This article is partially based on some text I've written earlier about the risks of using social networking services such as Facebook, Linkedin, Twitter etc. Before you continue to read, remember that this is written from a business perspective where secrets exists, both from competitive as well as from regulatory requirements. In other words, this is your employer speaking.
I decided to put this out as a blog entry here, as I've gotten into several discussions lately on security, or the lack of it, in such services. I'm registered on a wide range of such social networking services myself, using some of them more frequently than others. My mission here is not to scare away anyone from using them, but to encourage a safe introduction and usage of such services to any organization or enterprise. You have to do it correct the first time around, second chances are very rare in this world.
What are we so concerned about?
There are as many dangers as there are users of such services. It is well documented that participation in social networking services lowers our threshold for accepting messages and links to online content from family, colleagues and "friends”, because we have a higher trust in them, compared to strangers. For older services such as e-mail we have good control, with costly anti-virus / antispam solutions in place. Keeping our risk level within acceptable standards costs money, and we want value for our money.
Social network services are still in an early phase considering security. Several such services are almost regarded as being designed to avoid the "cumbersome" security checks that already exist in enterprises and organizations, such as firewalls and filtering solutions. Such services also contribute heavily to blurring the line between our personal and job related activities, creating a series of legal challenges that still stands unresolved in the courts.
First and foremost, we emphasize the danger to you personally. We frequently hear true stories from colleagues and externals that have gotten their accounts at Facebook or Twitter hijacked, or getting their computers infected by viruses. In the more serious cases we have seen bullying, threats, blackmailing, violence, illegal monitoring of individuals, money laundering, theft and so on. Several cases has been reported to the police. And probably the very worst: Internet has become a global market for human trafficking and pedophiles who grossly exploits social networking services to get in contact with children.
ID theft is booming, and yet there are rather few among us who understand the dangers. Few people knows what to do in order to clean up after having their identity stolen. (Norwegian users may visit http://idtyveri.info/ to learn more about this, and take a test of their knowledge in this area.)
Then there is a danger to you as an employee
The following example taken from Facebook illustrates the risk in a "fun" way: http://www.buzzfeed.com/reddit/this-is-why-you-shouldnt-allow-your-boss-to-be-yo
Of course, employees rights are far better in Norway than in the USA, where this example comes from. Nevertheless, the employer has a right to set limits on what you as an individual is allowed to say or write publicly on behalf of your employer. Violation of this could have disciplinary consequences that involve either oral or written warnings, eventually a termination of your work contract.
Last but not least, there is also a real danger to the organization
Imagine that a serious error occurs, and a frustrated employee writes on Twitter "ARGH, our servers just went down - AGAIN!”. A journalist sees it, calls the director of information in the organization. He/she doesn't know about the problem yet, and has no answers to the media. What will probably happen? The headlines could easily become "Services down AGAIN - we had to notify them".
A single bad sentence about downsizing, tenders, contracts, budgets, quarterly results... It doesn’t take much to get into trouble! It is also easier to misinterpret a small status message than by talking to somebody live. Most organizations has experienced events that had negative consequences, and they would naturally like to reduce the likelihood of that happening again.
All these are valid arguments for keeping a centralized control over who gets to say what, when and where on behalf of the company. No, that's not the same thing as censorship or bureaucracy, it's just common sense with a bit of risk analysis applied to it.
Finally, as a more personal note:
To all those who tells me they don't know about any incidents that have had a negative impact to either an employee or an organization... Privacy laws, common sense and personal integrity are just some of the reasons i don't talk about them. Believe me, they do exist, just be happy it didn't happen to you - yet.