Tuesday, February 16, 2010

Risks when using social networking services

This article is partially based on some text I've written earlier about the risks of using social networking services such as Facebook, LinkedIn, Twitter etc. Before you continue to read, remember that this is written from a business perspective where secrets exist, both for competitive reasons and because of regulatory requirements. In other words, this is your employer speaking.

I decided to put this out as a blog entry here, as I've gotten into several discussions lately on security, or the lack of it, in such services. I'm registered on a wide range of such social networking services myself, using some of them more frequently than others. My mission here is not to scare anyone away from using them, but to encourage a safe introduction and usage of such services in any organization or enterprise. You have to do it correctly the first time around; second chances are very rare in this world.

What are we so concerned about?
There are as many dangers as there are users of such services. It is well documented that participation in social networking services lowers our threshold for accepting messages and links to online content from family, colleagues and "friends", because we have a higher trust in them compared to strangers. For older services such as e-mail we have good control, with costly anti-virus / anti-spam solutions in place. Keeping our risk level within acceptable standards costs money, and we want value for our money.

Social network services are still in an early phase when it comes to security. Several such services almost seem designed to bypass the "cumbersome" security checks that already exist in enterprises and organizations, such as firewalls and filtering solutions. Such services also contribute heavily to blurring the line between our personal and job-related activities, creating a series of legal challenges that still stand unresolved in the courts.

First and foremost, we emphasize the danger to you personally. We frequently hear true stories from colleagues and externals who have had their accounts at Facebook or Twitter hijacked, or their computers infected by viruses. In the more serious cases we have seen bullying, threats, blackmail, violence, illegal monitoring of individuals, money laundering, theft and so on. Several cases have been reported to the police. And probably the very worst: the Internet has become a global market for human trafficking and pedophiles who grossly exploit social networking services to get in contact with children.

ID theft is booming, and yet there are rather few among us who understand the dangers. Few people know what to do in order to clean up after having their identity stolen. (Norwegian users may visit http://idtyveri.info/ to learn more about this, and take a test of their knowledge in this area.)

Then there is a danger to you as an employee
The following example taken from Facebook illustrates the risk in a "fun" way: http://www.buzzfeed.com/reddit/this-is-why-you-shouldnt-allow-your-boss-to-be-yo

Of course, employees' rights are far better in Norway than in the USA, where this example comes from. Nevertheless, the employer has a right to set limits on what you as an individual are allowed to say or write publicly on behalf of your employer. Violation of this could have disciplinary consequences, ranging from oral or written warnings to termination of your employment contract.

Last but not least, there is also a real danger to the organization
Imagine that a serious error occurs, and a frustrated employee writes on Twitter "ARGH, our servers just went down - AGAIN!". A journalist sees it and calls the director of information in the organization. He/she doesn't know about the problem yet, and has no answers for the media. What will probably happen? The headline could easily become "Services down AGAIN - we had to notify them".

A single bad sentence about downsizing, tenders, contracts, budgets, quarterly results... It doesn't take much to get into trouble! It is also easier to misinterpret a short status message than a live conversation with somebody. Most organizations have experienced events that had negative consequences, and they would naturally like to reduce the likelihood of that happening again.

All these are valid arguments for keeping centralized control over who gets to say what, when and where on behalf of the company. No, that's not the same thing as censorship or bureaucracy; it's just common sense with a bit of risk analysis applied to it.

Finally, as a more personal note:
To all those who tell me they don't know about any incidents that have had a negative impact on either an employee or an organization... Privacy laws, common sense and personal integrity are just some of the reasons I don't talk about them. Believe me, they do exist; just be happy it didn't happen to you - yet.


  1. (Part 1 of 2 - exceeds maximum character count)

    Interesting article, and I do agree.
    From my perspective, as the youngest employee at my location, social media isn't the security threat. The people who use it are. Social media has come to stay, and will be used at work one way or another, whether the organisation likes it or not.
    It's how we connect to friends and family, colleagues and business associates. It's how my mom keeps track of what I'm up to, to know about my day, when I'm often so busy I don't have time to give her a call!

    I was made aware of your article on said social media (Facebook... at work, but off my employee's network :) ) and knowing there has been a lot of discussion regarding security measures and social media, I had to check it out.

