Microsoft | NHS Resource Centre


Sidewinder on unsocial networking


Social networking is all the rage right now, but what are the security implications of poking* in the workplace? Davey Winder investigates… 

On the face of it, using Facebook (or MySpace or similar social networking sites) does not appear to be the greatest security risk in the world.

Indeed, the arguments that are often put forward for banning the use of social networking sites in the workplace usually revolve around their reason for being: they encourage users to make friends, chat, socialise and generally waste away the hours.

Although there are no statistics that cover just the NHS in this regard, a recent poll by Global Secure Systems suggested that these sites are costing UK businesses somewhere in the region of £6.5 billion per year in terms of lost productivity.

Concern about this potential productivity drain has caused some trusts to ban social networking. Medway Foundation trust did this recently, arguing the sites have “no work related elements.”

 

 

Very popular

However, a simple search for “NHS” on Facebook quickly shows that such sites are very popular indeed with NHS staff. The search revealed more than 500 NHS related “groups” covering many NHS trusts and containing more than 100 members each on average.

So are trusts right to be worried about staff using NHS time and resources to socialise in this way? The TUC suspects that organisations are over-reacting. It ran its own survey and found that only 17 per cent of the employees questioned actually access Facebook while they are at work.

There is also an argument that policy is a better policeman than a padlock – that it is more important for staff to understand what is acceptable behaviour and what is not online than to try and keep them off social networking and other sites altogether. Ask Human Resources and they will probably tell you that a happy workforce is a more productive one.

What they probably won’t tell you about, however, are the myriad - and growing - dangers that social networking can represent from the IT security perspective.

 

 

But not that safe

Without wishing to be a party pooper, I suspect that the lost productivity argument is something of a red herring. IT managers should not let themselves be sidetracked by it from the far more important issue of security.

The first problem with social networking sites is their “conversation down the pub” atmosphere, which can lead to the accidental publication of confidential information - and drop employers firmly in the data protection mire.

Then, there is malware to deal with as well. Malware aimed at social networking sites exploits the double whammy of people feeling safe with their mates and developing the habit of downloading web-based applications known as widgets to “enhance” their site experience.

At the start of the year, for example, threat researchers at Fortinet uncovered a malicious widget called Secret Crush, which spread itself by emailing friends in a user’s social network (ostensibly in order to reveal which of those friends had the hots for the user).

Human nature being what it is, around 3 per cent of the Facebook population (that’s more than a million people) installed the widget to find out who fancied them. They never did find out, of course, but they did have to download a “crush calculator” application that came with an unwanted adware application.

Fortinet also revealed more recently that spammers are targeting Facebook users by posting links on their message walls that lead to spam sites – which are well known for hosting Trojans and other assorted malware.

 

 

Some friendly advice

The current NHS Connecting for Health policy with regard to accessing social networking sites on NHS time seems to be that there is no policy. It’s a matter for individual trusts to determine what is an acceptable use of resources and what sites staff should be allowed to view. So, some best-practice guidance might not be a bad idea:

Management:

 
1. Include social networking within your Acceptable Use Policy guidelines, making it clear what is regarded as unacceptable conduct within the online world and covering issues such as confidentiality, data protection and potentially libellous gossip.
2. Spell out your policy regarding use of trust resources during working hours for non-trust related activity.
3. Make sure that all staff are educated not only in terms of understanding trust policy, but also in understanding how to behave safely and responsibly online. Another bunch of rules will not be well received; taking some time to ensure both personal and trust safety online will be appreciated - and yield a more effective response.
4. Monitor Internet usage and enforce policy rules if breaches are discovered.
5. And finally, if productivity loss, resource usage and security implications remain problematical, consider a block on all social networking sites during working hours.

 

 

Staff:


1. Don’t think that only your friends can see what you say on social networking sites.
2. Don’t treat these sites as the same as chatting in the pub after work (although you shouldn’t breach patient privacy or discuss confidential issues there, either).
3. Don’t abuse your employer’s trust by spending time on Facebook when you should be working.
4. Do remember that malware exists within these seemingly safe environments.
5. Do abide by employers’ acceptable use and acceptable conduct policies.

 

* By the way

Poking is one of the many ways of interacting on Facebook. If you didn’t know that, then apologies for making you spill your coffee.

 

About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.

 
