Entries Tagged 'Security'

Rejoice! Employee use of social networks has tripled!

Palo Alto Networks is out with its annual numbers on employee work time spent on social networks. The company’s conclusions are based on analyzing raw data from 1,600-plus companies for a seven-month period last year. Their press release on the study confirms something we already suspected: “explosive growth in global social networking and browser-based file sharing on corporate networks, with a 300 percent increase in active social networking (e.g., posting, applications) compared with activity during the same period in the latter half of 2010.”

The press release quotes the company’s CMO, René Bonvanie, saying “Whether or not employees are using social networks or sharing files at work is no longer a question; this data clearly demonstrates that users are embracing and actively using such applications.”

But, since network security is Palo Alto Networks’ business, the conclusion Bonvanie reaches is that you’d better watch out because productivity and network security are at risk. So the reporting of the study will serve mostly to encourage the lockdown of social channels at work. That conclusion, as far as I’m concerned, misses the point entirely.

In fact, a tripling of employee access to social networks is a cause for celebration, not panic.

For example, the numbers point to widespread adoption of Twitter at work. Nobody’s playing Farmville on Twitter, but we know from the Society for New Communications Research (SNCR) study, “The New Symbiosis of Professional Networks,” that professional peer groups have moved from proprietary networks to Twitter, LinkedIn and Facebook. It’s likely that a lot of the tweeting going on from work is work-related.

In 2010, the bandwidth consumed by employees for Facebook apps, social plugins and posting was 5 percent. In the new study it has risen to 25 percent. Isn’t it interesting, though, that Palo Alto Networks includes “posting” as one of the activities driving the increase?

The numbers also point to file sharing sites as the source of a lot of bandwidth consumption. Of course, posting to and visiting Slideshare and Scribd, for instance, are good things, not something to worry about. These are places where knowledge is transferred.

The reason workers are using social networks is, in large part, that these channels are increasingly becoming a routine part of how work gets done. Yes, I understand that some people abuse their access and that companies need to address concerns over the introduction of viruses and other infections, but these issues need to be addressed without hamstringing the bulk of the population that uses social networking to improve their productivity and the company’s performance.

Social channels are exactly where employees need to be, given the results of Edelman’s 2012 Trust Barometer, which was released today. According to the Executive Summary:

(As trust in CEOs dropped, trust in) “a person like me” has re-emerged as one of the three most credible spokespeople, with the biggest increase in credibility since 2004, and now trails only academics and technical experts. Regular employees jumped from least credible spokesperson to tied for fourth on the list, with a 16-point record rise. Social-networking, microblogging, and content-sharing sites witnessed the most dramatic percentage increase as trusted sources of information about a company, rising by 88, 86, and 75 percent, respectively.

These results alone should make it clear that a tripling of employee engagement in these channels bodes very, very well for companies.

If you need more evidence that this is just the way people communicate, there’s another report from ReadWrite Enterprise that wonders whether dumping email as a channel for employee-to-employee communication might just make sense. One of the reasons online veteran David Strom cites is that, “as social media becomes more prevalent, it becomes easier to have conversations in the public eye, or at least on the corporate Intranet.” He lists activities like posting questions and replies in these channels.

There are other shifts leading to email’s demise – the shift to mobile, and that IM, group chats and other technologies work better. Of course, email between the company and anyone outside the organization would remain a regular communication tool.

But Strom’s post reinforces the point that we’re using social networks at work as an important part of getting the job done because it’s just more efficient. That’s what technology is supposed to do. Of course, there are organizations that get this. CNN Money profiled nine companies from the list of the best companies to work for that have added social networks to the workplace. For example, Intuit’s @TeamTurboTax draws upon product managers and engineers to tackle customers’ problems. Intuit says that when the tax season comes around, employees throughout the pipeline volunteer to contribute to the effort to respond to customers. So, would all those posts be counted in the Palo Alto Networks’ “posting” data? And if so, that kind of traffic needs to be viewed as a company advantage, something to be nurtured, not a cause for locking down the organization.

I posted an item to my blog last week praising Zappos for its handling of the server security breach. One of Zappos’ actions was to send an email to customers. A few of the few comments to my post came from people who hadn’t gotten that email. It didn’t take long before someone from Zappos left a comment that apologized, explained that the emails are going to tens of millions of customers in batches and that took a while. He then let everyone know what to do without waiting for the email. He signed his comment, “Jonathan, random Zappos employee.” Again, these are legitimate work-related purposes to which these channels are being used. I’d start training employees to do more of this, not make it harder.

