To Block or Not to Block? Social Networking Sites at Work
By Meagan Polakowski, copy editor — May 12, 2008
There’s no doubt that social networking sites are a relevant part of the everyday lives of people at home. This is occurring in the workplace as well. People are realizing these sites have impact not only in terms of personal growth and relationships, but also as tools for staying connected in business.
The recording industry recently demonstrated the growing importance of these sites. In early April, BusinessWeek reported that Warner, Sony BMG and Universal launched an endeavor with MySpace in which the social networking giant will allow users to listen to and watch music content and purchase related merchandise and tickets on its site. Certainly, there are business reasons to employ these sites.
But like all worthwhile technology tools, this one, too, comes with pitfalls. The increasing use of social networking sites in the workplace can have serious security and productivity implications for companies, which is why more and more companies are choosing to block or limit the use of these sites.
MessageLabs -- a messaging and Web security services provider -- found in February that the blocking of social networking sites by its customers increased from 12.9 percent to 46.9 percent. In March, 11 percent of its customers had decided to block access to Facebook specifically.
Scammers are coming up with new ways to steal information and corrupt users' computers through sites such as LinkedIn, Plaxo, MySpace and Facebook. One such method is Nigerian 419 advance fee fraud, which experts say has popped up recently on these sites.
Paul Wood, senior security analyst at MessageLabs, described one such case: “We’ve seen one example of [Nigerian 419] recently, where the fraudster had created a fairly convincing-looking page on LinkedIn to give some sort of credibility to their background in the sort of business they’re trying to promote.” In these cases, the scammers may use e-mail correspondence to prompt you to visit their profiles and learn about their fake personas. The aim is that with the information, you will gain a false sense of trust and be convinced to do business with them — and ultimately give them money.
In some cases, a scammer will claim to be someone you know, “pretending to be that person in order to gain access to your profile, your friends list or some other information you might be willing to give them,” explained Wood.
Another trick is the use of fake embedded videos on otherwise legitimate-looking Web sites. “You might see [what looks like] a link to a YouTube video. But in fact, what you’ll find is it’s not really a YouTube video; it’s just spoofed in that way.” When you attempt to view the video, you might be asked to download a codec that supports the video’s format. In most cases, what you actually are downloading is malware.
“It’s very hard for the novice user to be aware of these types of threats because it’s got the YouTube logo, [so] you would think that it’s just a YouTube video,” said Wood. There is a social engineering aspect going on here, he explained. They’re “trying to dupe people into believing something that’s not true.”
In order to protect yourself, Wood suggests verifying the identity of people who claim to be someone you know and also being skeptical of these types of videos and links that may appear legitimate.
“If somebody says, ‘I’m so-and-so that you used to work with several years ago,’ do you have another means of contacting that person?” Wood said. “Don’t take it at face value; [on the computer, people] tend to be more trusting than if [they] were face to face meeting somebody for the first time. [On the Internet], there are so many other factors that you miss out on, like body language.”
These sites also can cause a lag in productivity. “If someone’s spending too much time online or addicted to playing Scrabble with somebody on Facebook, then they might not be doing their jobs,” said Wood. This is another reason companies need to adopt policies regarding acceptable Internet use on the job.
Some companies choose to completely block social networking and blogging sites, and others will allow some use of these sites at specific hours, such as lunchtime. What’s important, said Wood, is accounting for the “three prongs” of Web policies.
“You have to look at the policies appropriate to your business: the user training and awareness side of it as well as the educational aspects, internally, to make sure people understand the potential risks — the social engineering threats — that they may come into contact with.
“And the third part of that is really having the tools and the technology in place in order to protect the employees so that they don’t visit a site that may harbor some malicious content,” he concluded.