They’re a productivity sink and a bandwidth suck. They’re a vector for malware and a gift for corporate spies. They’re a data spill just waiting to happen. And like it or not, they’re already inside your enterprise.
Meet the Social Network. No, not that movie about Mark Zuckerberg — the real social network, from Facebook and MySpace to Twitter and Flickr, used by your coworkers and colleagues every single day, whether they’re officially allowed to or not.
But social networking inside the enterprise is not only inevitable, it’s essential. Used correctly, social media can help your company solve problems, burnish its public image, recruit top talent, and generate ideas. Implemented poorly — or worse, ignored — and it can create a world of pain.
You can get on the social bus, or you get dragged behind it — your choice.
Taming the social network: With friends like these, who needs enemies?
What could go wrong with giving unfettered access to social networks at work? Plenty. Even if you manage to keep employees from spending all day milking cows and harvesting crops in Farmville, a host of other potential threats lurk just below the surface.
Take bandwidth, for example. Social media is consuming ever increasing amounts of network resources, according to Palo Alto Networks’ Application Usage and Risk Report. While the number of social media apps found on corporate networks has remained relatively stable over the past year, the bandwidth these apps consume has more than doubled and is expected to grow even more.
“Social media traffic is massive,” says Rene Bonvanie, vice president of worldwide marketing for the network security vendor. “We see the bandwidth demands going up substantially through social media apps. In many cases, it does conflict with business systems in these organizations, which could lead to continuity issues.”
Worse, because they’re based on trust, social networks have become very effective vectors for spreading malware, says Sarah Carter, chief strategy officer for FaceTime, a maker of Web 2.0 security tools — much more so than, say, email.
“We’re well trained in the email and traditional Web world,” Carter says. “We don’t click on .exe attachments or URLs that look suspicious — heck we probably don’t even see them anymore because of our spam filters. But in the world of social networking, where the person we’re receiving the message/notification from is inside our trusted network of people, we’re more susceptible to just plain clicking on that link and infecting ourselves.”
According to Panda Security’s Social Media Risk Index [PDF], one-third of small-to-midsize businesses have suffered a malware infection initiated through social media, with Facebook as the leading source. Malware threats once thought of as nearly extinct have made a rousing comeback in business environments, thanks to overly trusting social networkers.
Yet the biggest threat is probably the accidental data leak, wherein well-meaning employees tweet details of secret projects they’re working on, “check in” to meetings between two companies on a verge of a confidential deal, or post status updates that mention internal problems at the company. It’s not quite on the scale of, say, losing a prototype iPhone in a bar, but employee social media gaffes can cause your organization everything from public embarrassment to legal liabilities.
“I can’t begin to tell you how many times companies come to us because they’ve discovered their employees were using social networks that compromised sensitive data,” says Mike Logan, CEO of Axis Technology, a vendor of data masking products. “A P2P network or a social network like Facebook that collects info is pretty much the equivalent of digging a tunnel right into a company’s data center.”
“It all boils down to what is written in the terms of service,” says Carter. “These differ between the different social networks, which creates its own problems. Having proprietary data residing on a social network should absolutely create concerns for enterprises, especially if that data is not stored anywhere else. Enterprises should look at their record retention policies and not rely on Facebook, LinkedIn, or Twitter to store that data for them.”
Taming the social network: Block social media at your peril
From an IT perspective, an understandable response to social media is to block it and forget about it. Depending on the survey, some 30 to 50 percent of organizations polled say they ban employees from using Facebook, Twitter, LinkedIn, and other popular social media sites at work. Simply add facebook.com and twitter.com to your list of forbidden URLs and get back to the real work at hand, right?
Wrong, says Palo Alto Networks’ Bonvanie. Most companies are in denial about how much their employees are using social nets, as well as what they can do to stop it.
“You ask some IT people about social media and they’ll say, ‘Nobody’s using Facebook on our network,’ or, ‘They can’t use it because we’re using IPS or URL filtering to block it,'” Bonvanie says. “In both cases, those IT people are completely wrong. We see massive penetration of social media in the enterprise.”
How massive? Palo Alto Networks has detected Facebook use on 92 percent of the 347 enterprise networks it surveyed last spring. Twitter was detected on 87 percent of corporate nets; LinkedIn and MySpace, 83 and 82 percent, respectively.
When IT has taken steps to block access to Facebook and other social sites on the network, users invariably find a way around those barriers, says Bonvanie.
“It’s very easy for someone to go around those blocks using a public proxy,” he says. “Five minutes later they’re back on Facebook and you’ve lost all control. Believe me, employees are very motivated when it comes to getting on Facebook.”
Even if you did manage to somehow keep all your employees from accessing social networks at work, there’s little you can do to keep them from tweeting their little heads off about company secrets when they head home at night. And social media blocker beware: Employees are more likely to rip into your company on social sites after hours if they can’t get to those sites at work, Bonvanie adds.
