Archive for the ‘Web 2.0 / Collaboration tools’ category

More Thoughts on Blocking Access to Social Networking Sites

August 5, 2010

A few days ago we discussed some of the early findings from our recent survey on social media behavior among end users (part of our end-user awareness service).  Expanding on that insight, we note that companies that are blocking access to social media are not seeing less employee usage of social media sites like Facebook. The usage still takes place, the usage is just as likely to concern workplace issues, and the usage is just as likely to take place during work hours—users either get around technical blockades, or they use their mobile devices.

What’s a CISO to do?

While accessing social media sites through the corporate infrastructure brings some risks around malware and the like, these are not that different in kind or in magnitude than general internet access. The main social media risks—data leakage and reputation damage—remain pretty much unchanged however they are accessed. IREC believes that—regulations permitting—organizations should open up social media access. The harm is low, and the benefits are large:

  • First, you help shed Security’s image as the function that says “No.”
  • Second, you will enhance collaborative opportunities in your organization.
  • Third, and most interesting from Security’s point of view, you can monitor the traffic to the social networking sites.  This allows you to monitor for outgoing data, understand how users are using these sites, and identify individuals or groups of users for targeted social media awareness efforts. Why drive usage underground where you can’t do this?

For those who are reconsidering their social media access policy, here are some data we have collected on this topic. We have been asking our members about their social media access posture for more than two years now, sometimes in slightly different ways and across different venues. In all we have about 15 data sets, with an average N of about 20.  We narrowed down the responses to three categories: those who pretty much allow everything, those who pretty much block everything except for one-off exceptions for business purposes, and those in the middle who allow access for most users, but have significant limitations or focused technical controls in place. The data are a bit noisy, but we think the trend over the last year towards allowing at least controlled access is pretty clear.

Percentage of companies blocking social media site access

Click for larger

IREC members may explore further with these resources:

Note: to find our complete collection of data sets like these covering all security topics, visit our Peer Polling Results Browser.

To learn more about our research in the social media space, attend our upcoming webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.

Protecting social media risks

August 2, 2010

Our recently conducted survey on social media policy and usage shows that of the over 17,000 end users surveyed at Fortune 500 companies, nearly 70% are using social media. Of these total end users we found:

  • 35% percent are accessing the social media on their mobile device, regardless of whether social media sites are blocked by the company
  • 15% are engaging in risky activities that are primarily work related such posting company or client information on consumer collaboration sites like Google docs
  • Usage of social media for these high risk activities is higher in the non-management and middle management ranks
  • Perception of social media risk is different from traditional end user IT risks like leaving laptop unsecured or sharing password

So what are the implications of these findings for the CISOs inundated with social media requests and looking for ways to mitigate social media risk?

Implication #1: Given a third of end users access social media through personal mobile devices at work, traditional blocking approaches will not work.

Implication #2: End user awareness is a key tool to manage end user risk and it should be specially targeted on end users using social media at work.

Implication #3: Unlike traditional IT risk awareness where senior management is usually least aware, social media training should focus on rank and file.

Implication #4: Finally, given that end users sometimes use the same social media space for both and personal work related activities; training needs to be more nuanced, and focus on both professional and personal usage of social media.

Members can learn more about our research in the social media space at our webinar Measuring End-User Social Media Behavior to Inform Policy Decisions on August 19. In addition we will discuss the social media results in more detail during the ongoing Annual Executive Retreat series.

The Future of Corporate IT: 5 Radical Shifts in IT Value, Ownership and Role

May 4, 2010

We here at IREC are part of the IT Practice of the Corporate Executive Board. The IT Practice has just released what is probably the most important research we have done in years: The Future of Corporate IT.

The Future of Corporate IT

Our research series on The Future of Corporate IT is based on interviews and surveys with IT and business leaders at over 200 organizations, and on our analysis of business, social, and technology trends. As a result, we find that there are five shifts underway that will radically change how technology is used to create value and how the IT function is structured and managed. These shifts will upend job descriptions across IT management and result in a massive translocation of IT do-ers.

(more…)

Obama lends CISOs a helping hand?

September 11, 2009

 This week Obama gave a warning to kids about their social media activities. I’d like spend some space here to analyze how effective this might be.

My first reaction to was this was “great!”. Oganizations–or more typically people in their organizations–are diving into social media use.  But, as we describe in this week’s Business Week, organizations lack governance and policies around social media. One thing our member CISOs have been working hard on over the last year is user educuation on appropriate use of social media. Any attention is a good thing, and this will likely get some play in the media.

Then I thought about our research into how security awareness messages change user behavior. We analyzed the differential effect of communications depending on the source of the message–manager, colleage, etc. We can probably draw a rough parallel between these corporate positions and people in a kid’s life:

  • Direct Manager = Parent
  • Colleague = Friend
  • CEO = Obama
  • Information Security = ???  Maybe a nerdy teacher at school?