    Growing up and learning computing/networking simultaneously, I've had my share of chances to infect my computer with trojans/viruses/malware and such. But not once have I been infected, nor had any viruses on my PC. From my point of view, I cannot understand how people can have such a naive approach to links and other methods used to infect computers. Posting comments etc. regarding downtime and failures plays on one's common sense; it's obvious one should stay away from topics like those.

    "OMG IS THIS YOU?? PUT SOME CLOTHS ON" followed by a link that any given person who has the slightest awareness of, and confidence about, which websites are safe to visit would never click. Often sent automatically by a person with no interest in viewing photos of you.

    At my young age, I'm pretty much aware of links and messages, and whether they're actually sent from that particular person or not.
    My mother, on the other hand, isn't.
    Lately, after I explained how trojans/viruses/malware work, when I send her a link she asks me politely whether I just sent her something. I still have to clean her computer's software pretty much every time I visit her, though.

    That's why I often write something after the link which she knows is personally written by me; something other than the texts which are generated by the common security-breach links. People need to become more aware. They should be trained/coursed before being "verified" to use social media at work.

    I often get e-mail warnings that I have a program on my PC that is a security threat, and am required to remove such programs and reply when it's been taken care of.
    The program I'm warned about is Windows Live Messenger.
    I can understand, from a security manager's point of view, that it COULD be an infecting program. But then again, so can every other one.

    We're told to use Skype to cut the cost of phone bills and so on; last time I logged on to Skype I was spammed full of messages with links to click which would infect my PC; the same links which could be sent to my Windows Live Messenger account by unaware friends and family. I find it strange that Skype is recommended.

    [continuation of comment follows]

  2. (part 2 of 2)

    And besides, imagine the time it takes to add every single business contact to Skype? And get them to use it properly so they actually can be reached? Half the people I contact, both regarding private and business conversations, cannot be added to/reached on the company's Office Communicator, or "Work MSN", as we call it.
    Windows Live Messenger supports video conferencing as well, and is a program well known and used amongst employees; Skype has no purpose to me personally. I just use my phone.
    Firewalling social media will also firewall the employees' morale. Social media has come to stay; it's inevitable.

    I had a suggestion that would solve it all (I have a reputation for having solutions for everything :) ): a solution which would keep employees far away from social media on our computers at work, and cut my and many others' phone bills in half.

    My phone bill is approx. 2500 NOK per month. I use my phone mostly to contact customers for troubleshooting etc., and I've noticed the bill has increased after changing jobs to Field Technician.

    My suggestion was to change my phone service provider's subscription (held by my employer) from a regular minute-based subscription to one with a set amount of minutes for a set price, with unlimited 3G/GPRS broadband included in the price. I call roughly 300 minutes a month, and often use web/GPRS services on my phone as well. My intention was to get hold of an Apple iPhone, which with the subscription mentioned above would only cost me 1 - ONE - NOK. The subscription itself costs 1000 NOK a month, shaving 1500 NOK off my bill a month; imagine the total savings when mine alone would amount to 15000 NOK a year.

    That way I could use my phone to easily access our logging systems while working "in the field", updating and closing incidents, accessing databases etc.; all of which we have accessible via the web, but lack the tools to reach if not stationed in front of our PCs.
    The iPhone is also easily made to access Facebook; you have applications for Twitter and MSN, IP phones (Skype) etc. The perfect tool for keeping viruses, trojans and malware off our computer networks! And how attractive my employer would become to new employees applying for a job. "Get hired, and get an iPhone!"

    The iPhone with the mentioned subscription for only 1 NOK, a steady bill of 1000 NOK per month (unless you call more than 1000 minutes a month; after this, the taxes/fees paid for today's subscription apply from the first minute over). It would save roughly 10000 NOK per employee per year. It would make my employer a lot more attractive to young, smart, trained IT people looking for a new job. And it would easily be used by our employees for social networking and media unwanted on our computer networks.

    My suggestion was declined. Reason?
    I'd fall out of our organisation's "proffnett" part of the phone service provider's subscription, meaning I'd lose the free calls I make to my colleagues. The sum of those? 22 minutes per month. 22 minutes that would add to the 300 minutes I already make, subtracted from the total of 1000 "free" minutes at only half the price of my phone bill today.
    That's tragic.


All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.