www.canadiansecuritymag.com

Fear not the online social networking generation

Online social networking sites (OSNs), whether you love or loathe them, are here to stay. But finding an easy balance between employee autonomy and corporate security can be difficult — particularly without an understanding of how the majority of OSN users think.



June 25, 2008
By Carolyn Yates


At the recent International Association of Privacy Professionals (IAPP)
Canadian Privacy Summit, held May 21-23 in Toronto, presenter Dr. Avner
Levin, of the Ted Rogers School of Business Management at Ryerson
University, spoke on the security risks associated with OSNs. The crux
of his discussion seemed to be along the lines of, “Look, these people
on Facebook don’t know anything about security! And they’re a marketing
gold mine! Ha!”

Dr. Levin failed to recognize a few things. Whether or not you know
anything about OSN security, the users sure seem to — or at least think
they do. Additionally, 90 per cent of Canadians between the ages of
18-24 are on Facebook, according to a 2007 study by the Privacy and
Cyber Crime Institute
at Ryerson University, and the number of older users is only
increasing. A scary thought: the users that aren’t already in the
workforce will be soon, and they’ll be working for you.

Problems arise when, instead of recognizing that social networking is
both widely used and not going away any time soon, experts such as Dr.
Levin insist on scrutinizing from a distance, referring to statistics
of users as “these people,” presumably meaning the greater force of
18-24 year olds who all of course have unfortunate clothing taste and
facial piercings. Making the assumption that OSNs are anything but
prevalent and on the rise is to encourage a close-mindedness which can
only be detrimental to the effectiveness of any security plan.

Beyond that, it’s exactly the wrong way to approach OSNs. Most
non-users or casual adult users can’t understand why anyone would
possibly want to post their personal information for the world to see.

Which, of course, misses the point entirely.

OSNs are used the same way the over-30 age bracket uses e-mail or the
phone. Imagine only getting e-mail once a day — or not at all at work —
and only making a handful of calls: total communication breakdown.
Trying to stop that age bracket from accessing their OSN of choice
during downtime at work is going to be more difficult than ever and, despite
those users who like to keep work and life separate, stopping casual
comments about the workplace will be even harder.

For both the user and the security manager, privacy should be an issue
with OSNs. Assuming, of course, that that person knows their way around Web 2.0. Like anything else, if the people using the network and
creating that security/privacy risk have more knowledge than the guy
trying to manage those risks, someone’s going to have a problem. And it
won’t be the users.

There is undeniably a self-policing aspect to online social networking
— regardless of the network in question. Any access to information that
makes users personally identifiable is a risk — particularly when that
information contains full names and addresses. While users are called
upon to provide that information themselves — along with hobbies,
favourite bands, books and movies, and education and work history, the
choice to provide that information is ultimately theirs. Which is a
scary thought. After all, it’s those users who are gleefully handing
over their personal information online, and some of them are your
employees, which presents yet another problem.

Information extends to discourse in a public forum, whether on a wall
or blog, and includes both written and photographic content, the
disclosure of which can range anywhere from meaningless to catastrophic
on the Scale o’ Corporate Disaster. And while, according to the Ryerson
study, 71 per cent of users adjust their privacy settings to restrict
access to their profile, those restrictions don’t always hold up to
testing.

At the end of last March, a hacker exploited a privacy
update on Facebook to access and repost several restricted-access
pictures on Paris Hilton’s profile. And while the woman is hardly a
corporation, damage can still be done. If she had been a company, and
there had been financial information or trade secrets instead of
drunken photos, things could only go downhill from there.  

As China is discovering, there is no truly effective way to police the
Internet, and while policy or site blocking may prevent employees from
accessing OSNs at work, there is not yet an effective means of
controlling what they do at home, unless violating rights and privacy
is an option.

Carolyn Yates is a McGill University student and intern with Canadian Security. She falls in the 18-24 age bracket. She is also accepting requests to join her OSN.