Social Networking for Business Reasons...What About The Risks?

Matt blogged earlier about Haworth adopting various and sundry social networking applications.  Haworth is a perfect example of an organization that is a bit ahead of the curve - adopting these applications for business reasons, yet managing the inherent risks.  More thoughts on that:

Any organizations that are not yet diving into social networks headfirst will be doing so shortly.  There are lots of legitimate business reasons to embrace social networking applications - seems like lists of why you should engage are cropping up weekly - here most recently, but marketers also salivate over the sheer size of the audience - here.  Mostly, organizations are interested in new, fast, cost-effective marketing channels, customer intimacy, and reaching a new generation of consumers (although social networking adoption is rapid among the over-55 set - with 19% of over-55 Internet users participating).  Some organizations embrace these apps for purely employee culture reasons.  It is worth noting that many organizations don't quite know what they're going to get out of the experience - so there is a tremendous amount of experimentation.

In most organizations, information security professionals cannot (and should not) stand in front of the social networking steamroller, but should instead help their organizations manage the risks associated with social networking applications.  But what are those risks?  And how does one manage them?

Step 1:  Understand the Risks.  Worms like Koobface have been discussed extensively.  Obscured or shortened links leading to phishing scams or malware are the current darling of the press.  Legitimate accounts are being hacked to spread trojans to followers.  Some organizations have concerns about employee productivity drain, compliance issues, or the potential for data loss.  The most interesting (and dangerous) piece though is summed up nicely in this SecurityFocus piece, and is historically consistent with the dynamics associated with other types of communication technologies upon initial adoption (e.g., email, IM) - that the hundreds of millions of users of social networking applications are far too trusting of interactions that they have within the medium.

Step 2:  Manage Risks.  So given that information security professionals can't/shouldn't stand in the way of this steamroller (that scene in Austin Powers comes to mind), and that enterprises will be experimenting heavily, what can be done?  First, understand what's going on.  Most organizations guess, try to glean bits of information from various security components, but don't REALLY know what applications are running on their networks.  Second, work with the business to create policies that enable the business to experiment, innovate, and realize the benefits of social networking applications - but limit the exposure to the aforementioned risks.  In other words, don't ban the apps unilaterally, but limit use by user, group, application function, time, or content (threat, confidential data, etc.) - to ensure benefit without taking on undue risk.  By the way, because we're still in the experimentation phase, these policies are going to be pretty dynamic for a while.  Third - get control over which applications are running on your network (enforce those policies).

Social networking applications are here to stay, and will be part of various business initiatives (we just don't fully understand how yet).  Don't get hit by the steamroller.