Infosec: Workplace Facebook bans are a waste of time

News 26 Apr, 2012

Web security vendor Barracuda Networks claims banning staff from using social networking sites still exposes firms to risks.

IT departments that try to ban employees from accessing social networking sites for security reasons are fighting a losing battle, claims security vendor Barracuda Networks.

Speaking to IT Pro at Infosecurity Europe, the firm’s chief research officer, Dr. Paul Judge, said most end users find a way round blanket bans on Facebook and Twitter use in the workplace.

And, with newer sites such as Pinterest and Instagram emerging and growing in popularity, it is an evolving situation that is hard for IT departments to keep tabs on.

“If you look at the time people spend online, the biggest time drain is social networks. So, if you’re an attacker trying to get in front of more eyeballs, it’s the place to be,” said Judge.

“[These attackers] are making millions of fake accounts to interact with legitimate people and, potentially, your company’s employees are exposing you to risk.”

However, rather than stop people using them completely, there are steps companies can take to mitigate these risks.

“A lot of companies try to tell people they can’t use Facebook or Twitter, but it is easier to let them access the sites in a controlled way,” he explained.

“For instance, they can use application control rules or policies to protect themselves against malware, viruses and data loss by controlling the amount of risk social networks expose them to.”

He said businesses should make use of "read-only web" tools, which allow employees to visit sites but prohibit them from downloading and uploading content.

“You can compromise in other ways by letting employees access Facebook, but use tools that stop them from accessing user profiles and limit access to company-related pages,” he added.

“There are tools that scan Facebook and Twitter profiles, looking for suspicious content, malware and spam, which gives employees access to a wider range of pages in a controlled way.”

Aside from social networking sites, he claimed businesses are also leaving themselves open to attack by failing to secure their corporate sites properly.

“Large financial institutions have been doing [a great job of this] for years, but your average company’s website is just sat out on the internet with nothing protecting it,” he claimed.

“It is changing. The Anonymous era has increased awareness of network and website breaches and increasingly the board is saying to the IT department, ‘how can we stop that happening to us?’”