A Deloitte LLP survey echoes those results. Only 15% of 500 executives polled said that the risks of social media are being addressed in the boardroom, although 58% said they agree that it's important to do so. But even those that do have policies may not effectively communicate them. Of 2,008 employees that Deloitte surveyed, 26% said their employers had guidelines regarding what they could say online, 24% said they didn't know if their employers had such a policy, and 11% said that there was a policy but they didn't know what it was.
Not that a policy covers every base, says Ira Winkler, a Computerworld.com columnist as well as the author of Spies Among Us (Wiley, 2005) and president of Internet Security Advisors Group, an IT security firm whose services include espionage simulations. But certainly a hands-off approach is no longer an option, nor is blocking the use of social sites at work.
"Too many companies want to say, 'That's your private life, so I won't bother you,' " he says. "But people's insecure behavior at home proliferates insecurity in the business."
The concern isn't just that employees will divulge sensitive data outright. It's that they'll reveal enough information about themselves or their workplaces -- either in one profile or distributed over several -- to enable an imposter to assess their personalities and gain their trust, figure out responses to their password-reset questions or convincingly pretend to be a co-worker, business partner or customer (see "How Hackers Find Your Weak Spots").
"Little pieces of information put together the big picture," Winkler says. Valuable tidbits include birth dates; the names of children, pets and best friends; facts about employers or comments about how projects at work are going; lists of hobbies; updates about vacations or life-changing events; and links to friends. The information is simple to find, either by using reconnaissance tools such as those available at sites like Maltego.com and Pipl.com or by simply doing searches on Facebook or LinkedIn.