I work for a large financial services company.  We take our responsibilities for protecting and enhancing our clients’ wealth exceedingly seriously.  We are also one of the most highly regulated industries – and of course we all expect that to become even more true in the aftermath of the recent recession.

When faced with new technology we always have to look at both how it can be used positively and also assess the risks it poses.  Social networking technology is one of those types of technologies that seems to have what I call a “barbell” shaped profile: it has some incredibly strong benefits, and at the other end of the spectrum, some very big risks.  Technologies with this profile are among the most difficult to manage because people really want to use them and the risks are very difficult to mitigate.

Since our industry is very risk averse we always seem to focus on the risks first – so let’s look at the basic risks:

  • We don’t want other people to know who our employees are.  There are two main reasons:
    1. Corporate Recruiters – they are well known for using social networks to identify employees to contact for job openings at our competitors.
    2. “Bad guys” use social networks to learn who our employees are and then target them for phishing or social engineering attacks.  A phishing email is pretty hard to resist if they spoof your boss, who “sends” you an email with an embedded link and a message that says “take a look at this and get back to me ASAP”.  Check out the “Nightmare scenario” below for another frightening example.
  • We are concerned about information leakage – there have been a few examples already of corporate employees who felt so comfortable sharing with their “friends” on a social network site that they posted details of the “secret” project they were working on.  What would/do our employees post?
  • Alternative messaging platform – We generally have to monitor and archive employees’ email – this means we have to block access to alternative email systems.  Many (most, all?) social networks have the equivalent of email and instant messaging.  So our employees can communicate with other people outside our corporate email system and corporate controls – this is an issue.

Now let’s look at some of the positives:

  • Great for networking and staying in touch with colleagues.  This is of course how most people use social networks and I think most people are at least somewhat aware of the risks.
  • Your company’s brand can be enhanced through embracing the new tools – if your company has a Facebook page, or a sponsored company group, or is on Twitter you are seen as “progressive” – hip, now, cool, etc.
  • Younger employees will grow up plugged into social networks.  My children (ages 13 and 15) won’t know a world without them.  Can you attract and hire these people if you shun their world?  Not only that, but as a parent I know that we sometimes adapt to our children’s communication paths rather than the other way around.  Both my wife and I now use SMS to communicate with our children because that is the best way to reach them.  In the future maybe I will communicate with them via Facebook (assuming they accept my friend request).
  • Speaking of attracting new employees – social networks are proving to be very valuable for recruiting new employees into our organization (as opposed to being used to lure them away, as described under the risks).
  • Attracting and retaining clients – this is perhaps the most exciting area for this technology.  For example, shouldn’t we be linking social networking technologies to our CRM (Customer Relationship Marketing) systems? The benefit of linking the two areas of CRM and social networking is ensuring you have all the latest news (and gossip) available in your CRM system, so you are in a better position to talk to the client about things that are affecting them at that time. This would give them some confidence that you were taking the time to understand their business. It may give you more information about their pain points and how your services/products could help. It may also generate ideas about how you can respond to market trends or competitive products. Even in this new world the old adage that knowledge is power remains key.

Other considerations:

  • Blocking the sites from work does not prevent the behavior – employees simply engage in it from home or elsewhere.

Here’s where things get really interesting – you can simply “forbid” the use of social networking at your company – and you can buy technologies that will even block it from your employees.  But can you really control it?  Facebook has an iPhone client, a Blackberry client, and is of course accessible to your employees everywhere they are not at work.  In other words, you can’t put the genie back in the bottle.

Not only that, but companies are definitely behind the curve because their employees are already using this at work.

In my opinion the benefits of the technology outweigh the risks, but the risks must be addressed and mitigated.  I have always felt you stand a better chance managing technology by embracing it rather than shunning it.  The Internet itself is both one of the greatest tools invented by mankind and a cesspool.  How many companies have successfully “shunned” the Internet?

- The Wandering CIO

================================

“Social media users believe there is protection in being part of a community of people they know. Criminals are happy to prove this notion wrong.”


Nightmare scenario: This is a perfect example of why Facebook is a nightmare to a corporate CIO:

We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

The majority of our [target’s] employees were using Facebook, so we created a Facebook group site identified as “Employees of” the company.  Using a fictitious identity, we then proceeded to “friend,” or invite, employees to our “company” Facebook site. Membership grew exponentially each day.  By creating a group, we were able to get access to employees’ profiles. We chose to use the identity of one of our Facebook-friended employees to gain access.

[NOTE: notice if the company had embraced social networking and already sponsored a legitimate company site this would have been much harder to pull off.]

On the day we intended to breach the facility, our guy was dressed in a shirt embroidered with our [target’s] logo, and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception.

Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, a connection to the Internet, and a 24×7 card access key to the building.

Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company’s sensitive secrets. 

Sources:
