Security Basics mailing list archives

RE: Allowing access to social networking... securely?


From: "Robin Smith (FaceTime)" <rsmith () facetime com>
Date: Wed, 20 May 2009 16:13:29 -0700

Disclaimer: not a product advert, despite what the first sentence may lead you to believe!
 
We have a product that among other things has categorised the apps in several popular SN sites. Part of the research 
behind producing this was to talk to our customers about how they use SN; I've since spoken to quite a few more 
customers/prospective customers. For those that allow access to SN sites, we got a very similar response when asking 
how much productivity do they think they lose to SN or Facebook in particular. Two working days, per person per month 
or thereabouts is often the response - and a lot of the time they've actually measured it. When you consider that I 
alone spoke to companies ranging from 200 to 100,000 users (totalling about 275,000 users), well the maths isn't 
complicated... One of our customers saw one particular offender that was tracked actively clicking about on Facebook for 
7 hours out of their normal working day.
 
That said, for those that allow full access to SN (i.e. they don't even block the games / video / messaging / file 
sharing apps during working hours, which a lot of our customers do), their reasoning is that although it infers exposure 
to lost productivity and the possibility of Data Loss, it reinforces their positive working environment policy and 
actually helps with staff retention and attracting new staff, e.g. onto University graduate schemes. So the push to 
block sites like Facebook isn't necessarily from HR, although that obviously varies by individual company and the 
vertical industry in which they operate.
 
Another side of it is that we see companies who want to give their marketing department access to certain things to 
allow them to run promotions or advertisements, their developers might be producing an application and they might have 
HR running recruitment programmes, so different people may actually need access to parts (not necessarily all) of the 
SN sites for legitimate business use.
 
My point here is that yes, SN sites can eat up staff time and yes, they can introduce potential security risks, but 
we're seeing more and more corporates embrace SN, because they believe they can't afford not to. Ultimately, as Krymson 
correctly states, it's not an IT problem; it is for the company to define their policy, but IT need to provide the 
enforcement mechanism (assuming it is possible to implement!).
-- 
Robin Smith - FaceTime 
EMEA Technical Manager
T: +44 (0) 118 907 6385
M: +44 (0) 7769 702 792
USA: +1 (650) 631 6453
W: www.facetime.com
 

________________________________

From: listbounce () securityfocus com on behalf of krymson () gmail com
Sent: Wed 20/05/2009 19:30
To: security-basics () securityfocus com
Subject: Re: Allowing access to social networking... securely?



I don't think any discussion on Social Networking or employee productivity is complete without mentioning the HR 
component. Too often web filters are crutches (excuses/scapegoats...) for what is otherwise poor management, poor 
employees, and poor HR practice. I don't think productivity should be mentioned or used by IT or security as part of 
the reason for or against filtering/SN.



This is all very easy if HR puts their foot down one way or another, but it is difficult for IT to know what to do with 
questionable personal or social sites when they may not directly have malware, etc...

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------





