A web of deceit?

Social networking sites aren't all bad; they just need to be analysed in terms of benefits and risks.

IT organisations and business leaders, says Gartner, are struggling to understand the business risks and benefits of uncontrolled access to social networking sites.

“In a survey carried out in November 2007 at Gartner ITxpo, 38% of the 309 respondents indicated their organisations blocked access, 9% supported only limited access, 49% allowed unlimited access or simply took no action, and only 3% indicated that their organisations encouraged the use of such sites. These results are supported by anecdotal evidence from numerous discussions with clients in the US, Europe and Australia, as well as media reports from other sources. Blocking will not eliminate all risks, and it's likely to offend employees and have unintended consequences,” the report states.

That said, social networking sites do present some risk - notably productivity, security, acceptable usage and corporate liability, data loss and privacy risks, Gartner says. Conversely, the report notes, these sites have advantages too, specifically: attracting/retaining next-generation employees, providing a better work/life balance, fostering innovation of business practices, and advertising and marketing.

“There are legitimate risks involved with allowing uncontrolled access to social networking sites; however, most can be minimised through the use of a comprehensive Web security strategy,” report author Peter Firstbrook says. “Most of the risks are not exclusive to social networking sites; therefore, simply blocking these sites will not mitigate the hazards of increasingly interactive consumer Web applications.” Further, he notes: “There are corporate advantages to allowing social networking sites, the most compelling of which are attracting employees and providing a progressive work environment.”

Gartner has the following recommendations for organisations grappling with the social networking question:

1. Organisations should only block social networking sites after conducting a careful analysis of the risks and benefits. Management, not the IT organisation, should make the decision.

2. Update employee guidelines, employment contracts and acceptable use guidelines for interactive Web sites (not just social networking sites), to align them with acceptable Web use policies. However, the IT department should provide only technical guidance to HR and legal - the IT organisation should not allow itself to be perceived as the author of the policy.

3. Block social networking sites only when there is significant corporate risk that can't be mitigated by other security controls. Use secure Web gateways (SWGs) or URL-filtering software to monitor and enforce your policies, or where the specific social networking site frequently allows or promotes the dissemination of content (such as suggestive or sexual material and copyrighted information) that is counter to established corporate policy.

4. Develop a user education programme to warn employees about the indiscriminate distribution of personal information. Include clear guidance on use of data that involves corporate activities and affiliations, personal information and intellectual property.

* Report courtesy of Gartner, information sourced from: Social-Networking Sites Present Real Business Risks and Benefits, Peter Firstbrook, 10 March 2008.
