How to manage the risks of social networking so that you can utilise this valuable business tool.
By Gary Cantrell, VP & CIO, Textron Information Systems
Virtually all businesses are faced with some form of geographic sprawl. This sprawl supports global efforts and provides access to fresh talent and resources while also creating new risks for the corporation and employees. Collaboration tools and social networking services are sites focused on building internet-based communities of people who share common interests.
There are many benefits to bringing this new wave of technology into the corporate world; however, the risks to the corporation can outweigh the benefits if these tools are not carefully managed. Exploring the technological and data risks associated with the utilisation of social networking sites and services is essential to determine if this technology is appropriate for your organisation.
Technological risks
Social networks can be compared to mass gatherings of people in train stations or airports where it is easy to transfer the common cold. Quite similarly, computer viruses can be transmitted electronically through social gatherings online. Malware, Trojans and other types of spyware can be transmitted without the user’s knowledge.
Data leakage risks
There are three very important data leakage risks that corporations must be aware of before adopting social networking sites into the corporate culture. These risks include:
• Innocently posting personal information that can be used to commit identity theft, such as date of birth, e-mail address, job or marital status.
• Sharing corporate information, such as employee lists, department names, user names and passwords.
• Trusting an unknown person who could potentially be unsafe or misleading.
The controls for these risks can be segmented into three primary areas: policies and awareness, virus protection, and content filtering/monitoring.
Policies and awareness
Policies need to be developed to document the corporation’s position on social networks. Without a corporate policy governing acceptable use of the technology, employees will assume that its use is authorised.
Awareness training should include:
• How to register correctly and choose proper preferences
• Only establishing online relationships with appropriate people
• Specifying what information should never be discussed or shared in a social network environment
Virus protection
Utilisation of a multi-layered, redundant approach to virus protection has prevented the malware risk from impacting corporations. It is necessary to ensure that your corporate virus protection is robust enough to protect against the increased exposure due to social networking.
Content filtering and monitoring
Another effective control protecting your company from the risks associated with social networking is the utilisation of content filtering and monitoring technology. Current technology allows access to these sites to be limited to only those users who may need them in order to perform their daily jobs. Current data loss prevention software vendors provide the capability to identify instances of company information being posted to external locations.
Numerous risks exist through the utilisation of social networking, although there are controls that can be put in place to mitigate risk so that corporate access is permitted. The potential value of these networks justifies the effort and risks, but be prepared to perform a risk assessment to determine what is appropriate to your corporate environment and control capabilities.