Online social networking is a major threat to organisations – and it’s not just about loss of productivity or bandwidth wastage.
“Research shows that 90% of all security breaches originate from inside an organisation’s ranks. 95% of these breaches are unintentional. So, it is a company’s employees who cause most communication and security breaches, and generally they don’t mean to.
“With the array of communication channels open to people nowadays, distributing information is easy. The pervasiveness of online social networking sites just makes it even easier to send out information and communicate with a large audience quickly and often without much forethought to the consequences.
“People have become quite flippant, if not brazen, about ‘airing dirty laundry’ on the likes of Twitter and Facebook. On a personal level, it’s their indaba. Although people should be wary of what they publish about themselves on public domains because it could put future job prospects, personal relationships and even their own identity at risk.
“For companies however, employees posting information online about the business can be severely detrimental on various fronts,” warns Dries Morris, operations director at specialist IT security company, Securicom.
He explains that employees can create liability for a company by publishing inappropriate or confidential business information on profiles or blogs. For example, an employee could unwittingly preempt the release of an organisation’s financial results by publishing financial information or figures online before the formal announcement is made public by SENS. This amounts to insider trading. Or, an employee might publish information about a customer, legal proceedings, mergers or proposed retrenchments that should have been kept confidential.
There is the risk of reputational damage arising from the dissemination of inappropriate or defamatory information relating to the company or its employees that could put the organisation in a bad light or cause it to lose credibility with shareholders, customers and the public. This can also obviously have financial repercussions.
Fraud is another threat arising from the distribution of business-sensitive data such as financial information, customer information, banking details and even employee data.
An organisation’s future endeavours can also be put in jeopardy through the premature sharing of information relating to strategy or new products and such.
Industrial espionage is a reality.
“Intelligence shared, even if out of pure excitement and not maliciously, about a new product before it’s launched could put an organisation at a competitive disadvantage if it lands in the wrong hands. For instance, a new crisp flavour that promises to send a snack manufacturer’s sales soaring, or the name of and magic ingredient in a new line of anti-aging face cream. It happens. Online social networking makes it far easier,” says Morris.
Management of employees’ online activity is no mean feat and, to be effective, requires a multi-pronged approach. Corporate IT security and email and internet usage policies are obviously part of it. These policies formalise the rules relating to the usage of company assets and internet access and establish how the organisation intends to secure its infrastructure, data, and ultimately the business. Employees also need to be aware that online and email usage is being tracked.
However, the complexity and wide spectrum of technology systems employed by companies nowadays, as well as the multitude of gateways to the web, make it difficult to enforce rules and policies around usage without technological assistance.
“Aside from a policy formalising the rules around the usage of company assets and resources for online and email communication, technical mechanisms and systems must be in place to interrogate user-initiated, outbound web traffic across multiple gateways. There is simply no other way of doing it.
“The answer is not to block employee access to online social networking and blog sites. Instead it’s about managing what they do, monitoring and protecting the information they send via the company network, and having measures in place to ensure that they do it safely,” advises Morris.
Specialised software capable of tracking and tracing information sent via the network and published online is accessible and affordable even to smaller enterprises if bought as a managed service from a reputable IT security provider.
Morris concludes by saying that this type of technology should be properly deployed and managed to be effective.
By Dries Morris at Securicom