Monday, 27 April 2009

Should companies block Twitter?

Recently I have heard several security professionals say that Twitter is a source of corporate information leakage and must therefore be blocked by businesses using web filtering.

Should companies block Twitter? In my view the question is the wrong one, as I don’t think blocking access to Twitter on corporate networks will do much to prevent business information leakage. The question should be: how do businesses better educate their employees in the use of social networks such as Twitter? Educating instead of blocking will surely do a better job of mitigating the risks of information leakage and damage to company reputation, the latter being the most likely outcome of unchecked employee use of social networking websites.

Twitter allows a person to make a 140-character statement to the entire world, so in terms of information leakage it’s not about controlling data files leaving an organisation; the most someone can do is send an Internet link along with some text, albeit text that could be company-sensitive or damaging information. However, blocking Twitter with corporate web filtering will not prevent employees from using Twitter, as staff can simply tweet updates from their mobile phones, wait until they get home, or find a free WiFi connection when on the road. So my conclusion is that blocking will do little to mitigate the risk. The answer is to educate employees and provide them with rules (a policy). Everyone in the business should be made clearly aware of what is and is not acceptable to say publicly about their company, their job role, work colleagues, managers and customers, whether that is on Twitter, Facebook, company email, web forum postings, or even down the pub in conversation with friends.

Business directors and senior managers argue that Twitter and other social networking websites should be blocked in the name of productivity, which is a fair and valid point, but then the question is not about managing risk at all but about business productivity, which is a business and possibly an HR question. Using “security” to drive, and hide, the productivity reason for blocking social networking is wrong and sends the wrong message to the user base. In my view, security managers need to be encouraging company staff to be onside with the security programme, not getting staff’s backs up and pitting them against it. Ultimately business security always comes down to the individual employees, who should be, and need to be, supportive of the security programme and coached to be security-proactive and aware; it is these individuals who can have the biggest impact in mitigating information leakage risk.

Finally, in recent times more and more people are being sacked for tweeting, including recently a magistrate and a prospective Cisco employee. So understanding the acceptable social networking boundaries is not just in the interest of the company but in the interest of each employee, who needs to be told, and to understand, the social networking line which shouldn’t be crossed. I think many companies today are not doing a great job of clearly explaining those boundaries to their employees.


James DeLuccia IV said...

A resounding - YES.

Blocking is a losing proposition. Focusing on the culture, people, and performance aspects is the right means of protecting a business and its employees. After years of field work installing product, shifting procedures, and composing a book on IT Compliance and Controls (focused on the same underlying people aspect), I can say with certainty that a simple block line is a mistaken and irresponsible response by businesses.

The security risks shall remain regardless - focus on mentoring and monitoring.

James DeLuccia

WhiteHatH4x0r said...

I believe blocking is an imperative part of an Enterprise's Information Security plan. Having worked as an Information Security Analyst for 2 of the largest pharmaceutical companies in the world and seeing what kind of information that all levels of employees send out through IM, Email, Social Networking and every other way, blocking certain things simply HAS to be a part of a responsible, comprehensive Info Sec / Compliance plan.

Believe me, these employees were not only TRAINED on a CONSTANT basis on the proper use of computer security and info leakage/protection, but they were also regulated, audited and could quite possibly be in some big time trouble with the Federal Government, thanks to HIPAA and a host of other laws and regulations relating to the protection of confidential medical and classified information. While I agree with James' points that mentoring and monitoring are also an imperative aspect of a secure corporate culture, no matter how much training, re-training, mentoring, classes, memos, etc., etc., there will always be people who either willingly send out improper info, irresponsibly protect their data or are just, well... stupid.

For information security purposes, protection from malware, avoiding potential liability or even just for productivity reasons, I believe you simply cannot have a secure infrastructure (or as secure as possible) without some form of Content Management or blocking. Especially when that infrastructure spans the entire world. Just IMHO.

Devin C. Ellis

SecurityExpert said...

Thanks for the comments.

Just to emphasize the topic, see this BBC News report: "Probe into teacher Twitter posts"

"Argyll and Bute Council said it has a policy of blocking the use of social networking sites in all its schools.

It is thought the language teacher, who has not been named, may have accessed the site via her mobile phone."

powerpuff said...

This software program Time Doctor uses a better method than blocking Twitter because it only monitors Twitter in work hours. So team members can use it when on lunch. Also some people must use Twitter for work purposes so it's silly to indiscriminately block it.

silverwink said...

Whether an application is blocked or not, self-control comes from within.

I've been using .
It uses a better procedure than blocking social media sites because it only monitors sites like Facebook during production hours. People/employees still have the option to use it for a breather or during breaks. Sometimes they use it for work too, to help reach decisions. For me it's really unnecessary to block Facebook.