Social networks: To ban or not to ban?

IT security teams across the globe must be getting used to requests to ban employee access to certain websites. While employers have long been advocates for blocking staff access to sexually explicit web content, the list of no-go sites has recently expanded to include social networking sites such as MySpace, Facebook and Bebo.

Reasons for these bans vary. Many organizations believe that staff members spend too much time talking like a pirate and turning their friends into zombies, and not enough time doing what they get paid for. Others are worried that employees might accidentally or deliberately reveal confidential data, leak intellectual property or make statements about the organization that could put the company at risk.

Some employers may fear that employees could be headhunted by recruiters trawling social networking sites for potential new hires. And many companies would simply prefer to pretend that Facebook and its ilk don't exist, fearful of the loss of control that arises from employees, customers and other stakeholders being able to air their opinions of the organization in public online.

But employers should not be so hasty to impose blanket bans on access to social networking sites. For certain divisions and business units, these sites can hold vital information and business opportunities – and blocking access to them for employees working in those areas may actually be counter-productive and affect the overall bottom line.

Human resources departments, for example, have been using social networking sites for some time both to keep an eye on the online behavior of existing employees and to vet job applicants before making a job offer. The news is rife with stories of job candidates being rejected because an HR director found unsavoury photos on the internet, but it works the other way too – recruiters can gain a more accurate picture of an applicant's skills and personality from their online profile, which can help them select the most appropriate candidate for the role.

Corporate communications functions, too, need to be able to scan these sites to keep abreast of what's being said about the company or brand online, and to address any potential reputational risks before they spread across the internet or escalate into the mainstream media. Banning access to these sites won't make potential problems go away, but it could ensure that employers don't learn about them until it's too late.

Marketing staff should also be interested to see how customers and potential customers talk about the company online. They may then be able to use sites like MySpace and Facebook to network with customers and create or participate in online communities of interest around the organization or its products and services.

In the financial services industry, the wealth of personal detail that people tend to supply on social networking sites could be very helpful to staff required to observe Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations. It isn't an unreasonable assumption, for example, that the “friends” lists of suspect or blacklisted individuals can provide insight into those people's associates that banks might not have access to otherwise.

Credit card companies, cell phone providers, mortgage lenders and other organizations whose business relies on extending credit to customers also have a duty to understand the dynamic of online social networking and to appreciate the risks that it presents to their own business and to their customers.

Facebook profiles, for example, typically provide more than enough personal information – name, address, date of birth, phone number, relationship status, employer details – to allow identity thieves to apply for loans, credit cards, and bank accounts in someone else's name. The risks are not academic; British newspaper The Daily Mail reported on July 27 that Londoner Victoria Sennitt had been the victim of identity fraudsters using information from her Facebook profile to open a cell phone contract in her name.

With so much information that was once private now so freely available, credit providers must be on their guard. Risk management procedures like background security checks, especially for new customers, should be tightened up in order to ensure that identity thieves cannot use information commonly available on social networking platforms to obtain credit fraudulently.

Social networking platforms are emerging, evolving and diversifying at such speed that individuals and organizations are finding it difficult to keep pace with the change. But one thing is for certain: with millions of people around the world now publishing personal information and opinions online, companies that react by blocking access to social networking sites for all employees may be creating more problems for themselves than they are solving.

- Paul Johns is Chief Marketing Officer for Complinet
