Social Enterprise

Are social networking solutions safe for work?

There are benefits as well as risks to using business-controlled social networking solutions. Whether the benefits outweigh the risks is a question each management team must answer, given its unique culture, industry, regulatory issues, etc.

Social networking? Isn't that something we should prevent our business users from accessing? Seems like a pretty easy solution to me. Why would I want to even deal with the risks that might be associated with something that adds so little value and might even be a threat to my business?

Does this argument sound familiar? Well, if you haven't heard it yet, you will. Social networking is growing rapidly as one of the primary ways people entering the workforce communicate. It’s a communication medium they expect us old fogeys managing today's businesses to provide and support. According to Mike Spinney, principal of SixWeight, a communications consulting company,

"As a new generation enters the workforce, companies believe they’re on the horns of a dilemma: lock out the social networking sites and deal with discontented employees, or leave access unfettered and absorb a loss of productivity. But the issue isn’t black and white. As a communications medium, there may be benefits to taking advantage of online social networking for developing valuable professional relationships. Companies need to become educated on the nuances of the various utilities and develop strategies and policies that take into account both the risks and the benefits."

Source: Planning a company social network? Don’t forget the privacy issues, Jay Cline, Computerworld, 10 April 2008

Looking at the benefits and risks is the purpose of this article. In a follow-up post, I’ll provide a list of constraints to consider and a sample policy for controlling use of a company-owned and managed social networking solution.

The risks of business-supported social networking

So if there are business benefits, why not just flip the switch? The answer involves several possible issues beyond losing talent, starting with the potential for data leakage.

Unfettered access to any public information sharing site includes risk of employees posting information not meant for public view. Even if posting sensitive information doesn't include malicious intent, even if employees are just having a friendly exchange with "Internet friends," the damage is still done. And data leakage can be much more than a nick in the competitive edge.

Regulatory requirements in HIPAA, and industry expectations like those contained in the PCI standard, clearly describe company responsibility in protecting personal information. A leak of patient or customer information to a social network might result in fines and a public relations hit.

In addition to privacy issues, organizations are also concerned about employees' comments and opinions posted to a public site while using company-owned infrastructure. This is still an evolving area of the law. The potential for future cases in which organizations are held responsible for employee participation in online discussions when company services are used is still a concern I hear discussed when attorneys are involved in planning meetings.

Another concern I heard recently referred to employees writing about work methods, potentially creating discoverable electronically stored information (ESI). Sharing information might be a way to exchange best practice and new ideas for handling common business challenges, but the threat of discoverability, the threat that management or a plaintiff might be made aware of questionable practices in satellite offices, is too great.

Finally, there is the question of productivity losses. What is the hit on the bottom line if employees are allowed to spend time networking instead of completing assigned day-to-day tasks?

These are all good points, and I've heard them discussed at several meetings recently. But there is another side to the social networking challenge.

The benefits of business-supported social networking

We've already reviewed one of the benefits of social networking: meeting the expectations of new workforce entrants. The old ways of communicating, of heads-down focus on daily tasks with minimal interaction with coworkers, are not necessarily the best approach to attracting and keeping the best and the brightest. Regardless of what we might believe, or the way we've worked for years, the workers who will one day take our place have their own ideas about how technology should be used. Failing to integrate the communication methods that are part of their lifestyles will make the organizations that do integrate them appear to be better work environments.

In addition to keeping employees satisfied, properly managed social networking can also please shareholders or customers. Two good examples are collaborative workspace projects implemented by the Institute for Johns Hopkins Nursing (IJHN) Leadership Academy in End-of-Life Care, and an employee assistance and sharing site created by Sabre.

IJHN wanted to provide a post-conference method for nurses to stay enthused about what they learned. Further, administrators realized the need for best practice sharing. Nurses across the U.S. sharing information about how they deal with specific issues would help provide better palliative care for all patients. Another reason they considered a collaborative workspace approach was the desire to unite the profession around common goals. Their solution was the deployment of online workspaces. Each workspace focused on the needs of the group accessing it. These weren’t freeform, public social networking sites. Using Microsoft Windows SharePoint, the workspaces were for authorized users only.

More information about the IJHN project can be found in Microsoft’s case study of the project.