But Palo Alto Networks has an incentive to put its view out there as a press release that’ll find its way into the inbox of a lot of executives, and that’s why you’ll continue to see companies blocking employee access, as more than half of companies in Ireland do.

Finally, remember the Altimeter Group’s social media preparedness study, which points out that companies that train their employees on policies and practices experience a far lower risk of problems arising from social media than those that bolt the doors.

If your employees aren’t among those whose use of social media at work has tripled, you have a reason to be concerned. Your competitors that understand that shift in work processes are primed to kick your ass.

I initially reported on this story on today’s episode of “For Immediate Release: The Hobson and Holtz Report.” It is cross-posted from my primary blog at holtz.com.

Is social media “stupid and vainglorious?”

In response to the last post, challenging Barclay Communications’ rationale for blocking employee access to social media, a blogger named Jeremy Probert, on the wordmonger’s blog (lower case is his, not mine), declared social media to be “stupid and vainglorious.” He wrote:

It’s been a long time, gentle readers, since I came across something that deserves an award for its icky, sticky, company hippy nature, its inherent stupidity and intellectual laziness and its truly horrible smug and self-satisfied tone. But today is the day – it chills my very soul to introduce this, the Stop Blocking website and it disheartens me even further to link to this, a piece entitled ‘Demolishing Barclays Communications’ Blocking Argument Point-by-Point’.

At first, I dismissed this as just another business pundit whose worldview hasn’t shifted since “The Organization Man.” But Jeremy does make points that are worth addressing debunking.

Most of Jeremy’s challenges are based on the fact that he read just this post, and didn’t bother with the rest of this blog where his arguments have been addressed repeatedly. Still, there’s nothing wrong with reiterating and reinforcing these points (which Jeremy generously calls “idiocies”):

Apparently, all workers, regardless of status or paygrade, put in extra hours and therefore compensate for any time that they may waste using social networks. Of course they do. In the same way that they all love the company that they work for, its senior management and its brands

We’re mostly talking about information and knowledge workers. And no, not every one of them puts in extra hours. However, there is clear evidence from substantial, empirical, comprehensive research that Millennials do. As for those who don’t (and this point will re-emerge repeatedly), clearly communicated and enforced policies will deal with abuse.

Monitoring and addressing productivity is a supervisor’s job, not IT’s. Blocking everybody as a means of addressing problem workers is a great way to kill engagement and drop employee trust to zero. As American Express’s vice president of communications James Lynch said yesterday at the Ragan Social Media Summit here at SWIFT headquarters in Belgium, blocking access is not a smart risk-mitigation strategy.

By the way, I’m a believer in public execution. Reward and recognition are the only way to drive culture and behavior change in an organization. Announcing to the entire organization that an employee was terminated for violating the company’s policy can do more to keep employees on the straight and narrow than blocking policies that employees can override as easily as pulling out their smart phones.

Productivity suffers if employees can’t connect to social networks at work (thanks, University of Melbourne!). Apparently use of social media ‘resets an employee’s concentration’. How DID we manage to concentrate before?

First, the University of Melbourne didn’t produce the only study to reach this conclusion. Independently, for example, MindLab International conducted research that arrived at the same results. Jeremy can sniff at these results all he likes, but until he can produce research results to the contrary, I’ll continue to point to these studies.

As for how we managed to concentrate before — we didn’t. A colleague of mine — who manages a team at a global consulting firm that produces technology solutions — told me he and his team are under intense pressure to produce a high number of billable hours. Yet after five or six hours of continuous work, concentration slides so badly that work produced after that needs to be redone, so the pressure to put in the hours becomes counterproductive. And he lauds his team as the cream of the coding crop. It’s just, he says, that at a certain point without breaks, concentration declines.

Anyone who believes that the workers sitting in rows of desks, being supervised by stern overseers to make sure they didn’t waste time, were more productive than today’s workers who do take breaks and visit their online communities is simply deluded.