“The motivation for someone to log on to Facebook and go off about their company is a lot higher if you block their access at work than if you allow them,” Bonvanie says. “If you piss them off at work, that’s what they’re going to do when they get home. If the culture at work is to allow social media but be smart about it, tell people how to act and what not to say, they’re not likely to do it at home.”
A partial solution is provided by tools like FaceTime’s Socialite or Palo Alto Networks’ next-generation firewalls, which offer granular controls over which features each employee can access on the social network. For example, a company might allow full access to Facebook, but block usage of third-party apps like Farmville or native features like chat. Granular control could enable employees in the marketing or customer service departments to use Twitter to promote the company and solve user problems, while keeping those with access to sensitive information offline. Or it might allow some employees to simply read but not write — so they can scan LinkedIn profiles for recruiting purposes, but not spend valuable company time updating their own résumés.
Some of these controls can extend outside the company as well. If an employee posts something they shouldn’t from an off-network home PC or an Internet cafe, for example, Socialite can identify and archive the new posts the next time the user logs in to their accounts via the corporate net, notes Carter.
Another potential solution is data leak prevention software. About 70 percent of all data leaks are the result of an employee accidentally or intentionally spilling the beans, says Alexey Raevsky, CEO for Zecurion. DLP suites like Zecurion’s can monitor all outbound communications — email, chat, and social media updates — and block anything deemed confidential or proprietary from leaving the company’s network. But using DLP means keeping a close watch on what information your company deems sensitive and updating those filters regularly as it changes.
“Social media makes it easy to say things you shouldn’t,” says Bonvanie. “The technology needs to do more than a simple binary block or allow.”
Taming the social network: Warning: Stupidity ahead, please exercise caution
The problem with using software tools to combat social media ills is that they lack a “stupidity filter,” FaceTime’s Carter notes. The world’s best social media security or DLP suite can’t keep employees from posting something dumb or embarrassing to their walls.
“What’s most important is education,” says Carter. “Educate, re-educate, and educate again. Put technology coaching solutions in place, where you can remind users of the risks regularly and remind them also of your company policy about visiting sites that are not relevant to business.”
Every company needs to address social networking and create comprehensive policies governing how they can and can’t be used. Yet four out of five enterprises lack such policies, says Kurt Underwood, managing director, global risk leader for IT for Protiviti, a risk management consultancy. That can lead to major legal and regulatory problems down the road.
“You can try to ignore social networks, but the legal and reputational dangers will still be there,” he says. “If employees are using business resources — network servers, desktops, or laptops — to access a social media site or using any portion of it for business purposes, the data being shared on it needs to be viewed just as you’d view information shared across the company’s email system. That’s a big eye-opener for most CIOs.”
Creating social policies doesn’t have to be an ordeal. Sites like Social Media Governance or Social Media Today are designed to help organizations create workplace policies for social media. But the best source for laying the rules of the social road may be sitting in the corporate cafeteria.
When IBM needed to create Internet guidelines for its 400,000 global employees, it turned to the most logical source: the employees themselves. IBM published its first set of guidelines around blogging in 2005, which was created via an employee-driven wiki. Those rules have been overhauled twice since then to reflect changes in technology, including a 2010 version that deals explicitly with social networks.
The guidelines are filled with commonsense advice; for example, they recommend not posting anonymously, trying not to pick fights, always writing in the first person, identifying yourself as an employee when posting about company matters, and making it clear the comments you post are your own personal opinions, not those of IBM.
What you won’t find: heavy-handed warnings or details about the punishments meted out for social media misconduct.
“One thing that’s critical and built into both our guides about social computing and about proper business conduct is the notion of trust,” says John Rooney, program lead for innovation and collaboration at IBM. “We have a culture where we want our employees to understand they’re trusted to act professionally and to represent the best interests of IBM. If potential conflicts do come up, we have ways to manage that. But we’ve had very few cases where we had to take any action in that regard.”
The key to creating policies employees will actually follow is achieving the right balance between formal rules and gentle encouragement, says Scott Gracyalny, managing director and global lead of risk technology services at Protiviti.
“Generally speaking, the policy should be comprehensive but not so rigid that it causes employees to try to circumvent your security controls,” he says. “It should be written in a positive tone that creates a feeling of empowerment, as opposed to ‘don’t do this’ or ‘you can’t do that.'”
Another solution: “Don’t hire stupid employees,” says Jan Aleman, CEO for Servoy, a developer of hybrid SaaS and on-premises software with 108 employees. “At Servoy people already know what they can and cannot say on Facebook. As an open source company we don’t have a lot of secrets. You can already see everything our tech guys are doing, because we commit our code to a public place. But if you had a bigger company or less intelligent people working for you, you’d probably want some guidelines in place.”
Taming the social network: Tapping insights from 500 million of your closest friends
Despite the difficulties, having a presence on social networks is rapidly becoming a requirement for doing business. Yet some enterprises are still balking, notes Underwood.
