EDITORIAL: Social media risk
Written by Peter Davy
With the scale of malicious activity on Facebook appearing out of control, an explosion of smartphone devices and no greater sense of security, Peter Davy asks just how viable is social media at work?
While January may have seen the introduction of a new secure connection for users, it was not a good month for security on Facebook. First, hackers had Nicolas Sarkozy surprising the world’s media with an announcement that he would not run for the French presidency again in 2012. Next, hackers targeted the fan page of its founder, Mark Zuckerberg. But, in fact, it’s far from the beginning of the problem, according to security experts Sophos. “The scale of malicious activity on Facebook appears to be out of control,” the security firm noted in its 2011 Security Threat Report, just published.
It’s not just the danger of hacking, which will be partly addressed by the new secure protocol; malware and phishing attacks targeting the site’s 600mn users were more of a worry. And, to be fair, it is not just Facebook: 82 per cent of the Sophos survey’s respondents felt the world’s most popular social network did pose the biggest risk, but it was an attack on micro-blogging network Twitter that was the biggest social networking security incident of 2010. Overall, the survey found that 43 per cent of social networking site users had received phishing attacks and 40 per cent had malware – in both cases nearly double the proportion in a previous survey less than two years before. Businesses, however, still seem fairly relaxed about the risks: half of those surveyed had unrestricted access to social networks at work.
For Matt Cogdell at IT solutions firm Integral Specialist Services that’s far too high. It doesn’t even take an attack for it to be a problem, he says; one Lloyd’s client of his, for example, couldn’t understand why the company’s network would slow dramatically at certain hours. An audit revealed it was down to the number of staff downloading photos and files on their iPhones and using the business tools to transfer them onto social networking sites. The number of workers using social media at work is “frightening”, he says. His solution? “Ban it. Stop it dead. Why should people at work need to keep going on Facebook, Twitter and Friends Reunited?” he asks.
Certainly a number of companies agree. According to Cisco’s Connected World report published last November, 51 per cent of UK businesses restricted access to social networking sites such as Facebook, with the same proportion restricting access to Twitter (against 41 and 35 per cent, respectively, worldwide). However, that leaves a lot of companies exposed.
“A lot of people are aware of the risks, but they are not sure how to address it,” says Chris Cotterell, partner at specialist Lloyd’s broker Safe Online. “They might have contractual conditions with their employees around the use of social media but having it adhered to and how they police it is questionable.”
Certainly an outright ban is no panacea. For a start, there are businesses which clearly see a benefit in using social media. More than half of the Fortune 500 now have Facebook pages and 60 per cent corporate Twitter accounts, according to The Center for Marketing Research at the University of Massachusetts. For the FTSE 100, the figures are 25 per cent and 45 per cent. Sites such as LinkedIn, meanwhile, are specifically aimed at business users.
That’s led a number of businesses to re-evaluate access, says Robert Stroud, vice-president of service management and governance at CA Technologies in New York and international vice president of ISACA, the professional association for IT audit, control and security. Its white paper on social media was published last year.
Rather than an outright ban, says Stroud, many groups take a more nuanced approach, perhaps blocking some staff, who either have no use for social media or who have access to information that’s highly sensitive, but allowing others, who constitute little risk. “In terms of risk management, we are seeing a transition from black and white policies to an appreciation that there are areas of grey,” he argues.
SECRETS AND LIES
In any case, it is increasingly unrealistic to expect to be able to insulate a business from exposure to such sites. The advent of smartphones with internet access and new additions such as iPads, all of which often double for business and personal use, means policing staff is, in many cases, impossible. Restricting access to social media through the company’s central network is one thing; preventing staff using sites with a phone that might also contain the company’s confidential information, at home or out and about, is another.
“IT consumerisation and the always-online lifestyle create real challenges,” says Avtar Sehmbi, member of ISACA London security advisory group and head of security and IT risk management at Deloitte. “Social media is no longer restricted to the PC at work.”
One of the team’s predictions for 2011, released in January, is that over half of the computing devices sold globally this year will not be traditional PCs; another is that 25 per cent of all tablet computers (such as iPads) will be bought by companies. As it is, 80 million smartphones were sold worldwide in the third quarter of 2010 alone. As Stroud puts it: “The technology is ubiquitous, so whether you allow it or not, social networking is happening.”
Allied to this is the fact that the risks aren’t restricted to malware. Gregor Pryor, a partner at media law firm Reed Smith, is an editor of the firm’s white paper, Network Interference, A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon. Put together by 70 of its lawyers, the document runs to 130 pages.
“Digital media is effectively a second Industrial Revolution,” says Pryor. Consequently, the issues it throws up are multi-faceted, covering everything from data integrity and privacy to intellectual property, copyright and libel. Perhaps most significant, however, are the risks to reputation.
“The impact of the move from the old style of the web to Web 2.0 is to give everyone a voice, whether they deserve to have it or not,” explains Stephen Kuncewicz, media lawyer at HBJ Gately Wareing and author of Legal issues of Web 2.0 and Social Media.
The mishaps are well known: From the Waterstone’s employee sacked for dubbing it ‘Bastardstone’s’ on his blog back in 2005, through Virgin Atlantic staff calling customers ‘chavs’ on Facebook and YouTube videos of Domino’s staff spitting on food, up to Octavia Nasr, the CNN editor fired last year for her tweet lamenting the death of Grand Ayatollah Mohammed Fadlallah – the fact that these cases have become hackneyed underlines the point that social media gives staff tremendous power to do lasting damage to a firm’s reputation.
Again, the risks are exacerbated by mobile technology. Facebook’s own figures show users accessing through their mobile devices are almost 50 per cent more active than non-mobile users, points out Ulf Bergström at ENISA (the European Network and Information Security Agency). Indeed, when Apple released a list in January of the most popular downloads to coincide with selling its 10 billionth app, the top spot will not have surprised anyone: Facebook.
Despite the fact that a company’s reputation can be tarnished with social networks, any time or anywhere, there’s still reluctance to address the risk. According to Kuncewicz, the vast majority of companies he has dealt with tend to be either sceptical about social media matters or see it only as a marketing issue.
How far companies should go is open to debate. Certainly there are some that question whether solutions tracking social media buzz are worthwhile. Peter Morgan, head of communications at Rolls-Royce and director of communications at BT before that, told delegates at an industry conference last year that he thought it was largely a waste of time. “For decades, there have been people in pubs all around Britain saying how much they hate BT or how frustrated they are with Virgin Atlantic or whatever. The fact that they now spout their opinions on a social networking site doesn’t make them any more important or more alarming,” he said, adding that if an issue did need addressing, a company would know soon enough – the Daily Mail will call.
Not everyone agrees with that; Sehmbi insists that engaging with online critics early can prevent a story gathering pace and the newspapers ever getting wind of it. However, even if Morgan is right about external threats, the least companies should do is make sure they have a policy on social media use, outlining what’s acceptable (which most do) and educate users so they know and understand it (which many still don’t). That will ensure the risks originating inside the organisation are minimised – because, whatever else, the issue is not going away.
“It is easily dismissed because a lot of people say it is just another fad, but that is a major mistake,” says Kuncewicz. “Whether it will be on Facebook or not in the future is irrelevant; the movement towards people having something to say online is not going to stop.”