They're a productivity sink and a bandwidth suck. They're a vector for malware and a gift for corporate spies. They're a data spill just waiting to happen. And like it or not, they're already inside your enterprise.
Meet the Social Network. No, not that movie about Mark Zuckerberg -- the real social network, from Facebook and MySpace to Twitter and Flickr, used by your coworkers and colleagues every single day, whether they're officially allowed to or not.
But social networking inside the enterprise is not only inevitable, it's essential. Used correctly, social media can help your company solve problems, burnish its public image, recruit top talent, and generate ideas. Implemented poorly -- or worse, ignored -- it can create a world of pain.
You can get on the social bus, or you get dragged behind it -- your choice.
Taming the social network: With friends like these, who needs enemies?
What could go wrong with giving unfettered access to social networks at work? Plenty. Even if you manage to keep employees from spending all day milking cows and harvesting crops in Farmville, a host of other potential threats lurk just below the surface.
Take bandwidth, for example. Social media is consuming ever-increasing amounts of network resources, according to Palo Alto Networks' Application Usage and Risk Report. While the number of social media apps found on corporate networks has remained relatively stable over the past year, the bandwidth these apps consume has more than doubled and is expected to grow even more.
"Social media traffic is massive," says Rene Bonvanie, vice president of worldwide marketing for the network security vendor. "We see the bandwidth demands going up substantially through social media apps. In many cases, it does conflict with business systems in these organizations, which could lead to continuity issues."
Worse, because they run on trust, social networks have become far more effective vectors for spreading malware than, say, email, says Sarah Carter, chief strategy officer for FaceTime, a maker of Web 2.0 security tools.
"We're well trained in the email and traditional Web world," Carter says. "We don't click on .exe attachments or URLs that look suspicious -- heck, we probably don't even see them anymore because of our spam filters. But in the world of social networking, where the person we're receiving the message/notification from is inside our trusted network of people, we're more susceptible to just plain clicking on that link and infecting ourselves."
According to Panda Security's Social Media Risk Index, one-third of small-to-midsize businesses have suffered a malware infection initiated through social media, with Facebook the leading source. Malware threats once thought of as nearly extinct have made a rousing comeback in business environments, thanks to overly trusting social networkers.
Yet the biggest threat is probably the accidental data leak, wherein well-meaning employees tweet details of secret projects they're working on, "check in" to meetings between two companies on the verge of a confidential deal, or post status updates that mention internal problems at the company. It's not quite on the scale of, say, losing a prototype iPhone in a bar, but employee social media gaffes can cause your organization everything from public embarrassment to legal liability.
"I can't begin to tell you how many times companies come to us because they've discovered their employees were using social networks that compromised sensitive data," says Mike Logan, CEO of Axis Technology, a vendor of data masking products. "A P2P network or a social network like Facebook that collects info is pretty much the equivalent of digging a tunnel right into a company's data center."
In Proofpoint's seventh annual study of outbound communications security, conducted by Osterman Research in July, one in five organizations reported losing confidential or sensitive information via social networks -- a figure Osterman acknowledges is probably lower than the actual number. In the past 12 months, 20% of companies surveyed have disciplined employees for violating company policies on social networking, while 7% have terminated people for their actions on social nets.
It gets worse. If your employees post proprietary information on a site like Facebook, whose terms of service grant it a broad license to any content shared on its network, you may lose control over your company's intellectual property.
"It all boils down to what is written in the terms of service," says Carter. "These differ between the different social networks, which creates its own problems. Having proprietary data residing on a social network should absolutely create concerns for enterprises, especially if that data is not stored anywhere else. Enterprises should look at their record retention policies and not rely on Facebook, LinkedIn, or Twitter to store that data for them."
Taming the social network: Block social media at your peril
From an IT perspective, an understandable response to social media is to block it and forget about it. Depending on the survey, some 30 to 50% of organizations polled say they ban employees from using Facebook, Twitter, LinkedIn, and other popular social media sites at work. Simply add facebook.com and twitter.com to your list of forbidden URLs and get back to the real work at hand, right?
Wrong, says Palo Alto Networks' Bonvanie. Most companies are in denial about how much their employees are using social nets, as well as what they can do to stop it.
"You ask some IT people about social media and they'll say, 'Nobody's using Facebook on our network,' or, 'They can't use it because we're using IPS or URL filtering to block it,'" Bonvanie says. "In both cases, those IT people are completely wrong. We see massive penetration of social media in the enterprise."
How massive? Palo Alto Networks detected Facebook use on 92% of the 347 enterprise networks it surveyed last spring. Twitter was detected on 87% of corporate nets; LinkedIn and MySpace, 83% and 82%, respectively.
When IT has taken steps to block access to Facebook and other social sites on the network, users invariably find a way around those barriers, says Bonvanie.
"It's very easy for someone to go around those blocks using a public proxy," he says. "Five minutes later they're back on Facebook and you've lost all control. Believe me, employees are very motivated when it comes to getting on Facebook."
Even if you did manage to somehow keep all your employees from accessing social networks at work, there's little you can do to keep them from tweeting their little heads off about company secrets when they head home at night. And social media blocker beware: Employees are more likely to rip into your company on social sites after hours if they can't get to those sites at work, Bonvanie adds.
"The motivation for someone to log on to Facebook and go off about their company is a lot higher if you block their access at work than if you allow them," Bonvanie says. "If you piss them off at work, that's what they're going to do when they get home. If the culture at work is to allow social media but be smart about it, tell people how to act and what not to say, they're not likely to do it at home."
A partial solution is provided by tools like FaceTime's Socialite or Palo Alto Networks' next-generation firewalls, which offer granular controls over which features each employee can access on the social network. For example, a company might allow full access to Facebook, but block usage of third-party apps like Farmville or native features like chat. Granular control could enable employees in the marketing or customer service departments to use Twitter to promote the company and solve user problems, while keeping those with access to sensitive information offline. Or it might allow some employees to simply read but not write -- so they can scan LinkedIn profiles for recruiting purposes, but not spend valuable company time updating their own résumés.
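To make the feature-level control described above concrete, here is a small rule engine added for this article. It is example code, not FaceTime's or Palo Alto Networks' implementation: it decides allow or deny from the user's department, the destination host, the URL path and the HTTP method, which is enough to express "Facebook yes, third-party apps and chat no", "marketing may post, everyone else may only read", and "LinkedIn read-only". The departments, hosts, the chat path prefix, the rule set and the sample requests are all constructed for the example.

```python
# Added example: a feature-level access policy for social sites, written
# for this article. It is not FaceTime's or Palo Alto Networks' code, and the
# departments, hosts, path patterns, rules and sample traffic are constructed.
from __future__ import annotations

import re
from dataclasses import dataclass

READ = frozenset({"GET", "HEAD"})
WRITE = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    host: str    # destination host as seen at the proxy/firewall
    path: str    # URL path (only visible for HTTPS if the proxy terminates TLS)
    method: str  # HTTP method


# Rules are evaluated top to bottom; the first match wins, and a request that
# matches nothing is denied. Fields: (department or "*", host suffix or "*",
# path regex, permitted methods, decision).
RULES = [
    # People with access to sensitive data get no social media at all.
    ("finance", "*", r".*", READ | WRITE, "deny"),
    # Everyone may use Facebook, but third-party apps (served under
    # apps.facebook.com) and chat are blocked. The chat path is an assumption.
    ("*", "apps.facebook.com", r".*", READ | WRITE, "deny"),
    ("*", "facebook.com", r"^/ajax/chat/", READ | WRITE, "deny"),
    ("*", "facebook.com", r".*", READ | WRITE, "allow"),
    # Marketing and support may post on Twitter; everyone else may only read.
    ("marketing", "twitter.com", r".*", READ | WRITE, "allow"),
    ("support", "twitter.com", r".*", READ | WRITE, "allow"),
    ("*", "twitter.com", r".*", READ, "allow"),
    # LinkedIn is read-only for everyone: scan profiles, don't edit your own.
    ("*", "linkedin.com", r".*", READ, "allow"),
]


def host_matches(rule_host: str, host: str) -> bool:
    """Match the host itself or any subdomain; 'facebook.com.evil.example' does not match."""
    if rule_host == "*":
        return True
    host = host.lower().rstrip(".")
    return host == rule_host or host.endswith("." + rule_host)


def decide_access(req: Request) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one request."""
    method = req.method.upper()
    for dept, rule_host, path_re, methods, decision in RULES:
        if dept != "*" and dept != req.department:
            continue
        if not host_matches(rule_host, req.host):
            continue
        if not re.search(path_re, req.path):
            continue
        if method not in methods:
            continue
        return decision, f"rule ({dept}, {rule_host}, {path_re}, {method})"
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Request("alice", "marketing", "api.twitter.com", "/1.1/statuses/update.json", "POST"),
        Request("bob", "engineering", "api.twitter.com", "/1.1/statuses/update.json", "POST"),
        Request("bob", "engineering", "twitter.com", "/home", "GET"),
        Request("carol", "finance", "www.facebook.com", "/", "GET"),
        Request("dave", "sales", "apps.facebook.com", "/farmville/", "GET"),
        Request("dave", "sales", "www.facebook.com", "/ajax/chat/send.php", "POST"),
        Request("dave", "sales", "www.facebook.com", "/home.php", "GET"),
        Request("erin", "recruiting", "www.linkedin.com", "/in/some-candidate", "GET"),
        Request("erin", "recruiting", "www.linkedin.com", "/profile/edit", "POST"),
    ]
    for r in samples:
        verdict, why = decide_access(r)
        print(f"{r.user:6} {r.department:12} {r.method:5} {r.host}{r.path:28} -> {verdict} ({why})")
```

Two things to check before trusting rules like these: ordering, since the finance deny only works because it precedes the general allows, and visibility, since path- and method-level rules are only enforceable over HTTPS if the control point terminates TLS; otherwise it sees the hostname and nothing more, and the policy silently degrades to host granularity.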
Some of these controls can extend outside the company as well. If an employee posts something they shouldn't from an off-network home PC or an Internet cafe, for example, Socialite can identify and archive the new posts the next time the user logs in to their accounts via the corporate net, notes Carter.
Another potential solution is data leak prevention software. About 70% of all data leaks are the result of an employee accidentally or intentionally spilling the beans, says Alexey Raevsky, CEO for Zecurion. DLP suites like Zecurion's can monitor all outbound communications -- email, chat, and social media updates -- and block anything deemed confidential or proprietary from leaving the company's network. But using DLP means keeping a close watch on what information your company deems sensitive and updating those filters regularly as it changes.
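The DLP approach, as an added example written for this article rather than Zecurion's software or rule set: an outbound message is scanned against a small inventory of sensitive patterns (constructed project codenames, a made-up ACC-######## account-number format, classification markers, and payment-card numbers confirmed with a Luhn check to cut false positives), then blocked if the channel is public and unrecallable or held for review otherwise. The inventory dictionary is the part the paragraph above says has to be maintained; the codenames, formats and sample messages are all constructed.

```python
# Added example: an outbound content check in the style of a DLP filter,
# written for this article. It is not Zecurion's product or its rules; the
# patterns, codenames, identifier formats and sample messages are constructed.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    match: str


# The inventory of what counts as sensitive. This is what must be kept current:
# codenames rotate as projects start and ship, identifier formats change.
SENSITIVE_RULES = {
    # Internal project codenames (constructed).
    "codename": re.compile(r"\b(?:project\s+)?(?:bluefin|kestrel)\b", re.IGNORECASE),
    # Customer account numbers in a constructed ACC-######## format.
    "account_number": re.compile(r"\bACC-\d{8}\b"),
    # Classification markers an author put on the text.
    "classification": re.compile(r"\b(?:confidential|internal only|do not distribute)\b", re.IGNORECASE),
    # Candidate payment-card numbers; confirmed with a Luhn check in scan().
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# A post to a public channel cannot be recalled, so it gets a hard block;
# point-to-point channels are held for review instead.
PUBLIC_CHANNELS = frozenset({"twitter", "facebook", "linkedin"})


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return every sensitive-pattern hit in text."""
    findings: list[Finding] = []
    for name, pattern in SENSITIVE_RULES.items():
        for m in pattern.finditer(text):
            hit = m.group(0)
            if name == "card_number":
                digits = re.sub(r"[ -]", "", hit)
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue
            findings.append(Finding(name, hit.strip()))
    return findings


def decide_outbound(channel: str, text: str) -> tuple[str, list[Finding]]:
    """Return ("allow" | "block" | "quarantine", findings) for one outbound message."""
    findings = scan(text)
    if not findings:
        return "allow", findings
    return ("block" if channel in PUBLIC_CHANNELS else "quarantine"), findings


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("twitter", "So excited that Project Kestrel finally ships next week!"),
        ("facebook", "Checking in at the Acme offices, big meeting with their execs"),
        ("email", "Customer ACC-00123456 disputes the charge on card 4111 1111 1111 1111"),
        ("twitter", "Order 1234 5678 9012 3456 shipped today"),  # fails Luhn, so not a card
    ]
    for channel, text in samples:
        verdict, findings = decide_outbound(channel, text)
        print(f"{channel:9} {verdict:10} {[f.rule for f in findings]}")
```

Note what the second sample shows: the "check in at the partner's office" status that the article cites as a real leak passes this filter untouched, because nothing in it matches a pattern. Pattern-based DLP catches identifiers and marked text; it does not catch context, which is why the filters need constant upkeep and why the tooling is only part of the answer.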
"Social media makes it easy to say things you shouldn't," says Bonvanie. "The technology needs to do more than a simple binary block or allow."
Taming the social network: Warning: Stupidity ahead, please exercise caution
The problem with using software tools to combat social media ills is that they lack a "stupidity filter," FaceTime's Carter notes. The world's best social media security or DLP suite can't keep employees from posting something dumb or embarrassing to their walls.
"What's most important is education," says Carter. "Educate, re-educate, and educate again. Put technology coaching solutions in place, where you can remind users of the risks regularly and remind them also of your company policy about visiting sites that are not relevant to business."
Every company needs to address social networking and create comprehensive policies governing how they can and can't be used. Yet four out of five enterprises lack such policies, says Kurt Underwood, managing director, global risk leader for IT for Protiviti, a risk management consultancy. That can lead to major legal and regulatory problems down the road.
"You can try to ignore social networks, but the legal and reputational dangers will still be there," he says. "If employees are using business resources -- network servers, desktops, or laptops -- to access a social media site or using any portion of it for business purposes, the data being shared on it needs to be viewed just as you'd view information shared across the company's email system. That's a big eye-opener for most CIOs."
Creating social policies doesn't have to be an ordeal. Sites like Social Media Governance or Social Media Today are designed to help organizations create workplace policies for social media. But the best source for laying the rules of the social road may be sitting in the corporate cafeteria.
When IBM needed to create Internet guidelines for its 400,000 global employees, it turned to the most logical source: the employees themselves. IBM published its first set of guidelines, covering blogging, in 2005; they were created via an employee-driven wiki. Those rules have been overhauled twice since then to reflect changes in technology, including a 2010 version that deals explicitly with social networks.
The guidelines are filled with commonsense advice; for example, they recommend not posting anonymously, trying not to pick fights, always writing in the first person, identifying yourself as an employee when posting about company matters, and making it clear the comments you post are your own personal opinions, not those of IBM.
What you won't find: heavy-handed warnings or details about the punishments meted out for social media misconduct.
"One thing that's critical and built into both our guides about social computing and about proper business conduct is the notion of trust," says John Rooney, program lead for innovation and collaboration at IBM. "We have a culture where we want our employees to understand they're trusted to act professionally and to represent the best interests of IBM. If potential conflicts do come up, we have ways to manage that. But we've had very few cases where we had to take any action in that regard."
The key to creating policies employees will actually follow is achieving the right balance between formal rules and gentle encouragement, says Scott Gracyalny, managing director and global lead of risk technology services at Protiviti.
"Generally speaking, the policy should be comprehensive but not so rigid that it causes employees to try to circumvent your security controls," he says. "It should be written in a positive tone that creates a feeling of empowerment, as opposed to 'don't do this' or 'you can't do that.'"
Another solution: "Don't hire stupid employees," says Jan Aleman, CEO for Servoy, a developer of hybrid SaaS and on-premises software with 108 employees. "At Servoy people already know what they can and cannot say on Facebook. As an open source company we don't have a lot of secrets. You can already see everything our tech guys are doing, because we commit our code to a public place. But if you had a bigger company or less intelligent people working for you, you'd probably want some guidelines in place."