Because the US Department of Defense has opened its networks to social media, does not mean that LargeCorp Industries LLC (in the business of profit, not homeland security) should – it’s not a question of risk from cyber-attack, it’s a question of perceived need and value. (In any case, I would ask whether the ‘private in the field in Afghanistan’ is free to change his status willy-nilly (‘Safe behind a wall’ to ‘In a ditch with blast concussion’) or to share any sort of geographic or temporal information)

Jeremy, I have to ask if you read Barclay Communications’ argument at all. The very point they made is that opening networks to social media puts networks at risk to cyber-attack. That was their entire point. That’s what I was responding to.

And no, Jeremy, of course not: The Department of Defense, once it decided that social media was a “field of maneuver” rather than a “fortress to be defended,” implemented training to ensure soldiers kept both themselves and the unit safe. As DoD senior strategist Jack Holt put it, the military teaches soldiers to be safe in the desert, on the seas, in the skies; they can train them to be safe online. Should you be interested, Jeremy, you can listen to my interview with Jack here or his interview with Eric Schwartzman here.

Clearly, I never suggested that companies should simply open their networks. They need to implement policies and guardrails so employees can protect both themselves and the company, and the organization can ensure that they reap the benefits of employees’ online activities while mitigating the risks.

(Doesn’t all of this just sound like common sense? Somehow this escaped Jeremy. Sadly, he’s not alone.)

Company ‘confidentiality can be violated anywhere, even an elevator’. True – but your average elevator holds 12 people and Facebook holds a potentially eavesdropping audience of 450 million. Go figure

I’m not aware of any Facebook account with 450 million friends. Are you? And a privacy violation is a privacy violation. The HIPAA fine won’t be any larger for violation on Facebook than it would be for a violation in an elevator.

The point is that closing off access to Facebook doesn’t solve the problem; educating staff about privacy does.

Of course, Jeremy ignores the rest of Beth Israel Deaconess Medical Center President and CEO Paul Levy’s larger point: blocking Facebook shuts down the ability for employees to build community, and it closes off the communication channel of preference among younger employees. Paul notes that he often gets useful suggestions and ideas from employees who don’t use email. (If you have children who are teens or in their twenties, you know this.)

‘Many employees carry smartphones – or they can (access social media) from home after work’ – again, true. But what they do on their own time is their own business – unless it contravenes company policy on how they may represent themselves as employees, or the laws of the land – in which case they get fired. In the workplace – well, the clue is in the name – ‘work’place. Not ‘fun’place or ‘do-your-own-thing’place

I am frequently accused (as Jeremy does) of being some kind of employee rights advocate. I’m not. I’m a business advocate. Understanding that Millennials (and, to a great degree, GenX) operate in what they call the “weisure” world — the cross-over of work and leisure — is vital. Work happens where it makes sense, whether it’s in an office or at the beach. Why? Because they have grown up as hyperconnected individuals where proximity is not required for work to be done. The idea that proximity is a requirement for knowledge/information workers is a relic of the era from which Jeremy has failed to move.

A study noted by American Express’s Lynch noted that 39% of Millennial employees won’t work at companies that block Facebook — or will leave if a new block is implemented. That’s not because they want to have fun, but because Facebook is how they communicate and collaborate. Consider, for example, the results of the study, “The New Symbiosis of Professional Networks,” conducted by SAP in conjunction with the Society for New Communications Research (SNCR). The study found that organizational decision-makers who have access to their social media peer groups make better and faster decisions. Where, primarily, do those professional peers reside, according to the study? Facebook, LinkedIn, and Twitter. Seventy-six percent of those professionals visit these networks once or more per day, where they…

  • Access thought leadership and information unavailable inside the walls of the company
  • Showcase the company (building brand recognition and supporting organizational goals from recruiting to sales)
  • Increase the speed of collaboration
  • Research business decisions

Another study showed that 40% of IT professionals use social networks to seek advice from peers on technology purchases. Clearly a stupid and vainglorious activity.

As for the whole “fun” thing, no, the workplace doesn’t need to be fun. But employees do need to be engaged (which means they make discretionary effort on the company’s behalf). Companies with large populations of highly engaged employees produce greater growth by far than others. It’s hard to imagine engaged employees in organizations where the first message they hear is, “We don’t trust any of you as far as we can throw you.” It’s also hard to imagine companies blocking access showing high levels of job satisfaction.

