
IT Consultants' Insight on Business Technology | NSK Inc.


Social Networking On Company Time


Protecting your "Social" Security - Part 2

Survey results from Symantec have shown that half of all social networking at work is conducted for business purposes. Although bosses may cringe to hear that 50% of social networking done in the office is for pleasure, it may come as a surprise that personal social media in the office actually increases productivity (we'll get to that in a second). Although this is good news, many organizations don't have security policies in place to safeguard company activity conducted on social networks.

The Good

A recent article in the Boston Metro reported findings from a study conducted at the University of Melbourne. Researchers found that typical 9 to 5ers who spent about a fifth of their workday using the web for personal browsing were actually more productive than those who were on the web for strictly business purposes.

The article also stated that workers should "batch" their personal activities, recommending a twenty-minute session for every two hours of work for optimal productivity.

InformationWeek posted similar findings. A report from Forrester Research (conducted this past January) found that 70% of IT personnel viewed Web 2.0 and social media as having a beneficial impact on their organization's productivity. 78% believed it helped their organization provide improved customer service. 80% thought social media had a positive impact on their company's innovation.

The Bad

According to the InformationWeek article, many organizations don't have a policy regarding social media usage. Some (about 5%) outright block access to sites such as Facebook, Twitter, and MySpace. A policy this extreme could result in less productivity, lower-quality customer service, and a sour workplace atmosphere.

Instead, companies should provide guidelines for employees and create a way to monitor how social networking is being used during office hours.

The Ugly

Without any policies in place, an organization is susceptible to a number of attacks, including clickjacking, worms, spam, and phishing, that can enter its internal network via social media websites.

The Bottom Line

If your office is in the Twitterverse, using Facebook, or posting pictures to Flickr, you need to have a set of rules or regulations in place to protect not only your employees' privacy, but your organization's privacy as well.

Password Security and Social Engineering


Tips on Password Security

Never give out your password.

This has been briefly mentioned previously, but it is worth reiterating. Unless a court order specifies otherwise, you should never, under any circumstances, give your password to anyone. Surprisingly, this especially includes your help desk or IT staff. One common trick employed today by attackers to get your password is to just ask you for it. This takes advantage of the natural desire most people have to be helpful and is known as social engineering.

Using social engineering, an attacker can call you, tell you they are with the IT help desk, and voila! Most people will hand over their password without hesitation. The truth is that the real help desk and real IT staff should never need your password. If they need access to your files, they have the administrative ability to gain access with their account.

The same is true of e-mail and anything else to which you have access. When they use those administrative privileges, it leaves an audit trail which ensures that their activity is legitimate. When someone uses your password instead, there is no audit trail. All actions on your account with your password are, in most places, legally your actions. By handing over your password, you are, in effect, granting whoever has your password power of attorney for your account.

The only reason anyone would need your password is if he is too lazy to do his job correctly, inept and unaware of how to do his job correctly, or up to no good. In conclusion, the next time someone asks for your password, ask yourself if you trust someone who is lazy, inept, or up to no good with what could be your career.

 

Written by:

Ben Howard - MCSE, Security+, CCNA Security, NSA 4011
Senior IT Associate - NSK Inc.
