March 09, 2009, 10:38 AM — Facebook, LinkedIn and Twitter, once viewed as high-risk, productivity-sucking applications, seem to have wiggled their way into the hearts of security teams nationwide. In fact, most organizations no longer block the popular web sites and allow employees to access these Web 2.0 applications at work, according to a new survey from the Security Executive Council.
The research, which was released this week at the CSO Perspectives conference, reveals that 86 percent of organizations that responded to an open poll on the council's web site said they do allow workers to use Web 2.0 applications, such as Facebook, LinkedIn and Twitter, while on the job and/or with a company-issued computer (See also: 3 Ways Twitter Security Falls Short).
The topic of social networking and work access was the subject of a spirited discussion among professionals who attended CSOP, a three-day event in Clearwater, Florida. Some in attendance pointed to Web 2.0 access as a necessary recruiting and retention tool.
"We talk about Web 2.0, but there is also a concept I call Employee 2.0," said Mark Small, vice president of enterprise sales with Websense, a security software provider based in San Diego."If you go out and try to hire some kids now, they ask: 'Can I have access to Facebook at work?' If you say no, they will go and work for someone else."
Small, in a presentation on Web 2.0 applications, noted that, among major employers in the United States, IBM currently estimates it has 33,000 Facebook accounts among its employees (See also: Slapped in the Face: Social Networking Dangers Exposed).
CSOs and CISOs who allow access to Facebook, LinkedIn, Twitter and other social networking sites were the majority voice in a panel discussion on the topic. Leslie Lambert, CISO of Sun Microsystems, said social networking sites have become a standard part of her hiring process.
"How many of you have hired someone recently without looking them up first on LinkedIn?" she asked the audience. Very few hands went up in response.
Those who restrict access in their organizations were also vocal on their reasons for holding out. Chief concerns included a potential hack or breach of company information because social engineering scams have become common on Facebook, Twitter, MySpace and other similar sites (See also: Dirty Tricks: Social Engineers' Favorite Pick-up Lines).
Derek Benz, CISO of Honeywell, said another concern is potential damage to the company's reputation.
"Many people form groups associated with their company on these sites and the company can not necessarily control what is said in those groups."
Lambert said Sun Microsystems was also concerned about what employees might do or say as a representative of the company on social networking sites. As a result, Sun has crafted an 'electronic discourse' policy that all workers sign before they start with the company. Policies, however, can only go so far in mitigating risks.
"I have a lot of policies," said Lambert. "But I don't run a police state."
Jerry Nolasco, a vice president of global information security with Franklin Templeton Investments in St. Petersburg, Florida, said he has opened up access to Facebook, Twitter and LinkedIn on a limited basis to select employees, such as human resources, who have a clear business need to access the sites. While only a small number can access the sites now, Nolasco admits he will likely open them up to all eventually.
"We are looking at re-engineering and investing in tools that will allow employees to securely use Facebook and Twitter at work," he said.