As for “do your own thing,” perhaps you’ve heard of a concept called “innovation.” Google practices it, with employees required to spend a certain amount of time innovating based on their own ideas. Have you checked Google’s valuation lately? I’d also point you to the book “Empowered,” by Forrester analysts Josh Bernoff and Ted Schadler, which promotes the idea that employees’ “own thing” ideas of how to use social media to better serve customers can produce a significant marketplace differentiation.

‘If normal use of bandwidth (this refers to employee use of social media) is slowing (your) network to a crawl, get more bandwidth.’ Just go to your finance guys and ask them to approve an increase in your budget, to purchase bandwidth to allow your employees to update their Facebook statii. That’s bound to work. Job done

Jeremy, please allow me to introduce you to the notion of “making a business case.” This concept involves demonstrating that the investment will produce results that exceed the cost.

All of this is hopelessly Utopian – the ideals of an imaginary world where everyone is nice, contented, loyal and trustworthy. Well, here’s the wake-up call. They’re not, and you need to bear that in mind when thinking about social media use in the workplace.

If your hiring practices result in bringing in employees who don’t embrace the preferred culture of the organization, that’s your fault. You can dismiss all this as “utopian” all you like, but companies like Cisco Systems and zappos.com seek culture fits above all else in their recruiting, and they reap the benefits. Hiring people you don’t trust is an archaic practice. If you engage in it, you have nobody but yourself to blame. To suggest that it’s simply not possible is nothing more than lazy.

Social media is wasteful and vainglorious.

First, this seems odd coming from somebody writing on his blog. But still…

This is the lynchpin statement that showcases the author’s stupendous ignorance. I hear it repeatedly from people who have not made the slightest effort to explore the research that proves precisely the opposite. General Motors is selling cars by allowing employees to talk about their driving experiences on Facebook from work. Sprint is solving customer problems it identifies through employee volunteers on Twitter. Best Buy is driving customers to its stores via 2,500 employees who answer consumer product questions posed on Twitter — from the store floor. Home Depot’s staff can produce videos or test results to respond to home improvement questions posed through social media channels. Through the employees’ social networks, companies are improving recruiting, identifying competitive intelligence, sourcing subject matter expertise, obtaining training…the list goes on.

There are thousands upon thousands of case studies, and hundreds of research studies, that prove the stupidity of such throwaway statements as “social media is wasteful and vainglorious.” The simple fact is, supported by policies and processes, employee engagement in social media can drive growth and profitability.

What is stupid and vainglorious is leaders who dismiss social media despite the avalanche of quantifiable evidence to the contrary.

Demolishing Barclay Communications’ blocking argument point by point

An article by Barclay Communications appearing in a tech publication from Northern Ireland is strident in its insistence that blocking employee access to Facebook is a requirement in the face of so much risk.

“According to a recent MyJobGroup study, over half of the UKs workforce could be trying to check and update their social networking sites in work,” the article asserts. “As a result social networking has become one of the biggest and most dangerous time wasting activities in the workplace.”

With glee, I’m going to destroy every argument Barclay’s IT services manager, Stephen McPeake, makes. After all, the four “biggest risks” McPeake cites are exactly the four I’ve been shooting down for the last couple years. (In fact, I’m developing an 11-part video series that covers these — along with the benefits organizations can accrue from employee engagement in social networks — that I’ll upload to YouTube as I complete them.)

Productivity

McPeake says: “Consider an employee on minimum wage, working an 8 hour day, but wasting two hours of that on social networking. In the end that one employee could cost a company up to £3,000 a year in lost working hours.”

True enough, if that employee…

  • Only puts in eight hours in the office. He doesn’t come in early, he doesn’t stay late. He clocks in at 8 a.m. and leaves at 5 p.m.
  • Never works away from the office. He never takes a conference call, responds to email, or does any other work at home, at the beach, at the park, on vacation. Increasingly, this is a ridiculous assertion, particularly as the Millennial generation enters the workforce with its concept of “weisure” — the blending of work and leisure both in the office and at home.
  • Engages in online activities that produce absolutely no value to the organization, such as evangelizing product, sharing competitive intelligence, or seeking subject matter expertise that can’t be found inside the organization.

The fact is, productivity stands to suffer if employees can’t connect to Facebook or other networks. The University of Melbourne has produced research that shows productivity increases 9% among employees who are able to access the Net for fun during work. That’s better research than the insipid back-of-the-envelope calculation McPeake (and his ilk) has produced.

