Should we allow our employees to engage in social networking?
- At February 12, 2010
- By Josh More
- In Business Security
Introduction
The question often comes up: Should we allow our employees to engage in social networking? The debate has raged for years, and surprisingly, it is still not settled. In general, the discussion tends to fall down four possible paths:
1) Social media reduces productivity
2) There are a lot of threats that come from social media
3) Social media is a new technology and therefore is scary
4) Employees don’t really need social media anyway
So let’s take a look at these:
1) Productivity
Many times the “productivity” topic rages within the security field, which has always surprised me. Keeping employees productive is the responsibility of the business owner, and while I’ve often seen it delegated, I’ve never seen it delegated to either the security people or the admins. Realistically, this is the responsibility of management or HR.
Even then, it seems that every place has slightly different rules as to what is and is not permitted. In some places, it’s customary to spend hours each Monday morning talking about the previous weekend’s hunting or sporting events. In others, everyone takes off Friday afternoon and sits around socializing before “closing time” hits. In still others, there are required breaks every two hours as well as a mandatory lunch. However, in absolutely none of them is social interaction categorically denied. The prevailing attitude seems to be that so long as the work gets done, the specifics are irrelevant.
Different people work differently and some need the occasional long social break to limit distraction. Humans are social beings and there is considerable evidence that socialization is a deep-seated need in our species*. It seems unlikely that many people could be truly productive without a form of socialization… do the technical means really matter?
Perhaps, instead of banning the technology, it would make more sense to monitor productivity and ensure that any employees that begin to stray are quietly corrected. This would enable you to take advantage of the benefits that the technology offers without necessarily experiencing a productivity hit.
* This could be a long discussion in and of itself, but, fascinating though it may be, it would distract from the point.
2) Threats
A considerable amount of malware and no-tech attacks come from social sites. Twitter is particularly bad, due to the inherent obfuscation used in the TinyURL-esque sites (though they’re working on it). However, you can’t live a life that is entirely devoid of risks, and in most cases we don’t approach risks by banning the technology. Instead we take a balanced view and assess risks before we take action. For some reason, many people tend to approach these problems as if they were a game of whack-a-mole, which is a shame.
To draw the over-used analogy to automobiles (a similar technologically-induced societal change), in the rural states, a common threat is deer. We could address this threat by building fences along each highway (Banning) or by constructing a massive array of detectors, implanting RFID chips in each deer and building weapons-equipped automated flying drones that kill any deer wandering onto the road (Intrusion Prevention). Instead, we put up little yellow signs that tell people to be careful. For some reason, we find this a more economical solution, even though it places a slightly higher burden on the drivers to pay attention.
I think that a lot of security professionals avoid the “educate the users” tack because it’s traditionally not worked too well. Of course, a lot of us are also far more comfortable with technology than we are with people, so it is possible that the past failure of education was due to our own failure to educate ourselves on education processes. Maybe, if we were better at making little yellow signs, many people would manage to avoid the majority of threats.
3) New Technology Is Scary
I am sorry to say it, but we security professionals tend to say “no” a lot. I ran into this problem myself recently and used what I call a “shortcut no” — where I said “no” when I meant “yes we could do that, but I think it would be prohibitively expensive”. However, within the security community, when one person’s “shortcut no” is heard as a “true no”, we tend to build up an echo chamber effect and think “no one else is permitting this technology, so there must be a reason, so let’s just say ‘no’”. This, I think, results in the regrettable state of things being banned “for security reasons”.
Changes to technologies and processes must be first analyzed and the risks then be explained to management. At that time, it is their decision. I have encountered businesses that prefer to believe that regulations such as PCI-DSS, the FTC Red Flag Rules and HIPAA/HITECH do not apply to their business. In some cases, I have disagreed, but it is, in the end, their decision. Perhaps the failure was on my part, and I was less than ideally effective in explaining the risks. However, an alternate perspective is that many experience an unconscious resistance to change. The impact of new regulations is change, and in many cases, change may be scary.
Of course, fear of change is part of being human. Luckily, if you know this, you can take steps to address it. One common approach is to take a social media class. If you lack the budget for such a thing, you can also spend a day reading about it online. Good Google terms are social media in business, twitter marketing, facebook marketing, Internet Business Mastery and search engine optimization.
