Our public website contains videos from YouTube, photos from Flickr and we also have a Twitter stream. All open to the public so that they can see what fabulous work we do. But if you’re a member of staff, you don’t have access, at least not from the workplace desktop. C’est ridicule!
The same applies to blogs, microblogs and other social networking sites such as Facebook (where a number of government departments already have pages.) Inside the enterprise, we don’t have a policy for managing the risk of accessing such sites; we have a blanket policy that prevents staff from accessing the sites.
If I want to research some blogs or do any kind of sentiment analysis about what people are saying about us on microblogs, then I have to write a business case. IT security perceives social networking sites as bad and dangerous. Any benefit to be had from such sites is seemingly outweighed by the risk of using them.
But the blanket policy of blocking sites does not work. If IT security think that blocking access from a desktop computer will stop staff accessing these sites, they are wrong. We have iPhones and Blackberrys. Also within the building there are a number of standalone computers for internet access. So we are going to access the internet one way or another, unmonitored by IT security.
Risks
What are the IT security risks? Malicious software, leaking information, identity and phishing attacks. All valid risks when using the internet and interacting with other people. And similarly, all valid risks of using email, which staff are allowed to access by default.
It is not the technology itself that poses the risk; it is how people use the technology.
Recommendations
Instead of simply blocking access from the workplace desktop, we should educate staff. Point out the risks and dangers of using social networking sites, of interacting with strangers and posting personal information. Highlight privacy issues. Implement an acceptable use policy for online social networks and trust staff to be sensible. Manage the risks instead of ineffectively attempting to block the risks.
We’ve all completed our mandatory information assurance training which covers use of email. Perhaps the training could also be extended to cover how to interact with social networking sites.