Information Security Tips from Westfield Insurance

Where were you on June 9, 2009 at 10:22am?  At that moment in history, the 1,000,000^th word was adopted into the English language.  What was that word?  Web 2.0.  Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now?  Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0?  It has nothing to do with the technology or domain naming.  Mostly it is about the dynamic content and the way users interact with the Internet.  Remember how your parents read the newspaper every evening or watched a newscast on television?  The information flow was one way.  Web 2.0 is about sharing information, opinions and experiences.  You live with Web 2.0 everyday and you probably don’t even know it.  Have you read a review on Amazon?  Have you commented on a news article?  Those are just a couple examples of user provided content.  Websites such as Facebook, Twitter and MySpace, YouTube and other social networks are the big names in social networks or Web 2.0 but there are countless others.  You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or business are immune from anything harmful; you better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good.  Social networking or social media IS the future of communication.  Rather than wait for the newspaper to be delivered, you get news as it happens by the people who are experiencing or involved in the situation.  Remember the US Airway’s flight that landed in the Hudson River?  Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter account.  Companies are using social networks as a tool to market their brand.  Have you heard of Blendtec?  How about “Will it Blend?”  Blendtec CEO, Tom Dickson, became an instant celebrity when he began posting videos of his blender destroying things like iPhones, Guitar Hero guitars, etc on YouTube.  It also helped them sell a lot of blenders.  Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as, communicate promotions and events.  Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers.  Internally, employees can network between departments giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company. What are some of the drawbacks?  First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity.  It is increasingly more difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones.  Additionally, companies may have a difficult time restricting or limiting the content that employees post.  A disgruntled employee may post negative information about their employer for all to see.  Companies may have human resource policies when it comes to employees posting information about their employer; but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech?  Social networks are making it difficult for companies to separate an employee’s business relationship and their personal lives.  On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough?  Not quite.  Aside from the fact viruses, Trojans and other malware have found a new distribution vector; there are many other security concerns.  Data Loss Prevention is among the top as employees may maliciously or accidentally distribute sensitive company information.  Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach.  Even if the information isn’t overtly sensitive, information may trickle that may give a hacker or your competitors an inside advantage.  Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls.  A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products.  I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks; it is probably time for a revisit.  While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason to not allow them in the work environment; you may find that people are spending more time on their cell phones texting or other social activities.  It is difficult to balance a no tolerance policy for social sites while allowing shopping or other entertainment sites while on company time.  Blocking all non-work essential sites has proven time and time again to reduce employee morale; which in turn has greater impact in reducing productivity.  If you feel your company is behind in addressing this issue, don’t feel alone.  Many companies are working struggling to weigh the risk versus the reward.  We would love to hear how your company handles social networks. Please make a comment or contact us at infosec@westfieldgrp.com.