More Thoughts on Blocking Access to Social Networking Sites
A few days ago we discussed some of the early findings from our recent survey on social media behavior among end users (part of our end-user awareness service). Expanding on that insight, we note that companies that are blocking access to social media are not seeing less employee usage of social media sites like Facebook. The usage still takes place, the usage is just as likely to concern workplace issues, and the usage is just as likely to take place during work hours—users either get around technical blockades, or they use their mobile devices.
What’s a CISO to do?
While accessing social media sites through the corporate infrastructure brings some risks around malware and the like, these are not that different in kind or in magnitude from those of general internet access. The main social media risks—data leakage and reputation damage—remain pretty much unchanged however the sites are accessed. IREC believes that—regulations permitting—organizations should open up social media access. The harm is low, and the benefits are large:
- First, you help shed Security’s image as the function that says “No.”
- Second, you will enhance collaborative opportunities in your organization.
- Third, and most interesting from Security’s point of view, you can monitor the traffic to the social networking sites. This allows you to monitor for outgoing data, understand how users are using these sites, and identify individuals or groups of users for targeted social media awareness efforts. Why drive usage underground where you can’t do this?
For those who are reconsidering their social media access policy, here are some data we have collected on this topic. We have been asking our members about their social media access posture for more than two years now, sometimes in slightly different ways and across different venues. In all, we have about 15 data sets, with an average N of about 20. We narrowed down the responses to three categories: those who pretty much allow everything, those who pretty much block everything except for one-off exceptions for business purposes, and those in the middle who allow access for most users but have significant limitations or focused technical controls in place. The data are a bit noisy, but we think the trend over the last year towards allowing at least controlled access is pretty clear.
Note: to find our complete collection of data sets like these covering all security topics, visit our Peer Polling Results Browser.
To learn more about our research in the social media space, attend our upcoming webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition, we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.
