It has been more than a year since social media use surpassed email in terms of worldwide reach. And with social media quickly threatening to do the same in the enterprise, changes brought to IT departments large and small now reach well beyond advances in technology and into the realm of privacy and security concerns.
In a few years, we will look back at the introduction of social networks into the business environment as a revolutionary change, similar to the magnitude of change we saw after the advent of email more than 20 years ago. We may well have a collective “what were we thinking” moment when considering what we would have missed out on had we not embraced the social networking revolution.
Social networks must be adopted within the enterprise because of the potential windfall in productivity and collaboration. However, privacy is an important concern, and collaboration and privacy may well be mutually exclusive.
Like email, social networking is here to stay. The challenge for those charged with leveraging new technologies within the corporate environment is to strike an effective balance between the capabilities the new technology will unlock for the company versus policy concerns, including security and privacy.
To begin to address this, we do have to first encourage the use of social networking within the enterprise. While this may seem to be an obvious first step, there are always those resistant to changes in the ways they are used to doing business. And while the digital natives within the organization may be ready to take off at a full sprint, many of us will probably need to walk before we run. We have to test, experiment and get comfortable before racing headlong into the world of Web 2.0.
Prior to a full migration onto social networks, we must have in place realistic policies that define appropriate use. Of course, we also have to communicate these policies to employees, verifying both that the message is received and understood, then providing training and reinforcement of these policies on a routine basis. Once in place, we must audit for appropriate behavior and reprimand as needed. After all, the use of social networks is not a right, and abuse of this privilege must have consequences to deter such behavior in the future. These guidelines should help to build a human firewall, promoting behaviors that protect information within the company while achieving a measure of operational security that cannot be realized by technology alone.
Reasonable people would not deliberately disclose personally identifiable information or corporate intellectual property. But as we have seen time and again, it only takes one employee to click on a malicious link in order to open the entire company up to the whims of a hacker. In the long-term, we must encourage vendors to develop new technologies that eliminate the human risk as much as possible. But technology will never be a silver bullet. Nothing will ever fully replace responsible human judgment or eliminate the need to educate employees as to where the boundaries are.
Over the past 20 years, we have placed much emphasis on technical security controls – firewalls, IPS, encryption and the like. But with the increased use of social networking technologies, the need for effective operational security (OPSEC) will become at least as important as the digital firewall.
Firewalls and IDS can be easily grasped and understood, while OPSEC is not and is thus often ignored. But with the coming migration of enterprises onto the social net, the need for effective OPSEC, i.e., the human firewall, will become at least as important as the digital firewall.
Rick Tracy is the CTO and CSO of Ashburn, Va.-based Telos Corp.