With this, maybe it’s worth a moment to extrapolate from the data we have. Here’s a graph of the relative* effectiveness of these sources:

communication source

So, as we probably already knew, it is likely best for parents to talk to their kids about this subject, but the President’s message should be pretty effective.

* (Maximum Impact is actually an absolute measure, but a bit involved to explain here. Contact us if you would like more information.)

The Real Risks of Social Media

July 6, 2009

The news media has been all over the ‘Facebook Fiasco’ involving the future head of Britain’s MI6. All the ridicule and snide commentary aside, this incident should lead to thoughtful discussion and debate at enterprises about the real risks of social media.

IREC has been tracking the social media domain for almost a couple of years now. We have seen a significant shift in CISOs’ perception on this topic.

Before we get into the details, let us establish a common definition of the term – we use ‘social media’ to refer to the group of technologies/platforms that enable creation and sharing of user-generated content. Examples include blogs, wikis, forums, ratings, tagging and social networking.

If used well, social media could provide a useful and creative channel to build top-line growth and enhance brand awareness. Some of the creative examples that come to mind include:
Dell’s use of Twitter as a sales promotion vehicle
Comcast’s customer service experiment via Twitter

The first set of queries we received on this topic were all about the potential security risks of social media. CISOs were also interested in knowing their peers policy posture in this area – Are companies allowing access to Facebook? What technical controls are available to prevent data leakage through social media channels? etc

In the course of the past 12 months, one thing has become very clear: The real concern for corporations is not the security risks of social media, but the reputational risks that accompany thousands of employees sharing their life (and work) details in the public domain. A recent study conducted by our sister program, the Marketing Leadership Council found that 71% of organizations surveyed plan to increase their social media investments in 2009. However less than a quarter of these organizations had a social media strategy in place.

It begs the question: What should Information Risk’s role in social media governance be?
Our conversations with CISOs at leading corporations suggest the following:
1. Develop a social media policy that covers the use of social media by the enterprise (eg., recruiting on Facebook) as well as by individuals. Provide simple ‘do’s and don’ts.’ The US Air Force has put together a simple flowchart to help staff decide when/how to respond to a social media post – very effective example of social media policy in action!

2. Incorporate social media etiquette into your organization’s security awareness and training programs. (These need not be part of the security awareness program per se – just make sure it is a part of some training employees receive). Include contractors in the program and create little booklets/information packets that employees can share with their families.

3. Lobby for investment in reputation management and moderation technologies. Most probably, your Corporate Communications department is thinking about this as well.

4. Take the lead in setting up a social media governance program. Many executives in the organization are thinking about social media – like HR, Corp Comm and Marketing. Get the group together to lay the groundwork for a well-defined program.

5. Finally, don’t forget to collaborate with your Legal department on issues such as records retention policies and monitoring of social media activities.

Google Wave will be here…shortly!

May 29, 2009

Google recently previewed Google Wave, its next-generation, unified communication platform set to launch later this year. In Google’s words, “Google Wave is a new model for communication and collaboration on the web.” It combines features of IM, email, wikis, web chat, social networking, and project management in a single browser-based communication client.

What seems to set Google Wave apart are the following features:

Real-time: You can see what someone else is typing, character-by-character

Embeddability: Waves can be embedded on any site or part of a site

Drag-and-drop file sharing: Instead of attaching files, users can just drop a file into a wave and make it accessible to all

And of course, it is all open source and developers can build extensions and apps for the Wave.

Google Wave comes with its own terminology – Embeds, Robots, Gadgets etc. It is billed as the ultimate real-time collaboration tool.

According to our sister program, the Infrastructure Executive Council, most enterprises are seeking to roll-out collaboration technologies – it won’t be a stretch to imagine that end-users will be clamoring for Google Wave in the enterprise. It would be well worth it for security professionals to spend some time assessing the proposed features and have a point of view before Google Wave (and other such unified collaboration platforms) go live!

Ben Parr’s article provides a good overview of Google Wave and its features.

Getting ready for the next round of web focused smart phones

May 19, 2009

Two years ago Apple introduced the iPhone and initially most IT Security organizations were caught off-guard. I remember talking to several CISOs and most of them said that they would just ban the iPhone. Well, it is now two years later and I think most CISOs out there would agree that that was not really an option – especially not since the phone quickly became a CEO toy. What happened back then I think could be described as a big underestimation of the adoption of the iPhone and what this would mean for corporate IT and corporate IT Security group.

We are now less than a month away from Palm introducing its iPhone competitor the Pre, and we are likely a month away from Apple announcing its third generation of the iPhone. While the Pre might not beat the iPhone’s excitement levels or adoption numbers it could do so, especially judging by the good reviews it is getting so far.

This makes me wonder if CISOs have looked at what widespread adoption of the Pre would mean for their organizations. Have CISOs together with their IT peers talked to Palm about integration of the new device into corporate infrastructure, or how the devices can be secured? If not, what are the plans for corporate IT shops come early June, when maybe hundreds of employees find ways to connect their Pre to the corporate email network.

Let us know what your plans are.