Employees using Twitter? Facebook? Study says blocking social networks does more harm than good
Corporate efforts to block or restrict employee access to social networks like Facebook may end up backfiring, according to a study released recently by Telus and the Rotman School of Management.
By Neil Sutton
The study, a 43-question survey with 523 organizational respondents, was conducted in summer 2010 and the results were released in November.
Approximately one in four organizations block access to social networks but they experience little or no benefit to their security landscape. In fact, blocking access may have negative repercussions.
Social networking has become so ingrained in the public consciousness in recent years that employees may try to circumvent internal security practices in order to access their favourite social network sites, said Yogen Appalraju, vice-president, Telus Security Solutions.
Some of those that aren’t able to access these sites on their corporate networks will turn to other means, such as viewing them on personal smart phone devices.
Established social networking sites don’t inherently pose a security risk, said Ben Sapiro, research director, security practices, Telus Security Labs — it’s how they are used. The key to safe use of social networks is education, he said. Currently, the biggest threats posed by social networks are employees who either by accident or through carelessness reveal sensitive data that could negatively impact their employer or say something that could damage their employer’s reputation.
There is growing evidence to suggest that time-wasting — employees devoting inappropriate amounts of work time to visiting social networking sites — is not as big a problem as some companies are led to believe, said Walid Hejazi, professor of business economics, Rotman School of Management.
The lines between personal access and work access are blurring so much that the typical understanding of 9-to-5 may no longer apply. In fact, allowing employees greater freedom at work may encourage them to stay in the office longer.
Sam Marafioti, CIO, Sunnybrook Health Sciences Centre, says his organization is still trying to figure out the best way to handle social networking and employee expectations.
He said he is trying to determine appropriate use both inside and outside of the workplace and set policies accordingly, since it affects branding.
IT security is of particular concern to Marafioti since he is responsible for safeguarding his patients’ health-care data.
“IT security has jumped to No. 1 of what keeps me awake at night,” he said. “An ever-increasing priority that requires commitment and leadership.”
Managing employee use and misuse of corporate networks is a growing challenge, he said. As a teaching institution, Sunnybrook is staffed with researchers who are constantly testing the limits of the organization’s internal security. Some breaches that come from within are inadvertent, he said; some from sheer “cheekiness.”
Marafioti said he is in the midst of retooling Sunnybrook’s risk strategy. As a health-care organization, “we live the risk mantra everyday,” he said.
Marafioti doesn’t believe the number of incidents and breaches at Sunnybrook has increased but there is a lack of detection and accurate reporting.
The organization is not currently quantifying breach losses but will formerly set up detection, monitoring, reporting protocols.
“We expect that we need to get the basics right and go from there.”
Other key conclusions from the Rotman-Telus study include:
• In the private sector, the number of breaches has leveled out
• There is a shift towards more targeted attacks tailor made to steal personal and corporate data
• Attacks are more stealthy and can go unnoticed by IT security departments for months or longer — well after damage has already been done
• Despite the severity of some attacks, survey respondents indicate that losses due to breaches have declined sigificantly
• IT security budgets are still well below 2008 levels — a reflection of budget cuts carried out in 2009
• Security budgets tend to range between three and nine per cent of overall IT spend