Debate: Does Social Networking Require User Policy Changes? - CSO Online - Security and Risk

By Bill Brenner, Senior Editor

April 13, 2009 — CSO —

IT security administrators have had a fairly easy case to make against such social networking sites as Myspace in the past. Myspace in particular tends to be a place for the mostly personal, and some profiles are simply front companies for online mobsters and malware pushers. [Read more about the challenges faced by MySpace's CSO in Hemanshu Nigam: Mr. Safety for MySpace.]

Malware pushers are also alive and well on such sites as Facebook and Twitter, but these sites present a special challenge for IT security execs. Both applications, along with the likes of LinkedIn, are used heavily for business networking. [See: Facebook, Twitter, LinkedIn: Security Pros Warm to Web 2.0 Access.]

And while LinkedIn is almost all business, Facebook and Twitter straddle an increasingly squishy line between the personal and professional. Online outlaws understand this and are trying to do on these sites what they have done on Myspace; see for example LinkedIn, Facebook, Twitter Users Beware and 3 Ways Twitter Security Falls Short.

These developments have security practitioners like Robert Fitzgerald -- a Boston based digital forensics investigator and president of The Lorenzi Group LLC -- pushing the corporate world to update policies for what employees can and can't do when using company computers online. Since most company user policies don't mention the growing array of social networking sites specifically (there's typically broad language forbidding things like surfing porn sites), Fitzgerald believes companies are opening themselves to lawsuits where the plaintiffs can successfully claim that users weren't expressly forbidden from trolling Facebook on work machines.

"Most user policies are 100 years old, with language like 'no personal e-mail and no surfing the Web,'" Fitzgerald said. "Well, today it's impossible to conduct business without being on the Web. The Internet has hit employees like a tidal wave, and if you put rules in place it'll help people understand what not to do online and make everyone more aware more quickly of data breach risks."

Of course, others believe it's a mistake to get too specific with user policies. A big reason is that technology is constantly changing, and tweaks made for today's social networking craze may become obsolete in a year or two as some new gray program comes along.

With that in mind, CSOonline conducted an informal poll -- ironically via LinkedIn -- asking security pros if it makes sense to update user policies as Fitzgerald suggested.

The question: Does Twitter/Facebook/LinkedIn etc. require a change in company policies for network usage?