Security Professionals and Social Networks
Security professionals understand the risks of social networks better than anyone. So, given the concerns they may have, do they actually use social networks? Earlier this year we surveyed 87 security administrators from companies in North America and Europe, from both large companies and small, in order to find out.
Our first discovery was that security administrators are not much different from anyone else: they do use social networks. In our survey, only 30% say they do not use social networks; however, they are cautious about them. They are concerned about the ability to separate work and private friends (60%). They want to make sure that "coworkers don't see my personal contacts." Some only use business-related sites. Or, as one security admin put it: "I never mix anything like serious work and my social network."
It is not surprising that the vast majority will refuse an invitation they receive on a social network (70%). Why do they refuse a "friendship" or "connection" from someone? Mostly they refuse invitations from people they have never met. If they don't know who the person is, they decline the invite. But they will also reject people they know. Security administrators are concerned about the implied endorsement of someone when you bring them into your online circle of friends. Sometimes a past employee should stay right where they are, in the past. And they don't want other people to have access to them through colleagues. A friend of a friend is not necessarily my friend. But if I connect with a friend, I get all his contacts in the bargain. The people they seem most concerned about reaching them this way are recruiters. Many administrators do not want headhunters to approach them through social networks.
What are the security concerns about social networking usage among end users in their organization? No surprise here, it's the big three: malicious code attacks (43%), data leakage (48%), and lost productivity, which was in fact the biggest concern of the three at 53%.
We wanted to know what they and their companies were doing about this concern. Surely this was leading them to take decisive action on the use of social networks at work. Well, actually, the answer to that is "no." The vast majority don't block access to social networks at work. They usually have no company policy on end users accessing social networks, and they are not working on one.
At first blush that seems a little surprising. As one of our survey participants said, "The content on social networks is dubious - not the content we want users visiting from work." Another said "too many worms, malware" on social networks. There is also the threat from the loss of intellectual property; "Confidential information [is] being shared." And the phrase "time waster" came up again and again.
So, why are they not taking any action? 77% are concerned about the security risks of their end users using social networks at work, but 72% do not block social networks. Sixty-seven percent have no company policy on social networks, and 80% of those people are not working on one. There are a few very logical reasons for this. Here's what one security administrator says: "The largest security issue is malware; however, that threat is there with social networks at work or not. If employees take their laptops home they may inadvertently infect themselves and bring it back in. So, blocking the sites from the workplace doesn't really gain any advantage." Here's another: "I would not aim just at social networks. There are limitless vectors for malware attacks, espionage, and productivity loss, besides social networking. I think a comprehensive data leakage model would be best instead of looking at a few specific methods."
And finally, one more reason. Many companies are embracing social networks as a way to market themselves and their products. What if your company blocked access to a social network while the marketing department was using the same social network to promote an event? It happened to one of the companies surveyed: they had to reverse their policy. Their own employees couldn't access the networking group created by the marketing team.
Social networks are one more tool/application in the company network. Instant messaging (IM) generated many of the same concerns when it first crept into the business world. Ultimately, the vendors added security features, third-party security tools became available, users became knowledgeable about the risks, and consequently IM became accepted as a legitimate business tool. Will the same thing happen to social networks? It seems likely. And while security administrators remain concerned about the security risks, they seem to be taking it all in stride. For them, it's been there, done that.