But productivity from the use of Facebook goes beyond the Melbourne rationale — that spending some time on the Net for fun resets an employee’s concentration, bolstering his ability to get work done efficiently. Last month, a Gartner representative predicted 20 percent of employees will use social networks rather than e-mail as their business communications hub by 2014. Paul Levy, President and CEO of Beth Israel Deaconess Medical Center, also sees the importance of Facebook as a channel of staff communication, writing that blocking Facebook “creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20’s and 30’s who tend not to use email.”

So much for productivity. Let’s move on to McPeake’s second risk:

Attacks from hackers

McPeake says: “Social networking is one of the newest and most effective ways for hackers to gain entry into peoples’ computers. They pose as trusted friends or connections and then send you a private message recommending a site, video or link. Since they are your ‘friend’ you think nothing of viewing, opening or even downloading whatever they are recommending.”

Tell it to the Marines, Mr. McPeake. After all, this past February U.S. Secretary of Defense Robert Gates issued a directive opening social networks on all of the Department of Defense’s networks, enabling everyone from a member of the Joint Chiefs of Staff to a private in the field in Afghanistan to participate on Facebook and other social channels. The rationale was simple: The DoD decided that the Net was a field of maneuver, not a fortress to be defended. (That’s my favorite metaphor for this whole issue, by the way.)

So how does the DoD protect its network from hacker attacks? After all, whose networks require stronger security than the military’s? Multiple approaches are taken, including strong network protection from infection. According to my contacts in the DoD, there hasn’t been a serious infection since the decision to open the network so soldiers and staff can participate in social networks.

If the U.S. Military can do it, so can your organization.

Frankly, Mr. McPeake’s recommendation to shut down access is nothing more than the easiest, laziest way to protect a network. It’s (obviously) not the only one.

So with network security behind us, it’s time to shift gears and address Mr. McPeake’s third risk:

Data Leaks

The article points to multiple instances of employees compromising intellectual property using social networks, then points out: “Last month many German companies, such as VW and Porsche were so afraid that their employees would give away trade secrets and be less productive with social networking sites that they completely blocked them.”

The stupidity of this argument is so deep it’s difficult to know where to begin. But let’s start with Beth Israel’s Paul Levy who, in the same post cited above, notes that confidentiality can be violated anywhere, even an elevator. Employees don’t need Facebook to do it. That reminds me of the instance of the Coca-Cola employee who stole a vial of liquid and some papers from a filing cabinet and tried to sell them to PepsiCo (which, to its great credit, turned the employee in; she’s now doing time).

Facebook and other social channels are nothing more than one more channel through which company IP can be distributed — and it’s not much different than email, when you get right down to it. And let’s not forget that employees don’t need the company’s network in order to disclose IP. Many employees carry smartphones with access to social channels, or they can do it from home after work. Blocking access does nothing to stop this bad employee behavior. Training, education, and enforcement of policies will do far more.

And it’s also worth noting that Porsche, as clueless as its blocking effort is, opted to keep YouTube open because of the wealth of training material available through the video sharing network.

That leaves only one more argument from Mr. McPeake:

Slows a company’s internet connection

Barclay Communications argues, “Streaming videos, constantly updating news feeds, playing games and downloading pictures will utilise a large majority of a company’s broadband speed.”

Technically speaking, this is true. I know one hospital that reluctantly locked down staff access to Pandora, the music streaming service, because so many people were using it and leaving it on all day that vital patient data was moving slowly through the network.

But consider the parallel situation 25 years ago when communication was largely print-based rather than digital. Did you ever hear one of those organizations proclaim that they wished they could send out an employee newsletter but, damn, they just didn’t have enough paper?

The notion is absurd. Companies bought enough paper to meet their communication needs.

Bandwidth is the paper of the digital age. If normal use of bandwidth is slowing the network to a crawl, get more bandwidth. It’s easy to make a business case for this bandwidth, particularly as organizations begin to recognize the substantial business value that exists when employees (adhering to policies) can access social media from work.

That’s business value to which Mr. McPeake is blind. Instead, he says, “We would recommend that you completely block social networking sites with a Firewall such as Smoothwall.”

Do you get the feeling Smoothwall is a Barclay Communications client?

