In our previous post we covered some of the important risks that could affect a corporation through internet access. Here we look at some of the ways you can reduce that risk. Of course, the best mitigation would simply be to block internet access for all employees; however, that is unlikely to be good for staff retention or morale. Besides, nowadays many of us need web-enabled applications and email simply to perform our job roles.
So if we accept that allowing access to the internet is inevitable, then it’s important that users read and accept your internet usage policies. They should also follow common-sense guidelines when they are online in order to reduce those security risks to a minimum. These should be distributed to all staff, ideally before their user account is created and internet access granted. Staff who work remotely or outside the physical location should be included too. This is important because if they have access to a remote access server, their online activities will still be linked back to the corporate network. For example, users can access a VPN server like this to do things like watch BBC iPlayer from Spain or stream from digital media sites.
Educate users about the potential business risks and impacts associated with blogging and social networking. Raising user awareness is an essential partner to the organisation’s policy and standards and should ensure that the potential dangers are known to employees who may use such sites. This will also help employees use such services safely when at home.
Avoiding problems with blogging and social networking sites
A number of checks may be applied that will help organisations and their employees avoid problems:
- Verify if the organisation has a relevant policy and the extent to which this applies
- Ensure that Social Networking and Blogging risks are considered within the overall approach to information risk assessment and management
- When registering with a website, understand what you are signing up to and, importantly, what security and confidentiality claims and undertakings exist
- Watch for add-ons i.e. additional features or applications that change the terms and conditions of what you have signed up for, or that may require changes to the security settings of your devices
- Withhold personal details that you do not want to be made public
- Avoid loading work related information to blogging or social networking sites
- Examine carefully any email coming from social networking sites or contacts, as these may be unreliable, contain malicious code, or be spoofed to look as though they are authentic
This list is not complete, and indeed it’s almost impossible to keep it completely up to date. However, the general principles should apply through all technological changes and developments. It should be stressed wherever possible that all communications and opinions expressed online are clearly defined as belonging to the individual. Many companies actually insert disclaimers and text into their email footers and even into any text that is posted through a corporate proxy server. This means that any employee, wherever they work, will be included in this policy, even if they worked from Australia through a VPN.
Most employees nowadays use the internet at work for a variety of reasons. Whether it’s personal finance, shopping or simply entertainment during lunch hours most people will spend a substantial amount of time online. However there is a significant risk to the employer from these activities particularly if people spend a lot of time posting or sharing information on forums and social media.
It is important that these risks are identified and mitigated by various methods, including creating an internet usage policy. This should also cover other internet activities which may affect productivity and network safety. For example, the policy should cover non-work related activities such as using a company VPN to watch BBC from Ireland like this.
Legal liabilities from defamatory postings by employees
When a user registers with a site they typically have to indicate their acceptance of the site’s terms and conditions. These can be several pages long and contain difficult-to-read legal language. Such terms and conditions may give the site ‘ownership’ and ‘third party disclosure’ rights over content placed on the site, and could create possible liabilities for organisations that allow their employees to use them. For example, where a user is registering on a site from a PC within the organisation, it may be assumed that the user is acting on behalf of the organisation, and any libellous or derogatory comments may result in legal action. In addition, information being hosted by the website may be subject to another legal jurisdiction overseas and may be very difficult to correct or remove.
Reputational damage arising from ill-considered or unjustified comments left on sites may adversely affect public opinion toward an individual or organisation. This can lead to a change in social or business status with a danger of consequential impacts.
Malicious code targeting social networking users causing virus infections and consequential damage
Sites may encourage or require the download and installation of additional code in order to maximise the site’s functionality and potential value. Where sites have weak or ineffective security controls it may be possible for code to be changed to contain malicious content such as viruses and Trojans, or to trigger unintended actions such as phishing.
Systems overload from heavy use of sites with implications of degraded services and non-productive activities
Sites can pose threats to an organisation’s information infrastructure. Particularly as the use of rich media (such as video and audio) becomes the norm on such sites, the bandwidth consumption generated by these sites can be significant, and they have the potential to be the biggest bandwidth consumers within an organisation.
Intimidation of employees from inappropriate use of sites leading to investigations
How might the organisation respond to these risks?
Whilst there are technical controls that could be applied, the main defence against threats associated with blogging and social networking is awareness related. Actions that may be considered by NHS organisations include:
- Deploying technical controls to block or control permitted website usage
- Revising and updating organisational policies to include acceptable use of blogging and social networking sites
Policies and standards should be clear about the acceptability of accessing sites during working hours and from the organisation’s internet-connected devices, e.g. PCs, mobile phones, etc. The consequences of non-compliance with organisational policy should also be clear.