When the media relations department at Global Crossing Ltd. first started planning a company-sponsored external blog last year, Michael Miller, vice president of security at the telecommunications services provider, made sure he was involved in the conversation.
“The normal reaction for most people in a security organization is, ‘How do we restrict this activity?’” he says. “But we wanted to clearly articulate some guidance around blogging in terms of what the employee’s responsibility is, what’s permissible, what isn’t. If you spend all your time blocking it, people will find ways around it.”
Miller’s response strikes at the heart of the corporate debate over how to minimize the security risks opened up by blogging, social networking, video sharing and other interactions that fall under the Web 2.0 umbrella. Companies are wrestling with a multitude of issues, such as whether to restrict employees from blogging on employer-owned equipment, whether to monitor what blogs say, whether to steer blogging activity toward a company-sponsored blog and how to set up parameters around these activities. There’s also the question of whether to open the corporate network to the wild and woolly worlds of MySpace.com, iTunes, Flickr and YouTube.
“Sites like MySpace and YouTube are new ways for companies to get infected by malicious code — viruses or spyware — and other scams,” says Arabella Hallawell, an analyst at Gartner Inc. Examples include the Yamanner worm, which hit Yahoo Mail users, and the Samy and Spaceflash worms, which spread among MySpace users.
For many, the blogging dilemma comes down to weighing the risks and benefits of spotlighting the company’s intellectual capital — the opinions of its employees — and opening new channels of communication with its customers without inadvertently leaking valuable information into the public sphere.
And loss of trade secrets is only one type of threat, according to Diana McKenzie, chairwoman of the information technology group at law firm Neal, Gerber & Eisenberg LLP in Chicago. Other common problems include co-worker harassment and defamation, securities law violations and intellectual property abuses, such as misuse of copyrights or trademarks.
“It’s not uncommon for employees to not know better and say, ‘We’re going to have great earnings this month,’ during a company’s quiet period,” McKenzie says. She even knows of a blogger who discussed where his employer planned to set up hidden security cameras.
Why Not Institute a Policy?
Companies can avoid legal troubles by creating policies for blogging, but not everyone makes that effort. In an exclusive Computerworld survey of 113 IT managers, just over half of the respondents reported that their companies have policies regarding employee participation in social and networking sites (see charts above).
When setting up a blogging policy, Hallawell says, IT should work with the legal and human resources departments to identify rules that might limit how restrictive the policy can be. For example, she says, some state laws — and some trade union agreements — don’t let companies prevent discussion of political activities or certain workplace safety issues. “Blogging raises many complex and gray issues for companies,” she says.
For Miller, pulling together a blogging policy wasn’t difficult. He used Florham Park, N.J.-based Global Crossing’s existing guidelines regarding ethics and acceptable use of technology as a foundation and augmented them to allow for the special considerations of blogging. Particularly relevant were the company’s policies for use of e-mail, “which had a direct parallel to blogging, in terms of confidential information and intellectual property,” Miller says.
Basically, the policy allows all employees to participate in the Web 2.0 community, including posting to blogs and setting up a blog, as long as they follow the guidelines. For instance, bloggers need to identify themselves as representatives of Global Crossing and include disclaimers saying that the views expressed don’t necessarily represent the views of the company.
The policy also includes a section on “doing no harm” that warns against inflammatory posts. “We provide guidance on taking your time and making sure that what you’re posting represents you and what you’re trying to get across,” Miller says. “Don’t post when you’re feeling hot-tempered — stop and cool off.”
The policy is aimed at anyone who chooses to post to a blog or set up his own personal blog, but it also pertains to Global Crossing’s corporate blog, which spotlights six employees, each dealing with a specific issue. “We think there’s value to the corporation in expanding the communication boundaries, but in a way that we’re controlling what’s going on and putting the right measures in place,” Miller says.
Dune Capital Management LP takes a more defensive approach to Web 2.0 security, according to Alphonse Edouard, vice president of IT at the New York-based investment firm. He uses QRadar network security software from Q1 Labs Inc. in Waltham, Mass., to block employees from accessing Web sites such as Plaxo and YouTube during heavy trading times. This is as much a preemptive strike against malicious code as it is a way to prevent overuse of precious network bandwidth, he says.
“When someone’s doing a music download, they’re cutting into the business resource of someone else trying to get market data,” Edouard says. “So we use QRadar to secure our assets and manage resources on the network.”
QRadar monitors which sites employees are visiting and generates flow reports of uploads, downloads and file transfers, as well as how all that activity is affecting bandwidth. This capability also helps Edouard’s team spot problems such as malware attacking the network from within the firewall.
For example, a Trojan horse might enter the network through an e-mail message and establish a secure connection with an outside Web site that results in 100 pop-up ads streaming over the network. Many companies use antivirus software to protect against this, “but you only need one machine compromised, and before you know it, 20 or 30 are compromised by the end of the day,” Edouard says. With QRadar, he can quickly block access to the site when he’s alerted to a suspicious traffic pattern on the network.
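The flow-report triage Edouard describes can be sketched in a few dozen lines. The example below is added here for illustration and is not Q1 Labs or Dune Capital code: it aggregates constructed flow records per internal host and destination, flags a workstation that repeatedly connects to one external site inside a short window (the pattern behind a stream of pop-up ads), reports each host’s share of bandwidth, and derives the destination blocklist an operator would push to the gateway. All addresses, hostnames and thresholds are constructed assumptions.

```python
"""Flow-record triage in the spirit of the QRadar capability described above.
Added example with constructed sample data; not vendor code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of the observation window (constructed)
    src: str         # internal workstation address (constructed)
    dst: str         # external hostname the workstation connected to (constructed)
    bytes_out: int
    bytes_in: int


# Constructed sample: two hosts browsing normally, plus one workstation pulling
# content from a single external host every few seconds.
SAMPLE_FLOWS = [
    Flow(0, "10.0.0.5", "marketdata.example.net", 2_000, 120_000),
    Flow(30, "10.0.0.7", "news.example.com", 1_500, 80_000),
    Flow(60, "10.0.0.5", "marketdata.example.net", 2_100, 118_000),
] + [
    Flow(5 * i, "10.0.0.9", "ads.example-malicious.test", 400, 9_000)
    for i in range(40)
]


def aggregate(flows):
    """Per (src, dst) pair: connection count and bytes in each direction."""
    stats = defaultdict(lambda: {"conns": 0, "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        s = stats[(f.src, f.dst)]
        s["conns"] += 1
        s["bytes_out"] += f.bytes_out
        s["bytes_in"] += f.bytes_in
    return dict(stats)


def find_suspicious_pairs(flows, max_conns=20, window=300):
    """Flag (src, dst) pairs with more than max_conns connections inside any
    window-second span: one workstation hammering one external site."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f.ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # Slide the window so times[lo..hi] spans at most `window` seconds.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_conns:
                flagged.append(pair)
                break
    return flagged


def bandwidth_share(flows):
    """Fraction of all observed bytes attributable to each internal host."""
    total = sum(f.bytes_in + f.bytes_out for f in flows)
    per_host = defaultdict(int)
    for f in flows:
        per_host[f.src] += f.bytes_in + f.bytes_out
    return {h: b / total for h, b in per_host.items()}


def blocklist(flows, **thresholds):
    """Destinations to block, derived from the flagged (src, dst) pairs."""
    return sorted({dst for _, dst in find_suspicious_pairs(flows, **thresholds)})


if __name__ == "__main__":
    for pair, s in aggregate(SAMPLE_FLOWS).items():
        print(pair, s)
    print("suspicious:", find_suspicious_pairs(SAMPLE_FLOWS))
    print("bandwidth share:", bandwidth_share(SAMPLE_FLOWS))
    print("block:", blocklist(SAMPLE_FLOWS))
```

The connection-count rule is deliberately simple; in practice the thresholds would be tuned per site class so that a legitimate market-data feed polling every few seconds is not mistaken for the same pattern.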
Edouard is also cautious about allowing employees to install weather-tracking or search engine tool bars on their workstations. “These add-ins use substantial resources and aren’t really work-related,” he says. “We prefer they use Web-based rather than application-based tools.”
More Policy Than Technology
Organizations are more likely to use policy rather than technology to control the risks raised by Web 2.0 technologies, particularly blogging, according to Hallawell. For instance, she says, well under 15% of companies scan Web traffic for viruses. That’s mainly because existing antivirus tools tend to cause performance problems and many companies don’t think the threat is very high.
A better option for protecting your network against malicious code from Web 2.0 sites, Hallawell says, is an emerging technology she calls the “secure Web gateway,” which is a combination of antivirus software, URL filtering, application controls, Web reputation services and “safe search” tools.
Tools in the emerging content monitoring and filtering (CMF) category are another option. Companies can use CMF systems to block access to Web sites and scan data streams for predetermined character strings to monitor what employees are posting when using the company network. Other names for this type of tool include content security and enterprise content governance systems, says Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference, (McGraw-Hill Osborne Media, 2003). Vendors in this category include Tablus Inc., Reconnex Corp., Vontu Inc., Websense Inc.’s Port Authority unit, The Fidelis Group Inc., Vericept Corp. and Clearswift Ltd.
While CMF technology shows promise, it also has limitations, says Rhodes-Ousley. For instance, “blocking access to specific locations is a cumbersome process inevitably punctuated by holes,” he says. And because determining what content to look for is the responsibility of the people configuring the technology, it’s a naturally error-prone effort.
In addition, “keyword searches aren’t going to catch everything,” says Rhodes-Ousley. And while some of these products allow for quarantining certain types of content, a moderator has to sift through everything that’s quarantined, “which is not an easy job,” he says.
Lastly, CMF tools don’t address image-based content. “This technology is a useful part of a comprehensive data leakage prevention effort, but it’s not enough by itself,” Rhodes-Ousley concludes.
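The mechanics Rhodes-Ousley describes, and each limitation he lists, can be shown with a small outbound-content filter. The example below is added for illustration and is not any vendor’s code: it scans constructed sample posts against a watch list of predetermined strings and one regular expression, quarantines matches into a moderator queue, and includes one rephrased disclosure that matches nothing and one harmless post that is quarantined anyway, which is the sifting burden the text mentions. The code name, document-id pattern and sample posts are constructed assumptions.

```python
"""Minimal content-monitoring filter of the kind described above.
Added example with a constructed watch list and posts; not vendor code."""
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    action: str                 # "allow" or "quarantine"
    matched: list = field(default_factory=list)


class ContentFilter:
    def __init__(self, phrases, patterns):
        # Predetermined strings are matched case-insensitively as substrings;
        # patterns are regular expressions for structured identifiers.
        self.phrases = [p.lower() for p in phrases]
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]
        self.quarantine = []    # moderator queue: (text, hits)

    def scan(self, text):
        lowered = text.lower()
        hits = [p for p in self.phrases if p in lowered]
        hits += [m.group(0) for r in self.patterns for m in r.finditer(text)]
        verdict = Verdict("quarantine" if hits else "allow", hits)
        if hits:
            self.quarantine.append((text, hits))
        return verdict


# Constructed watch list: a hypothetical project code name, a confidentiality
# marking, and a pattern for a hypothetical internal document id.
FILTER_CONFIG = dict(
    phrases=["project bluefin", "internal use only"],
    patterns=[r"\bDOC-\d{6}\b"],
)

# Constructed outbound posts, named for what the filter does with them.
SAMPLE_POSTS = {
    "caught_phrase": "Sneak peek: Project Bluefin ships next quarter!",
    "caught_pattern": "See DOC-004211 for the full roadmap.",
    # Same disclosure with the code name paraphrased: no predetermined string
    # is present, so keyword matching lets it through.
    "missed_rephrase": "Our new fin-named product ships next quarter!",
    # Harmless text that happens to contain a watched phrase: a moderator
    # still has to review it.
    "false_positive": "Our new cafe menu is for internal use only.",
    "benign": "Great conference talk on wiki adoption today.",
}


def run_sample():
    """Scan every sample post; return the verdicts and the loaded filter."""
    f = ContentFilter(**FILTER_CONFIG)
    verdicts = {name: f.scan(text) for name, text in SAMPLE_POSTS.items()}
    return verdicts, f


if __name__ == "__main__":
    verdicts, f = run_sample()
    for name, v in verdicts.items():
        print(f"{name:16s} {v.action:10s} {v.matched}")
    print(f"{len(f.quarantine)} item(s) awaiting moderator review")
```

Two of the five constructed posts leak the same fact, but only the one containing the exact watched string is stopped, while an unrelated post lands in the queue. Image attachments never reach the string matcher at all, which is the third limitation the text names.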
“This is still an emerging market,” with less than $50 million to $60 million in sales in 2006, says Hallawell. “But we expect more acquisitions in this space by antivirus, e-mail and URL filtering vendors,” she adds.
A Management Failure
The weaknesses of filtering tools aren’t just technological ones, according to Tim Bray, director of Web technologies at Sun Microsystems Inc. They’re also managerial.
“If you think you need filtering technologies to be sure your employees aren’t damaging your reputation, that’s a management problem, not a technology one,” he says. “If employees can’t be trusted, technology is the least of your problems.”
Sun was one of the first companies to institute a blogging policy and claims 2,000 to 3,000 active bloggers among its employees, both on and off the corporate-sponsored blogging site (www.blogs.sun.com). Bray says Sun doesn’t worry too much about malicious code entering the network from Web 2.0 sites because as a Macintosh shop, it’s less vulnerable to viruses.
Bray has maintained his own personal blog since 2003. “One of the reasons why blogs have been so effective in general and extremely so at Sun is that the message has not been homogenized,” he says. “Press releases are not particularly what ordinary people want to read.” Active blogging has also helped the company communicate better with its community of users. “We have much more sensitive antennas than we would without it,” Bray says.
Global Crossing has filtering technology but uses it only when abuse is suspected. The URL filtering system from Secure Computing Corp. in San Jose can track where employees are spending time on the Web. “It’s important to have a policy in place and allow people to get out and participate in the community,” Miller says. “But it’s also important from a security standpoint to have the right tools in place so that if there is misuse, you can go back and take proactive steps to stop it.”
Charts (survey questions; percentages not reproduced in the text):
Put It in Writing: Does your company have a policy regarding employees participating in blogs, wikis or sites such as MySpace, or visiting online sites such as YouTube, Pandora or Second Life, during work hours? (Base = 113 IT managers)
Just Say No: Does your company ban such activities or sites? (Base = 59 respondents who said their companies have policies regarding social sites)
Growing Trend: Will your company be working on a policy regarding employee participation in social/networking sites in 2007? (Base = 54 respondents who said their companies don’t have policies regarding social sites or were not sure)
A Growing Problem: Has your organization had security problems related to these types of social/networking sites? (Base = 113 IT managers)
Brandel is a Computerworld contributing writer.