Facebook: A boon to business security?

The Australian division of GE Commercial Finance argues Facebook is a useful tool for educating staff in good security practices

While some employers are banning staff from accessing Facebook, fearing security risks and lowered productivity, GE Commercial Finance is encouraging use of the social networking site to improve staff security practices.

The Australian division of GE Commercial Finance is encouraging more than 1,000 staff in its Australian and New Zealand operations — from the mail room to the boardroom — to embrace the social networking website as a means of improving staff security practices at work, GE Commercial Finance's IT security and risk analyst, Ashley Jones, said.

Jones said he has noticed staff putting far too much information on websites such as Facebook, including where they work and their date of birth — key details he is trying to get staff to be more protective of. By teaching employees to look after their details on social networking sites such as Facebook, GE Commercial is hoping to extend good security practice across the organisation.

Social networking sites have been cited by security firms as a major risk to organisations' information security, due to staff putting too many personal details on publicly accessible websites, which can be used by criminals to perpetrate identity fraud.

Facebook specifically has also been blamed for negatively impacting worker productivity. Security firm Sophos recently conducted a survey of 500 staff which found that 10 percent of the respondents visited Facebook over 10 times a day, while 14.7 percent were logged onto their accounts all day.

While this may be true, GE Commercial Finance's Jones said that Facebook can help staff overcome difficulties around understanding complex security concepts and also prove more effective for communicating with workers than traditional methods.

"If I sent out a mass mail to staff members which said: 'Don't write your passwords down because, if someone gets it, they can get into our system and steal millions of dollars', they might say: 'Whatever'. But if I say: 'Don't put your personal information onto Facebook because someone can steal your identity and can steal money from your bank account', they are likely to take notice because the threat is personal, rather than to the organisation as such," said Jones.

A good measurement of the success of a company's security policies and practices is when information security is integral to the organisation's culture — for example, when staff dispose of paper by shredding it or putting into a secure storage unit, said Jones.

In addition to using Facebook as an education tool, Jones has developed multiple means to communicate security messages to staff, including distributing desktop wallpapers covering a range of security issues, such as how to protect passwords and electronic keys.

Jones said his team has also begun to tailor its approach to security education for different units within the business.

"We've also tried to join team meetings, which enables me to do more business-focused presentations. So, if we go down to the customer contact centre, I could emphasise social engineering, because they are more likely to get people on the phone trying to extract information," said Jones.