Boston Medical Center (BMC), a private hospital center affiliated with Boston University, blocks access to all...
social media websites using security software from Websense Inc. Users who attempt to use such sites as Facebook, YouTube or Twitter are shown a page indicating that their destination is off-limits. Nevertheless, the debate about whether to open up access to such sites or to keep blocking them remains contentious.
In fact, the discussion comes up "practically on a daily basis," said Brad Blake, director of IT at BMC. "As you can imagine, we have a lot of users who want access to these sites, but for a variety of reasons we do not feel comfortable opening them."
If BMC created a Facebook account and asked its patients to be friends, "that would constitute a security breach," Blake said. "Our senior management has felt it easier just to block these sites rather than trying to police and manage them."
CIOs faced with the use of social media as a business tool are hard-pressed to balance that business need against security concerns. Some are so hard-pressed, in fact, that they begged off being interviewed for this story, asserting they are too new to the game to speak knowledgeably about security tools for social media. Other CIOs were pressured by their public relations people not to broadcast their thinking, for security reasons. Even those who agreed to describe their strategy for securing social media were hesitant about providing details about their IT tools. And others were in a position similar to Blake: As their companies wrestled with how the business should use social media, the default position was to simply block access.
That doesn't surprise Jonathan Penn, an analyst who covers security at Cambridge, Mass.-based Forrester Research Inc. "We are finding that a lot of these policies are disallowing use of social media, even when there is a business need," he said. "Companies have people bringing in social media and using it faster than the policies and the security groups can keep up with."
Not so long ago, the notion seemed absurd that employees would use a social media website like YouTube for business purposes. Now, many marketing departments are putting videos on YouTube, as well as tracking videos that competitors post. But protecting the business from the risks of social media while facilitating a legitimate business need -- at least on a proactive basis -- remains outside the grasp of many businesses.
"People are not there yet. A lot of the tools -- access controls being one -- are coarse and crude," Penn said. Implementing nuanced, automated rules that, for example, allow a marketing department to use YouTube as long as it takes up only so much bandwidth, or is used only during a certain time, is "very difficult," he said.
Companies have people bringing in social media and using it faster than the policies and the security groups can keep up with.
Jonathan Penn, analyst, Forrester Research Inc.
Companies need to monitor their networks and desktops, as well as their social networks, to find out what employees and outsiders are saying about the company. In such situations, however, often the best that can be done with existing technology is to detect problems after the fact, Penn said.
Kurt Baumgarten, vice president of information security at consulting firm Peritus Security Partners LLC in East Longmeadow, Mass., encourages clients to track company information that shows up on social media sites. Monitoring tools like those from Toronto-based Sysomos Inc., while not inexpensive, allow companies to track their online reputations. Such tools also determine whether employees are disclosing sensitive information. There are numerous analytic tools for Twitter, including TweetStats,Twitter Grader and Hootsuite. Such Web and content filtering tools as Websense's SurfControl cover the Internet and email. Indeed, internal tools for monitoring employees' Internet use have been in place for a long time. "Most good firewalls will spit out variances -- a red light alerting this person is uploading 2 GB of data," he said.
Security tools aren't that smart, however. "Intrusion prevention systems aren't smart enough to shut off connections based on the content or syntax of something that people are posting," Baumgarten said. A clear policy on the use of social media is still the first line of defense against social media threats.
That's a tactic not lost on Tom Gainer, senior vice president and CIO of FirstBank Southwest, a regional bank based in Amarillo, Texas. Any webpage that goes up on social media websites, such as Facebook and MySpace, is for the bank and by the bank. Bank webpages are controlled using a dedicated, standalone PC that is off the bank's network, and that PC is accessed by two designated staff persons from inside the bank's four walls. The PC workstation handles only the social media sites the bank chooses to participate in -- and "nothing else," Gainer explained in an email.
Gainer is circumspect about which security tools the bank uses to mitigate risks from the kinds of attacks that can stem from social media. He admits to having what he calls "border security" that looks at all inbound and outbound bank traffic in real time. The bank runs an appliance that lets it control which external sites are visited, and has other security measures that actively look at traffic coming in and going out, he said. "That's about all the info on this I can give you," he added.
And in regard to employee use of social media, currently the bank blocks all access to social media sites for security reasons, Gainer said.
"What staff do outside of the bank is up to them, although we attempt to educate them on the dangers," Gainer said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.