Monthly Archives: June 2010

Social Networking Sites & IT Policy

Introduction

Welcome back everyone! SMB Services Limited wishes to thank everyone who visited our booth at TIC; it was a pleasure meeting and speaking with you, and your presence contributed to the success the event was for us.

In our last issue, we reviewed network security and what small businesses need to know. This month our intern, Michael Hales, will take you through Social Networking Sites and IT Policies.

Social Networking Sites and IT Policies

Social networking used to mean getting together with your friends, interacting in person and expanding your connections in the process. Nowadays, social networking has taken on a completely different dynamic in the form of social networking sites. These sites are described as web-based services that allow individuals to:

1. Construct a public or semi-public profile within a bounded system
2. Articulate a list of other users with whom they share a connection
3. View and traverse their list of connections and those made by others within the system
4. Take part in activities hosted by the site, such as games and surveys

Most of today's companies fall somewhere between two extremes: a lax policy whereby everyone is allowed unrestricted access to the internet, or robust protocols in place to control internet traffic. Where a company falls mainly depends on its size and type, as well as the speed of its internet access. Unsurprisingly, productivity is the core issue raised when it comes to blocking social networking sites. At companies where there is no enforced ICT policy, and employees are allowed to use the internet at their discretion, there is a noticeable drop in productivity: the employee's attention is easily diverted away from more pressing priorities by the numerous activities these social networking sites provide.

The other downside to allowing full internet access is that employees generally do not follow good security practices, and as a result these businesses become victims of spam, phishing or malware attacks delivered via sites like Twitter, Facebook, LinkedIn and MySpace.

It should also be noted that the four most popular social networking sites named above all experienced their fair share of spam and malware attacks during 2009, all designed to compromise PCs or steal sensitive information. From traditional 419 scams that aim to fool users into sending money to a foreign destination under the ruse that a friend is in trouble, to malware disguised as Facebook error messages, cybercriminals are using the same old techniques but pushing them out via social media.

As many employees visit some social networking sites daily, it may be unwise to completely lock down access to them. The main issue with completely denying staff access to their favourite social networking site is that these employees will try to find a way around the ban, and this could open up even greater holes in the corporate defences. There are also companies that use social networking to keep in touch with existing clients and reach potential prospects, so completely locking down the sites is not practical for them.

By adopting a more holistic approach – including investment in greater security and control solutions, as well as offering comprehensive user education – organizations will be better equipped to deal with social networking risks.

A few practices that have helped curb issues with social networking sites are:

a. Educate your workforce about online risks: make sure that all employees are aware of the impact that their actions could have on the corporate network
b. Consider filtering access to certain social networking sites at specific times: this can easily be set per user group or per time period, for example
c. Check the information that your organization and staff share online: if sensitive business data is being shared, evaluate the situation and act as appropriate
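Point (b) above describes a web filter that allows or denies social networking sites depending on who the user is and what time it is. The following is an added example (not code from the original newsletter or from SMB Services Limited) of how such a policy is evaluated: a first-match rule list keyed on user group, weekday and time window, applied to the hostname of each request. The site list, the group names ("marketing"), the time windows and the sample log lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Set

# Constructed list of the four sites the newsletter names; matching is by
# domain suffix so that www.facebook.com and m.facebook.com are both covered.
SOCIAL_SITES = {"facebook.com", "twitter.com", "linkedin.com", "myspace.com"}

WEEKDAYS = frozenset(range(5))   # Monday=0 .. Friday=4
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class Rule:
    group: Optional[str]        # None matches every user group
    days: FrozenSet[int]        # weekday numbers this rule applies on
    start: time                 # inclusive start of the time window
    end: time                   # inclusive end of the time window
    action: str                 # "allow" or "deny"


# Constructed policy (assumption: group names and windows are illustrative).
# Rules are evaluated top to bottom; the first match wins.
POLICY: List[Rule] = [
    # The marketing team uses social networking to reach clients: allowed
    # throughout the working week.
    Rule("marketing", WEEKDAYS, time(0, 0), time.max, "allow"),
    # Everyone else: only at lunch and after working hours.
    Rule(None, WEEKDAYS, time(12, 0), time(13, 0), "allow"),
    Rule(None, WEEKDAYS, time(17, 30), time.max, "allow"),
    # Catch-all: deny social sites at any other time (including weekends).
    Rule(None, ALL_DAYS, time(0, 0), time.max, "deny"),
]


def is_social_site(host: str) -> bool:
    """True if host is one of the filtered domains or a subdomain of one.

    Suffix matching with a leading dot ensures 'notfacebook.com' or
    'facebook.com.example' are not treated as Facebook.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SOCIAL_SITES)


def decide(host: str, groups: Set[str], when: datetime,
           policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a request to host by a user in groups."""
    if not is_social_site(host):
        return "allow"          # ordinary traffic is outside this policy's scope
    for rule in policy:
        if rule.group is not None and rule.group not in groups:
            continue
        if when.weekday() not in rule.days:
            continue
        if not (rule.start <= when.time() <= rule.end):
            continue
        return rule.action
    return "deny"               # default deny if the policy has no catch-all


# Constructed proxy log lines: "<iso timestamp> <user> <group> <host>".
SAMPLE_LOG = """\
2010-06-14T10:05:00 alice staff www.facebook.com
2010-06-14T12:30:00 alice staff www.facebook.com
2010-06-14T10:05:00 bob marketing twitter.com
2010-06-19T10:05:00 bob marketing twitter.com
2010-06-14T10:05:00 alice staff intranet.example.com
"""


def evaluate_log(log_text: str = SAMPLE_LOG) -> List[str]:
    """Apply the policy to each log line; returns 'user host decision' strings."""
    results = []
    for line in log_text.splitlines():
        stamp, user, group, host = line.split()
        verdict = decide(host, {group}, datetime.fromisoformat(stamp))
        results.append(f"{user} {host} {verdict}")
    return results


if __name__ == "__main__":
    for row in evaluate_log():
        print(row)
```

Real proxies such as Squid express the same idea with `acl ... dstdomain`, `acl ... time` and `acl ... src` lines followed by ordered `http_access` rules; the first-match ordering above mirrors that model, so the catch-all deny must come last or it shadows the allow windows.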

The same reasoning applies to employees who view inappropriate sites on the internet (such as pornographic sites), who download large music or video files that are not work related and take up large amounts of space on workstations or servers, and even to employees who use company telephones for personal calls.

Without written policies, there are no standards to refer to when difficult situations arise, such as those highlighted above, or when the existing way of doing things is questioned.

So, what exactly are the IT policies that every company should have? There are six areas that need to be addressed:

1. Acceptable Use of Technology: Guidelines for the use of computers, fax machines, telephones, internet, email and voicemail, and the consequences for misuse.
2. Security: Guidelines for passwords, levels of access to the network, virus protection, confidentiality and usage of data.
3. Disaster Recovery: Guidelines for the recovery of data in the event of a disaster, and data backup methods.
4. Technology Standards: Guidelines to determine the type of software, hardware and systems to be purchased and used at the company, including those that are prohibited (e.g. instant messenger).
5. Network Set-up and Documentation: Guidelines regarding how the network is configured, how to add new employees to the network, permission levels for employees and licensing of software.
6. IT Services: Guidelines to determine how technology needs and problems will be addressed, and who in the organization is responsible for employee technical support, maintenance and long-term technology planning.

Policy Pointers

1. Consider holding a series of meetings (depending on the size of your company) that involve all interested parties.
2. The language of your policies must convey both certainty and unquestionable management support. As you roll out a policy, you may see many examples of inappropriate use or violations, but it is difficult to anticipate them all. So it is important to have catch-all clauses within your policy, such as:
a. "Viewing or downloading offensive, obscene or inappropriate material from any source is forbidden."
b. "The storing and transfer of illegal images, data, material and/or text using this equipment is forbidden."
3. Set out what behaviour is reasonable and unreasonable, and determine procedures for dealing with specific abuses.
4. Try to keep policies to the point. Long written policies are difficult to read and comprehend, and users may be confused or simply give up on trying to understand them.
5. Policies must be written in layman's terms or the concept may be lost on the end users.
6. Agree upon a framework for policy review. Usage and technology change, so you need to be flexible and adapt the policy when required.
7. Decide, define and mandate what is to be protected.

When it comes to building and implementing an IT policy, no quick or one-size-fits-all solution will adequately serve your needs. Every business is different, and the approach taken to meet objectives and/or ensure compliance will vary from one environment to another, even within the same industry. Well-crafted policies show that an organization and its management are committed to security and expect employees to take it seriously. Such policies provide an overall security framework for the organization, ensuring that security efforts are coherent and consistent rather than ad hoc or fragmented.

You can, however, take advantage of the best practices described above to increase your odds of crafting and implementing a policy that employees will support and that will help your organization.

For more information, you can contact us here.
