Social networking? Isn't that something we should prevent our business users from accessing? Seems like a pretty easy solution to me. Why would I want to even deal with the risks that might be associated with something that adds so little value and might even be a threat to my business?
Does this argument sound familiar? Well, if you haven't heard it yet, you will. Social engineering is growing rapidly as one of the primary ways people entering the workforce communicate. It's a communication medium they expect us old fogeys managing today's businesses to provide and support. According to Mike Spinney, principal of SixWeight, a communications consulting company,
"As a new generation enters the workforce, companies believe they're on the horns of a dilemma: lock out the social networking sites and deal with discontented employees, or leave access unfettered and absorb a loss of productivity But the issue isn't black and white. As a communications medium, there may be benefits to taking advantage of online social networking for developing valuable professional relationships. Companies need to become educated on the nuances of the various utilities and develop strategies and policies that take into account both the risks and the benefits." Source: Planning a company social network? Don't forget the privacy issues, Jay Cline, Computerworld, 10 April 2008
Looking at the benefits and risks is the purpose of this article. In a follow-up post, I'll provide a list of constraints to consider and a sample policy for controlling use of a company-owned and managed social networking solution.
The risks of business-supported social networking
So if there are business benefits, why not just flip the switch? The answer contains several possible issues beyond losing talent. Like the potential for data leakage.
Unfettered access to any public information sharing site includes risk of employees posting information not meant for public view. Even if posting sensitive information doesn't include malicious intent, even if employees are just having a friendly exchange with "Internet friends," the damage is still done. And data leakage can be much more than a nick in the competitive edge.
Regulatory requirements in the HIPAA, and industry expectations like those contained in the PCI standard, clearly describe company responsibility in protecting personal information. A leak of patient or customer information to a social network might result in fines and a public relations hit.
In addition to privacy issues, organizations are also concerned about employees' comments and opinions posted to a public site while using company-owned infrastructure. This is still an evolving area of the law. The potential for future cases in which organizations are held responsible for employee participation in online discussions when company services are used is still a concern I hear discussed when attorneys are involved in planning meetings.
Another concern I heard recently referred to employees writing about work methods, potentially creating discoverable ESI. Sharing information might be a way to exchange best practice and new ideas for handling common business challenges, but the threat of discoverability, the threat that management or a plaintiff might be made aware of questionable practices in satellite offices, is too great.
Finally, there is the question of productivity losses. What is the hit on the bottom line if employees are allowed to spend time networking instead of completing assigned day-to-day tasks?
These are all good points, and I've heard them discussed at several meetings recently. But there is another side to the social networking challenge.
The benefits of business-supported social networking
We've already reviewed one of the benefits of social networking: meeting the expectations of new workforce entrants. The old ways of communicating, of heads-down focus on daily tasks with minimal interaction with coworkers, are not necessarily the best approach to attracting and keeping the best and the brightest. Regardless of what we might believe, or the way we've worked for years, the workers who will one day take our place have their own ideas about how technology should be used. Failure to integrate communication methods that are part of their lifestyles will make organizations that do appear to be better work environments.
In addition to keeping employees satisfied, properly managed social networking can also please shareholders or customers. Two good examples are collaborative workspace projects implemented by the Institute for Johns Hopkins Nursing (IJHN) Leadership Academy in End-of-Life Care, and an employee assistance and sharing site created by Sabre.
IJHN wanted to provide a post-conference method for nurses to stay enthused about what they learned. Further, administrators realized the need for best practice sharing. Nurses across the U.S. sharing information about how they deal with specific issues would help provide better palliative care for all patients. Another reason they considered a collaborative workspace approach was the desire to unite the profession around common goals. Their solution was the deployment of online workspaces. Each workspace focused on the needs of the group accessing it. These weren't freeform, public social networking sites. Using Microsoft Windows SharePoint, the workspaces were for authorized users only.
More information about the IJHN project can be found in Microsoft's case study of the project.
Sabre runs must of the world's airline flight reservation systems. Its goals were similar to those of IJHN. Sabre wanted to improve business processes, enhance service delivery, and improve the bottom line. The company used its own legacy software to implement an online community, Sabre Town, for all its employees. Sabre Town allows users to post a question to the entire organization. A unique feature in the application sends the question to the 15 employees most likely to provide an answer. The 15 are selected based on what they entered in their online profiles, blog postings, and other Q & A participation. The alleged results are impressive, including:
- Sixty percent of questions are answered within one hour
- Each question receives an average of nine responses
- The system has led to over $150,000 in savings
More information about the Sabre Town project is found in the case study.
There are two important characteristics shared by these two solutions. First, there is a limit on scope. Both collaborative workspaces achieved employee interaction and business performance objectives with private, access controlled, social networking sites. This approach helps meet many data leakage and productivity concerns.
Second, employees are provided with a familiar approach to information sharing. No, it isn't uncontrolled access to Facebook, but it does tap skills employees learned on it and other social networking sites.
As you can see, there are benefits as well as risks to using business-controlled social networking solutions. Whether the benefits outweigh the risks is a question each management team must answer, given its unique culture, industry, regulatory issues, etc. However, it should be possible to achieve a balance between risk and benefit, especially if the solution is designed around a solid policy. This is the topic of Part 2.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.