Social networking sites, while encouraging contact building and, as some have suggested, providing a fantastic opportunity for online marketing and recruiting, are the root of four problems: loss of productivity; impact on network resources as bandwidth is eaten up; the threat of social engineering and phishing resulting in data or identity theft; and the risk of malicious material finding its way into the corporate network.
According to a study undertaken by information security consultancy Global Secure Systems and the organizers of the Infosecurity Europe 2008 exhibition, the use of such sites is costing UK business an estimated $12.5bn per annum in terms of reduced output. A similar study showed that employees spend at least 30 minutes a day visiting these sites. In some cases, employees admitted spending up to three hours of their working day taking care of their online profile.
The question that is being asked is should employees be allowed to use social networking sites, or extending the options, personal email and personal affairs (online banking)? There are three options.
First, a company can simply ban not only access to social networking sites (in the extreme case – no internet at all).
Secondly, it can allow employees unrestricted access, confident that they will only use it during their lunch break and they will not download material on to the network.
The third, is to monitor and limit staff access to these type of sites, including general internet browsing and downloading.
Looking at each option, it is clear that outright banning, while increasing security, also sends a negative signal to employees, imposes limitations on those who need to access the internet and ignore the employee’s ‘right’ to spend his free time at work as he or she chooses.
The second option, unrestricted access, is obviously dangerous and no system administrator would want employees to be visiting and downloading material from sites that are known to contain viruses etc. Also the uncontrolled downloading of material or widgets from Facebook could be a security threat.
The third option is probably the best and means striking a balance. Companies can install software that monitors what sites are being visited and allows administrators to block those that are not permitted. At the same time, administrators can also block access to certain sites, such as Facebook, for most periods of the day except during lunch or after hours. Companies can also prevent or block downloads from these sites by implementing policies for particular file-types.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.