Facebook: The new staff security education tool
While some employers are banning staff from accessing Facebook fearing security risks and productivity hits, GE Commercial Finance is encouraging use of the social network site to improve staff security practices.
The Australian division of GE Commercial Finance is encouraging more than 1,000 staff in its Australian and New Zealand operations -- from the mailroom to the boardroom -- to embrace the social networking Web site as a means to improve staff security practices at work, GE Commercial Finance's IT security and risk analyst Ashley Jones told ZDNet Australia.
Jones said he has noticed staff putting far too much information on Web sites such as Facebook, including where they work and their date of birth -- key details he is trying to get staff to be more protective of. By teaching employees to look after their details on social networking sites such as Facebook, GE Commercial is hoping to extend good security practice across the organisation.
Social networking sites have been cited by security firms as a major risk to organisations' information security due to staff putting too many personal details on publicly accessible Web sites, which can be used by criminals to perpetrate identity fraud.
Facebook specifically has also been blamed for negatively impacting worker productivity. Security firm Sophos recently conducted a survey of 500 staff which found that 10 percent of the respondents visited Facebook over 10 times a day while 14.7 percent were logged on to their accounts all day.
While this may be true, GE Commercial Finance's Jones said that Facebook can help staff overcome difficulties around understanding complex security concepts and also prove more effective for communicating with workers than traditional methods.
"If I sent out a mass mail to staff members which said, 'Don't write your passwords down because if someone gets it they can get into our system and steal millions of dollars', they might say, 'whatever'. But if I say, don't put your personal information on to Facebook because someone can steal your identity, and can steal money from your bank account, they are likely to take notice because the threat is personal, rather than to the organisation as such," said Jones.
A good measurement of the success of a company's security policies and practices is when information security is integral to the organisation's culture -- for example, when staff dispose of paper by shredding it or putting into a secure storage unit, said Jones.
In addition to using Facebook as an education tool, Jones has developed multiple means to communicate security messages to staff, including distributing desktop wallpapers covering a range of security issues including how to protect passwords and electronic keys.
Jones said his team has also begun to tailor its approach to security education for different units within the business.
"We've also tried to join team meetings, which enables me to do more business focused presentations. So if we go down to the customer contact centre, I could emphasise social engineering, because they are more likely to get people on the phone trying to extract information," said Jones.