitter, etc., at work?
I recently had a great discussion with Josh Bancroft, an Intel software engineer deeply entrenched in the social media world (truth be known, Josh has been a champion in this area for a while, and Intel owes much of our social media maturity to Josh and others like him). Josh recently started a blog on this topic and is getting some great responses. Check it out!
Here is my position:
Corporations institute security mitigations to control and manage risks to the corporate network, systems, data, reputation, customer goodwill, liability protection, etc. Many of these new social applications expose employees to a new set of social engineering threats. Connecting to these services from company machines across corporate networks exposes potentially critical assets as well.
The benefits of these tools are undeniably great, but should corporations embrace such potentially risky communication channels? If so, how?
Anytime an employee makes a connection through the corporate firewall to an external Internet location, the risk meter goes up. Email is a perfect example: uncontrolled email would be a huge risk. Without spam and malware filters, a corporate network connected to the Internet would surely be overwhelmed. Organizations have instituted such security controls to manage the risk to an acceptable level. But with the rapid introduction of new social tools, designed to traverse proven security controls, how should companies manage the new risks?
What is worse, these social platforms may be used by savvy attackers to profile targets and go directly after one of the traditionally weak links in any security program: the human element. Employees can be swayed to download malware and divulge sensitive information, which can lead to tremendous compromises of corporate assets.
What to do, what to do. With my security hat firmly bolted on, I say employees must comply for the greater good, which means balancing function with security. Normally, corporate information security policies are in place to control what is allowable. Policies are formal means for management to determine the acceptable level of risks, thereby defining the function/security balance.
So how do we get beneficial social interfaces integrated into the corporate computing landscape? Well, it really is a senior management decision to accept the risks. Such an effort usually begins with a risk assessment to determine where on the risk spectrum each tool would fall and what cost-effective security mitigations could be applied. If senior management is willing to accept the residual risks, then it is time to move forward. With the sheer number of new social interfaces being introduced, it is unlikely all would be embraced. Some, if not many, users may be unhappy, but this is the cost of effective, efficient security assurance in the corporate setting.
But what if the end users collectively ignore these policies? What responsibility does security management have to ensure due care and due diligence are maintained? Security must consistently follow its rules of engagement. It is tough enough to keep the environment secure without employees subverting policies. I recommend detection and enforcement, as well as collaborating with the end users to determine if a middle ground can be found that meets the business need while maintaining the integrity of security. We are all in this together. We will succeed or fail together.