In any case, my advice to Mr. McPeake is to stick with IT and leave business decisions such as these to people who understand that the risks he cites are no risks at all when properly addressed. You have to wonder if Mr. McPeake ever read a quote from Allan Seckel, Deputy Minister to the BC Premier and head of Public Service, who has spoken widely about opening access for all BC employees. Social media, he said, is playing a more and more important role in the everyday work of public employees. Blocking access can impede the ability of employees to do their work, leading them to circumvent blocks and use their own equipment.

And, as an article in the Pittsburgh Post-Gazette noted, “Email as we know it will soon give way to a more fully networked form of communication, which companies will learn to adopt. The only question is whether they will do so early or late.”

It’s time to chuck recommendations and arguments like Mr. McPeake’s into the trash, where they belong, and begin looking ahead to the networked realities of the world of work.

The futility of blocking social media

Tuesday at Gartner’s Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control or even block its use is akin to monitoring employees’ home phone calls and rifling through their postal mail.

“All this message traffic is not in your infrastructure,” Walls said. “It all takes place out there in the cloud,” plus it can be accessed from anywhere, and users’ privacy settings can make monitoring nearly impossible. “At the root of it is staff productivity, and security isn’t responsible for monitoring and managing the productivity of the organization.”

Some believe social media represents a growing platform for malware distribution, but Walls countered that argument, noting that antimalware vendors he’s spoken with say social networks are being victimized by the same malware plaguing email and websites. “So if I’m going to block social media on the basis of malware distribution,” Walls asked hypothetically, “why not block email?”

via searchsecurity.techtarget.com

The article goes on at some length to chronicle Walls’ arguments against blocking social media in the workplace, even making a vital point that has been at the heart of my argument: Organizations will, he said, come to realize the value of hiring someone who possesses a vast social network. “The most valuable people,” he told the audience, “are going to be the ones who demand social media the most.”

The entire post is well worth your time, particularly if you’re trying to make the case against blocking in your organization.

Blocking isn’t the only way to maintain security

Cross-posted from my primary blog, a shel of my former self

In a comment left recently to a post I wrote for Stop Blocking back in October 2007 about malware on Facebook, David Jones with CommerceMicro wrote:

Stupid, out dated information.

We have users that repeatedly get infected with viruses and spyware no matter what level or type of antivirus and antispyware software we install. It’s rather odd that ONLY THOSE particular users get re-infected day after day and that they all have MySpace accounts, FaceBook accounts, or whatever. Their employers have to continually pay us to come and clean these infections.

My reply was a bit terse. I asked Jones if he believed all the companies that don’t block access were lying about not encountering the problems he cited. (And no, I wasn’t snarky enough to point out that “outdated” is one word.)

The security issue does, however, appear to be supplanting productivity concerns as the main reason companies block access to Facebook and other social media sites. Among the dominant social networks, Facebook presents the biggest risk to company security, according to 60% of the respondents to a survey of 500 companies conducted by Sophos, an IT security organization. No other network comes close. MySpace ranks second, with 18% of companies identifying it as a concern, followed by Twitter (17%) and LinkedIn (4%).

The concerns are not illegitimate. Incidents of reported malware and spam attacks through social networks have jumped 70% since April of last year. Social networks have become common launching pads for a couple of particularly nasty worms. The risk of infection, though, is not the only security issue that keeps IT staff up at night. Employees’ individual behavior represents a risk, particularly as web-unsavvy employees fall prey to phishing and other devious ploys. And then there’s the fear that employees will share information they shouldn’t.

Sarah Perez goes into considerable detail on the Sophos report in her post on ReadWriteWeb. Perez also notes that even Sophos isn’t advocating an outright block, despite the study’s findings:

Unfortunately for those in charge of enforcing corporate security, simply blocking Facebook and other social networks via URL is not a realistic solution anymore. The networks are often a large part of a company’s marketing and sales strategies, notes Sophos, meaning they cannot be blocked outright. Instead, companies are encouraged to use a unified approach for mitigating threats that combines data monitoring, malware protection and granular access for their employees.

A Financial Times article (free registration required) has the same advice, noting that organizations have too much to gain from employee interactions on social networks. The article, penned by the head of an information risk management and e-discovery firm, rightly notes that letting employees access social networks from work gives them “the ability to locate the right people, information and expertise quickly, but they also greatly aid external networking, sales and marketing activities.”