Sabre runs most of the world’s airline flight reservation systems. Its goals were similar to those of IJHN. Sabre wanted to improve business processes, enhance service delivery, and improve the bottom line. The company used its own legacy software to implement an online community, Sabre Town, for all its employees. Sabre Town allows users to post a question to the entire organization. A unique feature in the application sends the question to the 15 employees most likely to provide an answer. The 15 are selected based on what they entered in their online profiles, blog postings, and other Q & A participation. The alleged results are impressive, including:

  • Sixty percent of questions are answered within one hour
  • Each question receives an average of nine responses
  • The system has led to over $150,000 in savings

More information about the Sabre Town project is found in the case study.

There are two important characteristics shared by these two solutions. First, there is a limit on scope. Both collaborative workspaces achieved employee interaction and business performance objectives with private, access-controlled social networking sites. This approach helps meet many data leakage and productivity concerns.

Second, employees are provided with a familiar approach to information sharing. No, it isn't uncontrolled access to Facebook, but it does tap skills employees learned on it and other social networking sites.

Balance

As you can see, there are benefits as well as risks to using business-controlled social networking solutions. Whether the benefits outweigh the risks is a question each management team must answer, given its unique culture, industry, regulatory issues, etc. However, it should be possible to achieve a balance between risk and benefit, especially if the solution is designed around a solid policy. This is the topic of Part 2.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

8 comments
markidgconnect

The problems regarding social networking don't just start and stop with the distrust of the worker. This article: http://bit.ly/h9Jylr covers the widespread problem of malware/virus mass infection and the fickleness of bandwidth management. Mark at IDG Connect.

royhayward

Over time I think that we are all becoming comfortable with the technology of the internet. And then I read this. Is this still a question? Long before the internet, we were told in how to get a job lectures, to network. "Talk to people that you know." This hasn't changed just because Monster.com and flipdog.com got a hold of your resume. "Ok, so why do you need to social network now, you have a job. Are you leaving?" Asks the dinosaur, I mean manager. Well sir, you ask me to refer people to work here when there is an opening. How will that happen if I have no network of people to refer? Next, many of these networks group people by their discipline for support purposes. I belong to TR because I find information here that I use in my job. There are other sites. I am on LinkedIn.com for the purpose of maintaining contact with coworkers, and to meet new people in my field. Finally I maintain a blog about my work. (jobwork) TheIntegrationEngineer.com This blog does not expose company secrets, it just lets me share my expertise, and toot my own horn a bit. Blogging, IM, network and social sites are part of what make me a valuable employee in the tech sector. Hiring someone that does not participate on these would be to me, like hiring an editor that had poor grammar or who was illiterate. At work or not? This is a silly question. As, "The Network is the Computer," so is "The Social Network is the Employee." Do our employers want the whole employee resources, or just the small portion that fits in our heads?

CharlieSpencer

I'm as unmoved by social networking as most of my generation. That said, I'll point out that none of the security issues raised in the 'Risks' section are unique to online social interaction. These same data security breaches exist with IM, e-mail, blogging, and other forms of electronic communications. If an employee doesn't know when to keep his / her mouth shut, the only difference between these is a matter of scale (or 'scalability' for you Buzzword Bingo players). TR Feedback - as I was submitting this and selecting the tags to apply, I noticed the 'e-mail' tag option. In light of this topic I'd like to suggest the 'e-mail' tag be replaced. Perhaps something like 'e-mail / other messaging' or something else that reflects the different ways people communicate electronically. Just a thought.

CharlieSpencer

"Blogging, IM, network and social sites are part of what make me a valuable employee in the tech sector. Hiring someone that does not participate on these would be to me, like hiring an editor that had poor grammar or who was illiterate." Would you mind expanding on how you feel these help you? I've regarded these utilities as little more than toys. I made a limited try at blogging but stopped since I felt nothing I posted was of interest to me or anyone else, and that it took longer to write about something than to actually do it. I never got the job lecture about networking and I'm absolutely no good at it. I find social networking of no value to me simply because I have no one to connect with. To me, social networking web sites are about building an electronic version of your existing 'real world' network. I don't have one; I'm definitely not saying this is a good thing, just that without one I have no starting point in building an online network. I have about as limited an exposure to IM as it is possible to have without being comatose. I don't see the advantage of it over e-mail or telephone, especially since the same hardware is often capable of all three functions. I have an IM client at work, but I haven't found the circumstances when it would be useful. Don't get me started on Twitter. (Jason, you still out there, buddy?) My primary point is that I don't think my lack of experience in any of these areas keeps me from being a productive IT employee. IT is a very wide field and growing, and the tools you mention are a very tiny portion of the field. But I'm still trying to learn how these technologies could benefit me, and I'd like to hear another person's outlook.

