The latest annual security survey of 649 Canadian organizations by Telus and the Rotman School of Management indicates that organizations which ban social media at work suffer more - not less - infosec incidents than those which permit it.
According to an article about the survey (cited in the RISKS newsletter): "It might seem counterintuitive, but the survey results confirm what we have been tracking over the last two years," said Rafael Etges, director of security and risk consulting with Telus. "No social networking policies are actually forcing users to access non-trusted sites and use tech devices that are not monitored or controlled by the company security program."
What's the betting that restricting personal email use at work would stimulate a similar adverse and counterproductive reaction from (some) employees? Yet this is the knee-jerk reaction by some naive information security pros and managers.
Sir Isaac Newton's third law of motion is the one about action and reaction - equal and opposing forces, the reason that rocket engines make rockets fly. Autocratic managers blankly telling members of staff they cannot do something that, to them, seems entirely innocuous is the action: a common reaction, it seems, is to find ways around the ban. Being successful in this venture may even prompt employees to become more reactionary or subversive, a bit like naughty children pushing the boundaries of parental control (a classic illustration of social engineering).
Being a security awareness wonk, and I suppose a liberal by nature, I would argue that raising employees' awareness of the security issues associated with social media, email, personal IT devices etc., along with their options for dealing with the risks, is a more effective way of improving security than simply banning them outright. I'm certainly not claiming that awareness will prevent all incidents but an effective awareness program (meaning one that motivates and so achieves more secure - and less insecure - behaviours) can certainly help, for example by helping employees understand, recognize and respond appropriately to the associated threats. If they can be led to appreciate that information security is in their own as well as the company's best interests, that's a more persuasive argument than "Don't do that, or else!". Self-interest is a powerful driver for most people, especially in todays cut-throat me-me-me world.
On the other hand, who knows: maybe combining effective security awareness with a ban on social media, personal webmail or whatever would be even more effective than either part alone? Personally I doubt it but your mileage may vary. Either way, this situation is worth bearing in mind when you are developing security policies and practices on almost any topic. It's relatively easy to write a policy banning bad stuff but takes a bit more thought, effort and creativity to achieve the desired aim with the cooperation of employees rather than strong-arming them into submission. Isn't it better to get employees to think up better ways to acheive a common aim than to spend their lunchtimes plotting revenge against an overbearing management wielding the big stick?
Gary Hinson NoticeBored