The article (which I discovered on the Idea Peepshow blog) notes that 89% of businesses in the UK have no policies governing employee use of social networks and calls for companies to establish and enforce such policies.

As I’ve noted before, protecting the company is a matter of ensuring the proper network safeguards are in place (such as anti-malware/spyware software and the latest virus definitions) and that employees understand their responsibilities.

It works in a lot of companies that don’t block access. It can work in yours.

There are solutions to security issues other than blocking

I spend a fair amount of time on StopBlocking.org debunking the myth of lost productivity so many people fear will result from employee access to social media. Productivity is just one of the two big fears expressed about employee access, though. The other is security; specifically, the prospects for the introduction of malware and viruses.

Nobody claims visiting Facebook or Twitter, in and of itself, will result in infection. The worry is that employees will load a seemingly innocent but actually malicious third-party app or click a shortened URL that leads them to a page crafted to infect computers or relieve employees of confidential information.

I have no intention of minimizing the risks ever-present on the web. There’s no shortage of scumbags who want nothing more than to exploit you.

But let’s be clear: Simply blocking access is the lazy, easy way out. By taking steps to protect the company’s networks — steps that take a bit of work — your systems can remain pristine while your company can reap the benefits of employees who network with prospective customers and recruits while building higher levels of engagement with existing customers.

There are plenty of resources online that outline how to protect a network. One of the best I’ve seen appeared on ReadWriteWeb, authored just a couple months ago by Sarah Perez. She lists eight ways to keep your networks safe:

  • Don’t assume a link is “safe” because it’s from a friend.
  • Don’t assume Twitter links are safe because Twitter is now scanning for malware.
  • Don’t assume Bit.ly links are safe.
  • Use an up-to-date web browser.
  • Keep Windows up-to-date.
  • Keep Adobe Reader and Adobe Flash up-to-date.
  • Don’t assume you’re safe because you use a Mac.
  • Be wary of email messages from social networks (because email addresses can be “spoofed” by hackers).

Perez provides a lot of detail on each of these points — the post is well worth reading — but it all comes down to two workplace realities for companies that want to do business in the networked world:

  • Employees need to be educated and held accountable.
  • IT departments need to keep systems updated.

I’m routinely surprised by the number of companies I visit where every employee desktop is running Internet Explorer 6, where employees can’t update Flash or the Adobe Reader, where updates to software aren’t pushed out on a regular basis. I know IT departments are stretched thin and devote an inordinate amount of time to maintaining legacy systems because their budgets have been slashed. But failing to keep employee computers updated is like the manager of a corporate auto fleet failing to change the oil or the air filter and letting employees drive around on bald tires.

As for employees, both IT and internal communications need to undertake an effort to educate employees about their own obligations when using the web — for work or non-work purposes. It’s incumbent upon companies to make their employees security-literate so they don’t follow unsafe shortened URLs (show them how to find out where the URL actually goes first) or respond to questionable emails.

As this blog has pointed out repeatedly, there are tremendous benefits that can accrue to organizations that encourage their employees to interact on social networks. The solution to the risks involved is not to simply shut off access, but rather to minimize the risk through good, old-fashioned hard work.

What employees see vs. the truth

A colleague sent this screen capture to me. It’s what he got on his work computer after he tried to access this site, StopBlocking.org:

That’s right. Websense — maker of site-blocking tools — blocked this site. Now, Websense could have been truthful in its explanation for why it blocks access to StopBlocking.org. It could have said, “We’re not providing access to this site because if you read it and agree with it, you may no longer want to pay us for our products.” Instead, Websense resorts to dishonesty. In case you can’t read the small print, here’s what it says:

“Security risk blocked for your protection. This Websense category is filtered: Proxy Avoidance. Sites in this category may pose a security threat to network resources or private information, and are blocked by your organization.”

Let’s be clear: This is a WordPress blog and a WikiMedia wiki. It’s nothing but text and graphic images. There is no software to download, no forms to complete. You need a password to edit the wiki, but that’s just to keep spammers out. No personal information is collected as part of the password process. And you don’t have to be a wiki editor to read the wiki contents, so there’s no need to even get a password if you don’t want to contribute to the contents.

