Are you cracking down on social media use by employees in the workplace?
Think twice about your Facebook shutdown. A recent survey conducted by Telus and the Rotman School of Management indicates that companies that ban employees from using social media are 30 per cent more likely to suffer computer security breaches than firms that are more lenient on the issue of workers tweeting and checking Facebook posts in the office.
The survey queried IT security decision makers in 649 firms and found that companies that blocked social networking for security reasons experienced 10.3 breaches or security incidents on average in the last 12 months. Companies that did not block social networking access had 7.2 incidents for the same period. Click here to download survey.
“It might seem counterintuitive, but the survey results confirm what we have been tracking over the last two years,” said Rafael Etges, director of security and risk consulting with Telus. “No social networking policies are actually forcing users to access non-trusted sites and use tech devices that are not monitored or controlled by the company security program.”
Walid Hejazi, professor of business and economics at Rotman said it all boils down to human nature. If authorities shut one door, people tend to look for another opening.
“It’s called punching a hole in the security wall,” according to Hejazi. “If users deem their actions are justified they will find ways to circumvent firewalls or bring their own devices to surf sites or even access files that they are not authorized to.”
Both Hejazi and Etges said that for many organizations the solution is not to ban social networking and BYOD practice but rather educate users on the importance of security and they develop policies around the safe use of social networking and use of personal devices.
For example, employees could be allowed to access social networking sites during specified hours and when it is required to complete their duties. Firms can also come up with a list of sites that can be visited by employees and then monitor activities for compliance.
Hejazi said, companies can also provide employee machines that are cannot access areas of the corporate network that lead to sensitive data, but can be used to access social networking sites. This, he said, is being done by a leading bank based in Toronto that provides a special common place for employees where they can use such machines.
Overall breaches down
The study showed that annual breaches in security costs publicly traded companies $195,588, compared with $70,833 for privately held firms and $58,929 for government agencies.
IT security breaches were down nearly 50 per cent from last year. But Etges suggested this was probably a result of breaches only being reported if they resulted in a material or financial loss to the organization, and companies may be better at dealing with some types so that they no longer cause such losses.
But while insider breaches went down for public (30 per cent in 2010 from 27 per cent in 2011) and private (19 per cent in 2010 and 16 per cent in 2011) went down, government agencies actually had an increased incidence of insider breaches. Numbers shot up from 33 per cent in 2010 to 42 per cent this year.
The study said one of the reasons behind increased insider breaches in the government may be terminated staff and contractors who leave their jobs with carting off valuable business information as a means of improving their chances of finding employment elsewhere, or that they may have a sense of ownership of the data since they created or manipulated it at work.
Management flouting security policies
Etges of Telus said social networking in the workplace need not be an all or nothing proposition. Businesses can set up policies based on the company’s IT security needs but also consider the needs of employees.
Rules could be set and machines could be configured to prevent access to unsafe sites but. But true buy-in to security policies can only be achieved by educating employees and explaining to them the impact of unsecure practices.
“Our survey showed that when it is explained to workers that breaches impact the bottom line, customers and themselves, as much as three quarters of the employees were prepared to comply with security policies,” said Etges.
When it comes to following security rules, executives and contractors have a very bad track record, according to Hejazi. “In 2010 and this year, executives exhibit the least regard for established security policy.”
This, the professor said, is in stark contrast to the message typically coming from the top that security and risk management is critical for the success of the business.
“Some senior executives probably believe they have privilege to use personal devices or visit sites as they see fit. Others forgo customary security procedures reasoning that they need to cut through red tape to accomplish business critical tasks,” said Hejazi.
Either way, he said, this sends out the wrong signals to rank and file and low level management. “The perception is that there are double standards when it comes to IT security.”