4) Do They Really Need It?
Four years ago I gave a presentation to a group of entrepreneurs about how to leverage technology in a start up. One question I was asked was “Do I really need a website?” I was stunned. I couldn’t imagine a new business without one. Most people I know first check out a business on the web, both for contact information and for reviews. If a business isn’t on the net, it’s invisible. If it’s on the net but no one is talking about it, it’s probably not worth much.
This is even truer today. I don’t think I’ve opened a phone book once in the last year. I’ve found many great resources through word of mouth via the Internet. Social media allows me to research a company in minutes. I can get information faster than ever before on prospective clients, partners and employees. I can check my thinking against that of others in my field. I can research threats, responses and technologies without having to do the test implementation myself. (Though test implementations are still important.) If it weren’t for social media, I would be unable to do my job.
These networked social efficiencies exist pretty much across the board. Alliance Technologies tends to “run light”. Our marketing, sales, support and administration are staffed at a level far lower than other comparable companies, simply for this reason. If we didn’t have social media, we’d have to double our staff.
Clearly, not all companies are the same. However, the effectiveness of social media in all aspects of our business leads me to believe that it’s generally useful to most businesses.
A) We Can’t Stop Them Anyway
Trying to stop people from socializing is a doomed effort. You can draft and implement all the policies you want, but if they go contrary to human nature, they will not be followed. Moreover, if they are burdensome, they will be actively rebelled against. Do you really want to spend your time protecting against outside attacks while your inside people are working to bypass your web filters, firewalls and IPS systems? I know that I don’t.
Practically speaking, web filtering technology works, but nothing is perfect. You can block most sites in a category, but there is always a way around it. You can block gambling sites, but you can’t prevent an employee from placing bets via email or SMS on their cell phone. You can block porn sites, but can’t keep someone from bringing a magazine into the office if they really want to. Generally, you just raise the barrier high enough to say “management would rather you not do this stuff” and people will take the easier path. Even then, saying “don’t gamble” and “don’t look at porn” are vastly different messages from “don’t talk”. Banning social media is equivalent to banning talking at the water cooler, over the cube walls or in the hallways. If you try, you’ll experience a lot of pushback… and as employee generations shift, the pushback will grow.
Personally, I’d rather focus my efforts towards bringing the employees in line with business goals and then combating actual threats against the business. To do otherwise is just spinning in circles.
(This post originally appeared over at Alliance Technologies)
2 comments
Doug
So… what do you do? Allow them to download and surf to their hearts’ content because the social aspect of the internet is just too alluring for us to effectively block? Just because we can’t turn it off without people finding ways to socialize? Eventually this just leads to viruses and other malware introduced through employees who are haphazard in their computer practices (see, most everyone).
Why not just nip things on our side of it and leave the social networking to the watercooler or the email betting. I’d much prefer to not have to deal with rebuilding a customer service department because everyone downloaded the same chat program that happened to be carrying a virus. It’s not within our scope to limit socializing, but it is not necessarily the role of the computer in the work place environment to be another tool to socialize. As you said, they will find a way… but let’s not make it an issue that costs your department money because of a lack of foresight.
How many times I’ve seen links from social networking end up taking down a web server or email server… ugh.
Set up stations that allow the socializing and quarantine them from the business aspects. Cheaper in the end and allows the people their outlet.
Josh
Doug,
It seems to me that it would be better to control the malicious software angle at the endpoint. If users can’t install or run unapproved software, it would be far more effective than trying to identify and block the sources of such software. If you attempt to block social media sites, you’re putting yourself in a position of having to identify which sites are “good” and which ones are “bad”, while simultaneously putting your users in a position where they will actively try to circumvent your policies. People are getting better at using proxies and the like to bypass controls. If you want to prevent them from accessing social media, you have to effectively prevent them from accessing the Internet… and there can be significant business costs to doing that (especially if your competitor’s employees are unfettered).
The core issue here is that I do not believe that social networking can be effectively controlled… so I say don’t bother. Spend the money and time on controls that work. Manage the software, sure. Let audit/marketing audit the social networks, so they can monitor the brand impact. Let the managers manage the people. Let the business owners decide the acceptable level of risk.