In other words, in absolutely no way is StopBlocking.org a security risk.

I can’t say I’m surprised. Any company that would make up numbers about lost productivity would make up excuses to mask the real reason they don’t want you to read the contents of a website.

TUC offers up workplace advice for social networks

The UK’s Trades Union Congress has published a three-page brief outlining its position on how companies should deal with social networks like Facebook. The PDF document covers four main issues…

  • Productivity – “We believe that good employers should consider allowing their staff personal use of the internet in general at the workplace, during break times, provided this is used responsibly and doesn’t interfere with work or could compromise the employer’s reputation.”
  • Personal conduct — “Employers may have some valid concerns about the way their employees conduct their personal lives, such as breaches of commercial confidentiality or damaging the company’s reputation by slandering co-workers or clients…(but) we’re concerned that some companies may be over-reacting to this increased level of knowledge about what their employees say about their work.”
  • Recruitment — “Any employer who takes equal opportunities in recruitment seriously should not be considering this. As only a minority of potential staff will have public profiles on social networks, using information from this source can give an unfair advantage or disadvantage to certain candidates.”
  • Security – “If employers help staff with training on IT security and identity theft, those staff will also have a better idea of how to minimise security risks to themselves and their company on social networking.”

These are just excerpts; read the entire document. I have to disagree with the TUC’s recruiting stance. After all, if I have a Facebook profile that helps me win a job over somebody who doesn’t, all I’ve done is exercise some initiative to make myself more marketable than the competition. It’s not the candidate’s problem that others haven’t figured out that a solid online presence can help you get hired.

Malware on Facebook? Guess again

The irrational urge to block employee access to online content often results from a kind of mass hysteria: Somebody makes a claim and others blindly accept it as fact — especially if it was reported in the mainstream press.

Such is the case with one of the most oft-cited reasons for companies to block access to Facebook. No, not worries about lost productivity (which still ranks as the most frequently cited rationale), but worries about the risk Facebook poses for infecting a company’s servers. It was reported that Facebook’s open API is leading to the development of apps that contain malware.
Well…not exactly. It’s actually “scareware.” And it’s not coming from any of the third-party apps, but from Facebook’s own “Facebook Flyers” application. As noted in a piece from Mashable:

These ads that show up on your Facebook pages in a similar manner to content-specific Google Ads has been found to be scamming folks left and right. Some of the discovered ads are posing as a dating service, redirecting you to a site that says “Your machine could be infected” and then onto a site for a product called Malware Alarm.

The people behind such marketing are still scum, but let’s be clear: This is a far cry from downloading a virus, yet that’s exactly the reason cited for blocking employee access to Facebook.

It would be nice if the IT powers that be would check their facts before falling in lockstep behind these ethically-challenged marketers.

Nearly half of companies block Facebook access

An article in SearchCIO.com asserts that the hoopla over companies banning Facebook access may be overblown. Citing a study by the InfoTech Research Group in Canada, the article by Shamus McGillicuddy contends, “Despite security and bandwidth worries, fewer than half of IT managers recently polled ban employee use of consumer-oriented social networking Web sites such as Facebook and MySpace.”

While it’s great to hear that 54% of companies aren’t blocking, the fact that nearly half are restricting access should cause jaws to drop. Nearly half of employees are kept from these services, resulting in lost business opportunities and reduced employee engagement. It’s also hardly reassuring to learn that the main reason companies aren’t blocking is because they have other priorities and not out of a recognition that the benefits of providing access outweigh the risks.

The article also cites an American Management Association study that finds:

65% of U.S. businesses block connections to inappropriate Web sites, such as pornographic or sports gambling sites, a practice called URL filtering. The chief reason businesses block access to Web sites is to prevent the spread of spyware and other forms of malware, said Lawrence Orans, an analyst at Gartner Inc. in Stamford, Conn. He estimates that about 20% of commercial organizations block social networking sites.

Hmm. Malware and spyware are of greater concern than the Human Resources issues that could arise from such behaviors. But again, such filtering often inadvertently blocks inoffensive and useful content. Keeping employees away from porn and gambling — and malware and spyware — should be a management issue, not a technical one. (I don’t block anything from myself at home and my reasonably priced anti-spyware and anti-virus packages have kept my computer from becoming infected.)

Some may take comfort from these numbers. I find them alarming.