Despite threats, companies lack policies on social media at work
Nothing has happened to change the mind of IT management in the last several years; social networks remain a major security concern. What has changed is that social media has become more established, and it is less and less likely that IT management will block access to it. According to some survey work we did, there is only a 1 in 20 chance of your company blocking access to social networking sites.
Part of this is no doubt because of the rush by businesses to adopt social networking in their marketing efforts. Companies have started Twitter accounts, created Facebook fan pages, and established a presence in online communities. What’s clear from our survey is that simply having a presence on social networks is good for business. In our survey, 52% of respondents said that a company’s presence on social media positively impacts their opinion of the company. As for keeping your employees happy, 32% wouldn’t want to work for a company that banned them from accessing a social network at work. The end result for businesses is that 95% of them don’t block social media.
Forty-six percent of the people in our survey admitted that they accessed social media at work for personal reasons. Twenty-eight percent use social media three times or more each day. Some would even forgo a bathroom break rather than give up their social media.* And 13% admit to circumventing company rules around social media. (*Tongue firmly in cheek: we asked what you would do if you had five minutes before your next meeting and needed to use the restroom, but hadn’t checked Facebook all day. Two percent would cross their legs and check Facebook. Eleven percent would bring a mobile device to the restroom.)
We didn’t measure the amount of heartburn this is giving IT, but we have been measuring their concern. Two years ago we surveyed IT Security professionals and found that 77% were concerned about the security risks of their end users using social networks at work. Fast-forward to February of this year, and social media was still found to be a major concern. Eighty-four percent of CIOs and CISOs surveyed in the 2010 State of Enterprise Security Report considered social networking sites to be a serious threat to their security.
That’s a lot of concern. Here’s why: social media presents many opportunities for attackers to find personal information that can be used in social engineering to target specific individuals. Attackers can track social media activity to learn personal information such as friends, hobbies, and location information (where they work, whether they are on vacation, etc.). Even worse, users can leak sensitive information on social media, either by accident or on purpose. And of course social media is an active attack vector for spam and malware. Whether it’s a mass attack or a targeted one, when users are surrounded by friends it’s simple to get them to click on seemingly legitimate links.
What has IT done about it? Two years ago, 28% blocked social media. Today, just 5%. Given employee attitudes and the way businesses are starting to use social media, this really isn’t surprising. Banning social media isn’t really going to work for most companies.
Here are the most interesting numbers from our survey from two years ago: 76% had no company policy on social networks, and 80% of those people were not working on one. Since then, as concern has increased and access to social media has been opened up, you would expect these companies to have policies in place. Some do, many don’t. In our recent survey, 42% of employees we surveyed said their company had no policies about social media in the workplace. The companies may be worried, but they are doing nothing to educate users and guide them in the safe behavior needed when using social media. That’s shortsighted; you can’t stop social media, but you can address the risk.
Companies can significantly reduce risk by developing a social media policy that lays out either specific employee policies or guidelines, depending on the company’s needs and risk. Companies can also use technology to develop and automate IT policies. But it’s the ability to enforce a policy or continuously monitor the company’s status against the policy over time that provides the real value.
The prevalence and influence of social media cannot be denied, and in many cases it can be beneficial to businesses to participate in social networking. However, a balance needs to be struck between legitimate and productive use of social media and IT security. By using a combination of policies, technology, and employee education, organizations can achieve that balance.