boxfiddler

That's good, I like that. Thanks. :D

royhayward

I regret that my words imply that not using IM or the others makes one illiterate. My intent was to express that the value of these resources should be recognized. Reading the quote of my own words, I recognize them as being a bit arrogant. Sorry about that. Here are some expanded expressions and illustrations of how they are useful to me. Social Network sites: I have worked in IT for a while. Over this time I have accumulated a lot of former co-workers. I would not be able to contact most of them now as I don't know where they are. But, sites like Plaxo and LinkedIn help you find these people again by showing you people that say they worked where you worked. You can connect up with them if you both agree. I am working at my current job due to this. I wanted to make a move, and emailed a couple of buddies that I had lost track of and then found again on these sites. One of them knew another former co-worker that had contacted him looking for people like me. We connected the dots and I found a new job with some people that I had worked with 7 years earlier, but now at a new company. I am not talking about Facebook or the like. I do have a profile there, but mostly because my nieces and nephews are on it and I want to be the "cool" uncle. But there are professional networking sites like the ones I mentioned above. And they are for more than job searches. Last year I had a question regarding shipping internationally. I haven't really done any of that, but needed more than I was getting from Google. So I searched on those sites again for people that had commented on the related issue which is well out of my normal field of friends. I found two people in my group that I asked a question to; one responded with the information I needed. We talked a few times and if I ever need more help, or if he does, we have a contact to draw on. These are just me, there are lots of examples of how these sites get used.
Blogging: TR is an example that I would think would be self evident since you are here. But in case you are new to TR, there are more than just pithy discussions. There are white papers and downloads that you can find. Most of the time these are pretty basic, but I find that when I am looking for how-to docs or hints on something I don't remember how to do, that TR shows up in my search. I click on these first as I feel a sense of loyalty and trust as opposed to someDudesBlog.com. Blogging yourself is a choice. I wrote my blog because I wanted a place to showcase some of my skills and because I started giving advice to people over and over and wanted a place to park the knowledge and resources. Being familiar with blogging technologies is helpful. Blogs are different than forums are different than wikis. You navigate them differently, and they present users with a different feeling when they are used. IM or email: IM and email are not interchangeable. I use IM daily. Some of the IM 'buddies' are just over the cube wall from me. We mix verbal and IM conversations. I ask for the constraint name on a table, and the DBA on the other side of the wall IMs it to me so that I don't have to type it. It is immediate. Sure the same thing could be done with email, but then the constraint name email is cluttering up my inbox. I think it is kind of like people not getting the value of a post-it. Email is a document, IM is a post-it. They are not the same. But people find uses for both. I know that I didn't do much IM'ing when it first came out, but once I started really getting value out of it, I started to really like it. Also, in the middle of the night, when I am helping support a server, the IM tapping on the keyboard doesn't disturb my wife as much as talking on the phone. But it is much more immediate than email and is cheap to have a chat-room conversation compared to opening up a conference call. Anyway, I feel like I am ranting.
Anyway, at least for me, working where my social network sites, blog communities and IM are blocked or discouraged would seem to be working somewhere that I could only use one hand. This is probably not the case for everyone. But I would think that based on the size of the user base of these tools that I am not the only one to find them useful. To each their own.

CharlieSpencer

Hundreds of office workers filing into a large auditorium for an employee meeting. One guy at the door is surreptitiously passing out copies of a 5 x 5 grid with various buzzwords on it. Every time the speaker uses a trite business-speak phrase, the employees would search their grids to see if the term was on their sheet. Great ad; I'll bet the agency will be disappointed to learn I can't remember what they were selling. Say, there's an idea for an off-topic discussion...

jmgarvin

Back when I taught college, my students used to play Garvin Idiom Bingo. Good times...Good times....
