Security Risks in Social Networking Sites
Social networking has in just a few years grown beyond all imagination, with MySpace and Facebook leading the way. Social networking sites enable their users to connect with friends and peers in ways never before possible, and enable them through postings and blog entries to promote their positive attributes and assert their individuality. The number and variety of social networking sites today is mind boggling, but experts tell us that the social networking as it currently exists is only the tip of the iceberg.
Despite the huge number of positives associated with it, social networking also has some distinct downsides. The degree to which social networking sites are monitored for undesirable or downright malicious content varies greatly from site to site. Hostile, fabricated, or even public safety-endangering content can cause considerable negative fallout. Content posted and then retracted can remain available long after it is retracted, because cached copies persist.
The main issue in this posting, however, is how an information security manager should deal with social networking. From an information security point of view, social networking sites (as good and popular as they may be) introduce security and other risks. Some of the most significant of these risks include:
- Use of peer-to-peer (P2P) networking. A surprising number of social networking sites utilize P2P network technology, a technology that typically allows traffic to bypass perimeter defenses such as firewalls and also greatly increases the likelihood of malware infections.
- Legal fallout from fraudulent enrollment. A certain percentage of social networking site members enroll under false pretenses and then pretend to be somebody they are not, violating the terms and conditions of the sites in which they enroll. This can result in a wide range of legal fallout, including the potential for such a person to face criminal charges for unauthorized access to computing systems.
- Enablement of predators. Predatory behavior and the Internet go hand in hand, and social networking sites are no exception. A recent study indicates that approximately one out of six teenagers who use the Internet has received direct sexual advances from predators; I fear that this statistic may be an underestimate.
- Electronic harassment. Lamentably, social networking sites are also used to electronically harass individuals, with ex-friends and ex-lovers being the most frequent targets. Recently a 13-year-old girl who was allegedly unmercifully harassed by someone masquerading as a 16-year-old boy committed suicide. The masquerader was allegedly the mother of another 13-year-old girl who had had a falling out with the girl who took her own life.
- Net loafing. Employees who engage in social networking at work are wasting company time and resources. Net loafing was bad enough before social networking became the rage; with social networking it threatens to get out of control.
- Data leakage. Social networking users can and do reveal information about organizations, their trade secrets, and their goals and activities that should not be revealed. Social networking thus exacerbates the already out-of-control data extrusion problem.
- Reputational damage. The downsides of social networking, e.g., giving users the ability to easily harass someone else or allowing predators to engage in their sordid deeds, can easily cause reputational damage to both individuals and organizations.
What is the “bottom line” then? Should on-the-job social networking activity be banned? The answer is: not necessarily. Like everything else in information security, the associated costs and benefits need to be assessed and weighed against each other to determine whether social networking on the job should be allowed and, if it is, what controls need to be put in place. Additionally, rules concerning access to social networking sites need to be included in every organization’s acceptable use policy. Finally, such access, like virtually every other type of user activity, needs to be continuously monitored.