Social Insecurity

04/30/2009 10:29

Every day, our communications are becoming more interconnected. Whether it's receiving work and home email on your phone, updating your Linkedin status at work, or accessing work files from home, the line between home life and work life is more blurred than ever. While all of this interconnection can make our lives easier, we must be aware of where sensitive data is being accessed and stored, and the information security implications.

As an employer, the first step in preventing any issues with social websites, or internet communications in general, is to decide on clear policy to let the everyone know what they can and can't do. The policy can be as relaxed or stringent as is appropriate to your working environment, but should be clear, concise, and in plain English (avoid legalese). Then of course, the decided policy needs to be uniformly enforced. Contact your network security provider for guidance on written policies and enforcement.

Let's adopt a security mindset, and take a look at a common scenario: you get into work on Monday morning, and log into Facebook to tell your friends and family about your weekend.

1. Does this violate any workplace policies?
Organizations have (or should have) written polices to let their employees know what is acceptable to do with the organization's time, computers, and internet connection. Computers and internet connectivity can be expensive, and employees are generally not hired to socialize. Depending on the policy, this may be just fine or may be grounds for dismissal. Regardless of the policy content, the policy should be in writing and clearly understood.

2. Is any work being discussed or communicated over this site?
Some of our online “friends” may also be our co-workers, and it is possible to communicate with them through social networking sites (Linkedin, Myspace, Facebook, etc.). If your are communicating work related information, you should be very conscious of a few issues.

First, are there any laws regarding disclosure, archival and retrieval of the communications? If so, using a private, third party communications medium may be in violation of these laws. Your organization loses control of the information once it's been posted. In other words, do you know Myspace.com's archival and backup policies, and do they comply with the regulations for your industry?

Second, the security of the connection to the web site must be taken into account. This is true both while information is being uploaded and after it has been posted. Anytime I post anything online that's not meant for public consumption, I always try to do so over any encrypted connection. In fact, many social networking sites allow an encrypted connection. Change the "https://" portion of the site's URL to "https://" and see if you can connect. The extra "s" indicates that SSL (Secure Sockets Layer) encryption is being used, the same as when you make a purchase online.

Third, and perhaps most important, there is a truism regarding the internet: "You can't take something off the Internet - it's like taking pee out of a pool." (https://www.quotegarden.com/internet.html) In other words, once posted, that information is beyond our control. Default access to communications can vary on social networking sites, but usually access is granted to anyone designated as a "friend". If one of these "friends" re-posts the information, you have just lost control of it as any of their "friends" can now see it and re-post ad infinitum.

NOTE: many of the above considerations also apply for any communications not controlled by your organization including texting, instant messaging, personal email accounts, video conferencing, internet phones, etc.