“It’s like we’re back in 1993, when enterprises were trying to decide whether to participate in this thing called the Internet or simply ignore it,” he says.
For things like recruiting, marketing, and customer service, using public social nets is a no-brainer. For example, Servoy actively trolls Facebook groups built around fourth-generation programming languages like FoxPro and recruits their members to webinars. It also uses its Facebook presence to solicit feedback from customers.
“It’s good to talk to your customers and find out what they think is important,” says Aleman. “Otherwise you could develop your products in a way you think is best but isn’t what the market wants.”
IBM has folded Facebook and Twitter into its corporate communications strategy, just as it did with blogs five years ago, says Rooney.
“We have people on Facebook actively talking about the things they’re working on at IBM, which we see as a big positive,” says Rooney. “When people are looking for a particular kind of expertise, Facebook makes it more possible to discover that at IBM. Social media gives us a pathway to engage directly with clients, demonstrate openness, project the future of what we’re working on. It’s a way to collect feedback on what we’re working on and improve our product offerings.”
Language learning company Rosetta Stone recently integrated its Parature CRM and customer support systems with Facebook, offering the same knowledge bases and support options like live chat on Facebook as it does on its its own website, as well as the same ability to capture all of that real-time customer data in its CRM. Launched in August, Rosetta’s Facebook page had already garnered more than 22,000 fans at press time.
A big difference between social media and typical online support channels is “the viral nature of a positive experience,” says Parature founder Duke Chung. “When someone posts on a Facebook wall or uses our live chat and gets an answer to their question, we give them the option to share that experience with their friends. They can say, ‘I just got my answer and now I’m back to learning Japanese faster than ever,’ and 500 of their friends see it. It lets Rosetta’s customers market their great experiences via Facebook streams.”
The other big advantage, says Rosetta Stone senior vice president Jay Topper, is how much data companies can glean from sites like Facebook — for absolutely free.
“Companies spend so much money trying to get information from their customers, while places like Facebook are essentially a free 24/7 focus group where every day thousands of people are providing you with a constant flow of information,” he says. “It’s mind-boggling how much you could mine from this.”
Taming the social network: Your own private social network
Of course, you probably don’t want your product road map being retweeted by Ashton Kutcher. You don’t really need 10,000 people on Facebook to “like” ideas your development team is still mulling. It’s usually not smart to post photos from company parties on Flickr or MySpace. Public social networks are poor solutions for a great many things.
But if you want the benefits of social nets — collaboration across geographies, instant feedback, and real-time communication — without the risks associated with public exposure, a private social network may be just the ticket.
For example, AT&T uses Spigit’s social media technology to create a mass virtual water cooler for the telecom giant. About 45,000 employees — roughly one-sixth of AT&T’s global workforce — participate in The Innovation Pipeline, its online brainstorming community. The company has already implemented one idea suggested by employees: creating a TV channel that shows the differences between HDTV and normal resolution, to help AT&T sell high-definition programming packages to its broadband U-Verse customers. Several more are in development, says Patrick Asher, innovation leader for the company.
If an idea is too good — or such a no-brainer that it deserves immediate implementation — company executives can pull it from Spigit sites before it leaks to competitors, notes Spigit CEO Paul Pluschkell.
“It’s all about bringing ideas to market that much quicker,” he says. “Until you execute on it, an idea is just an idea.”
Gaming network IGN Entertainment uses Yammer, a hosted social networking service, to collaborate and comment on each others’ ideas. It began when a single IGN engineer signed up for Yammer and now has spread virally to the entire company, says Greg Silva, vice president of HR. As the geeks critique, management can see who’s contributing which ideas, and gauge how engaged they are with the company and the industry as a whole.
“Yammer gives our leadership team the opportunity to see which employees are consistently contributing ideas and adding to the conversation,” Silva says. “And because we operate in five locations worldwide, it gives our employees the opportunity to engage in any discussion, no matter where it started.”
When Synaptics, a $500 million maker of touchscreen technology, was looking for a “21st-century communications tool” that allowed people to collaborate 24/7, it turned to Broadvision’s Clearvale, says Jim Harrington, senior vice president of global human resources for the company.
“Too many times when you send out email people just delete it without reading,” he says. “Clearvale enables us to build communities inside our company that are able to communicate with external communities for things like recruiting. It also allows us to communicate between different internal communities such as marketing and product development, or between product development and human resources.”
Internally or externally, the rest of the world is adopting social media. If your company isn’t there, they’ll just end up talking about you behind your back.
“The first thing you have to understand is that, if you’re not present on social media, if you don’t have brand and corporate advocates in these spaces, you’ll have no opportunities to address concerns and correct problems,” says IBM’s Rooney. “You’re not going to fix it or protect your brand by ignoring them. If you’re engaging authentically and directly, if you exhibit openness and a willingness to listen, you’ve got a much greater opportunity to change hearts and minds.”