Social networking: The ‘what not to do’ guide for organisations

“You meet a lot of IT security professionals in large companies who are scary and the answer to everything is ‘no’. Basically, if you haven’t already got it, the answer is ‘no’!”

This is the view of Ewan MacLeod, Mobile Industry Review editor, and innovations consultant. It is a common view.

Robert Stroud, international vice-president at ISACA, confirms that the first response typical of information security professionals to organisational use of social media, such as Facebook, Twitter and LinkedIn, was indeed negative. “The initial response was to turn it all off; the risks were just too high. While that works for a period of time, people find ways of working their way around the controls. You can control who has access to a piece of data, but you cannot control human behaviour”.

Stroud reports a sea change in attitudes among information security professionals, and IT generally, over the last 90 days. “IT is adopting an approach of gradually letting the walls down, putting education processes in place, advising people not to say anything that would not be admissible in court.”

He also stresses that social media is a piece of cloud computing and cannot be wished away. “Any business unit can subscribe to a service like Amazon EC2, going outside formal IT procurement. IT gets to engage when it becomes an exercise in integration”. He urges IT professionals to become “facilitators, spelling out to the business that it has to accept risk. We are starting to see that happen”.

Social media in corporate IT

A recent survey of IT professionals in corporate organisations bears out the thesis of a shift in attitude from negative to positive, although this change seems to be a work in progress. The Corporate IT Forum is a membership organisation for the IT functions of a large slice of the UK economy. It comprises large companies and major government departments. In August, it surveyed its members on their use of social media. There were 131 respondents from 65 large enterprises.

Ollie Ross, research analyst at the Corporate IT Forum, sums up the picture that the survey projects. “A year ago”, she says, “corporate IT professionals were interested in social networking technologies, but in a more theoretical and less concrete way than now. They seem now to have hit on tactical solutions to specific problems, using, for example, Twitter. The interest is also much greater. Moreover, it is interesting that bottom-up, ‘from the outside’ social networking technologies are taking off in ways which have been much less true of top-down approaches. So, for example, we’ve found interest in unified communications being eclipsed by interest in the collaboration potential of Twitter, LinkedIn, Facebook, and so on”.

Members of the Forum report they have piloted access to social networking sites for staff, often in response to demands from outside IT. One says: “marketing and the business are agitating for greater access to Facebook and LinkedIn and various in-house flavours of the same”. Another comments, “for many IT shops, trying to prevent the clamour is akin to Canute trying to hold back the tide”.

It is clear that whatever the security and privacy risks, IT is now at the sharp end when it comes to social networking: in facilitating access; monitoring usage, in the name of HR; or trying to ensure security.

While the majority surveyed are still using social media sites for personal content, a growing majority are disseminating corporate content, with tweeting the most popular (36%) followed by LinkedIn (29.4%). Developments are uneven, however, and not always welcome.

One respondent comments: “corporate use of – and control of – access to social networking sites should be wholly owned by the business, not by the ICT specialist. ICT should only be involved in flagging up the risks and providing solutions to access and control. Another says: “our use of social media is not simple: the general user population does not have any access, however corporate communications and marketing do”. This dual approach has led, in one case, to “a strange situation where staff access to Facebook/Twitter/etc. will be heavily restricted but the organisation will have corporate identities on both!”

Opportunity and threat

The Information Systems Audit and Control Association (ISACA) published a white paper during the summer on social media as a phenomenon that both promises opportunity and threat, ‘Social media: business benefits and security, governance and assurance perspectives’. While its emphasis is more on opportunity than on threat, it does identify the top five risks of social media use in organisations: malware; brand hijacking; lack of control over content; raising unrealistic customer expectations; and non-compliance with e-discovery regulations.

ISACA’s Robert Stroud also speculates that the recent recession has bred a certain lack of physical contact in business life — with people not travelling and using video-conferencing instead. Organisations might need to be aware of that, and aware, too, that younger employees may simply lack the communication skills typical of face-to-face interaction. Digital natives might need to be re-educated to make eye contact, understand tone of voice, and so on. Stroud says: “we have now got four generations in the workforce for the first time in history — baby boomers, generations X and Y, and, now, the real digital natives”.

Get out of the way!

Younger employees, who have never known a world without the internet, often expect smartphones and Facebook access as a matter of course. That constitutes one kind of challenge for information security, but yet another is caused by the very velocity of technology change. Ewan MacLeod, a consultant who is working with corporate organisations to make better use of social media, says that the “fast-paced change in technology is creating problems, and the smart security people are ensuring that they are delivering value and not holding things back.

“What was business-critical information two years ago is simply not now. If you follow me on Facebook you have all my details. If I’ve friended you, you have my contact details. You can’t document that. In terms of storing such information, previously you would have done that in a database, to the right standards. So, what is important now is who has the password to the company Twitter account or Facebook page. A disgruntled former employee or a smart hacker can cause massive problems for a company’s reputation”, he continues.

“Consumer power used to be very low. It’s the complete opposite now. Within twenty minutes you can destroy a brand. And, if your company does not allow Facebook or Tweetdeck (say) you might not know!”

MacLeod sees Vodafone as a trailblazer for the creative and effective use of social media. Post a message on a cat lovers’ website about a negative experience you’ve had with Vodafone, and you’ll probably get a response from one of the company’s social media team. “Customer services [in companies in the social media vanguard] are driving this, and they make sure IT gets out of the way”. However, he says, “the vast majority of British companies are not getting Twitter. If we called it Marketing Process Re-engineering they’d be buying the book and getting the T-shirt!”

He also contends that the “people who are jumping on this are the ones who see the significance of getting a response. They are not necessarily generation Y. It’s more the fact that they have business experience that enables them to see the value. It’s just about smart people. It’s about companies who want to move faster, better, cheaper. You see big gulfs between those who can move fast and those who can’t. It’s a problem for those who’ve been accustomed to 10 to 20 years of guys on £600 a day managing an email server”.

His message for information security professionals is simple. “Massively open your minds. Security is more and more important. But change your perspective”.

Wielding a double-edged sword

John Colley, managing director, EMEA, for the information security certification organisation (ISC)² sees social media as “a double-edged sword”. He confirms that (ISC)² has indeed embraced the social media trend with its own Twitter presence, YouTube channel, and its own social networking service – Intersec.

“In a sense, this is nothing new. You used to get technical staff posting on bulletin boards, which was always both dangerous but potentially useful for solving problems”. And he recalls that “at ICL [International Computers Limited], we had the knowledge management intranet Cafe Vik in the late 1990s, which was a precursor to wikis and so on”. Cafe Vik was an intranet whose letters stood for ‘Valuing ICL Knowledge’, and was a star of the knowledge management firmament in the era of Web 1.0. Its mission to promote knowledge sharing was much admired and emulated by organisations a decade ago. But it belongs to a more top-down and walled in world than that being created through social networking sites — at least according to contemporary commentators such as the authors of Groundswell, Forrester analysts Charlene Li and Josh Bernoff.

John Colley sees the BBC, and other major media outlets, as leading the way with the building in of interactivity with social media. “Infosecurity professionals need to work out how to deal with this: understand the capabilities of the technology and understand the risks”.