Security and Social Networking


by Lawrence D. Dietz, TAL Global

Staying Ahead of the Problem


Social networking, as embodied by sites like MySpace, Facebook, Flickr, LinkedIn, Bebo and others, has gotten quite a bit of publicity recently. No less a publication than The Economist (18 October 2007 edition) ran an article scoffing at the financial valuation of this class of site in spite of the lack of a concrete business model or return. Unfortunately, the security practitioner is not so fortunate as to be able to conveniently ignore a new trend or technology simply based on its financial viability. More than one article has been published marveling at the graphic details often posted on these sites. In this article we provide guidance and insight on assessing the relevance of social networking to your security posture.

First of all, it would be imprudent not to point out that the demographic for a social network is quite young, with the under-25 age group being the principal constituency. At this point it would appear that the aim of social networking is actually quite basic: to expand one’s web of social contacts by publishing information (photo, audio, video, data) about one’s self.

Market research analysts have indicated that there are a number of business benefits to social networking, chiefly the ability to research this market for your products/services and/or to engage in direct dialog with your current and potential consumer customers.

Notwithstanding this early emphasis on consumers and consumer marketing, there are important aspects of social networks for business as well. TAL Global has divided the social networking market into roughly two groups: Social and Business. The former category includes the mainstream social networks such as MySpace and Facebook. The Business category includes sites whose goal is to foster and benefit from business connections and networking. Two sites in this category are LinkedIn and Plaxo. Each has relevance for organizations.

Organizations dealing with social networks must be aware that using information gleaned from them may have privacy implications. Consequently, General Counsel should be apprised of any activity regarding social networks before it is undertaken. Organizations must consider not only the rights and interests of individuals whose information is on the network, but also the contract terms of use for the network itself. Organizations that are ‘mining’ information on selected networks may find that they have violated the terms of access and could find themselves on the wrong end of a lawsuit.

We are aware that many HR departments, recruiters in particular, make use of social networks to find candidates and to learn more about them. Networks such as LinkedIn can be particularly useful in this regard because individuals are likely to put their best professional foot forward when creating their profiles. Researchers can learn about the specific technical skills of individuals, which in turn can lead to inferences about the IT or telecommunications infrastructure of their current or past employers.

Social networking profiles may reveal more about the individual than a potential employer needs to know or frankly wants to know. Since this area is relatively nascent, organizations should consider developing policies now before issues develop. For example, HR should determine if research about new applicants should include social networking sites and if so, employment applications should be revised to give permission to view the applicant’s website on any public/social network.

TAL Global recognizes that social networking is just coming into its own and that organizations may not feel it is a major security concern at this point. However, we feel that we need to track new trends on behalf of our clients and provide insight when we deem it appropriate. Consequently, we feel that organizations should:

  1. Develop a policy that balances the company’s need for operational security and the employee’s right to privacy and self-expression.
  2. Assess whether the organization should engage in an on-going ‘intelligence’ program. These programs can be offensive and defensive. From a defensive perspective, organizations can determine what information is available about the company and perhaps determine if there are any indications of individuals who might be violating company policy. From an offensive perspective, the company can gather legitimate competitive intelligence.

  3. Develop and present a continuing employee education program stressing how employees can get the benefits of social networking without sacrificing their personal freedom or privacy.

     1. Perhaps a booklet: A Business Survival Guide to Social Networking.
     2. Provide advice to employees as parents that will keep their employees’ families and home systems secure.

Organizations that are interested in pursuing activities with regard to social networking should contact us.