Social Networks Are Risky Business

Why does it seem that most IT departments are woefully unprepared for IT innovation? Why are they usually viewed as the detractors and inhibitors of technology rather than the innovators and enablers? My own analysis is that the IT department is saddled with processes based on project management that do not allow for innovation.

The typical process calls for annual plans, budgets, needs assessments, and staff assignments, with the requisite meetings, status reports, and tracking metrics. Look at the technologies that have made their way into the enterprise with none of these management overlays: the Internet, email, instant messaging, WiFi, BlackBerrys, and now iPhones. When you look at that list, you have to ask, “Just what did the IT department bring to the party?”

If your organization is like most, the IT department is tasked with cleaning up after the fact. The most urgent need is usually security. All of these technologies have introduced dire security threats, but the benefits from them are tremendous. Most businesses today cannot even function without email. Part of my job is to help enterprises think about these new technologies and attempt to secure them before they get deployed, so that the painful implementation of policies and security after the fact does not detract from the technology’s benefit. In that light, I am writing today about social networking.

Social networking is simply people using technology to work together, share information, and communicate. A big part of it is the discovery and exploration of people and information that should be linked. Tools that contribute to successful social networking include Facebook, Twitter, LinkedIn, SharePoint, blogs, and the hundreds of applications and spin-off websites that support them. And, like the other consumer technologies mentioned here, you will be just as successful at blocking the use of social networks as you were at blocking email or the Internet.

Lack of Password Control

Social networks, so-called Web 2.0 sites in particular, have become the masters of quick and easy signup. The norm has become to ask users for a unique name, a password, and an email address. To avoid excessive spamming of the groups, a confirmation email is sent. Digg and Reddit are like this, making it easy for users to be anonymous. Some sites, Twitter in particular, fail to even ask for a usable email address. These sites are the most vulnerable to abuse. One aspect of social networks that is deleterious to good security behavior is the tendency for new applications built on top of existing ones to ask for your passwords. It is very common for a new social site to request your Google, MSN, and Yahoo! passwords so that your contact list can be harvested to recruit more members.

During the November elections, a site was launched in India to take an impromptu vote from Twitter users. It required you to enter your Twitter ID and password so that the site could keep track of unique votes. After I blogged about the obvious risk of giving your password to a third party, the authors assured me they had no malicious intent.

Over 20,000 people voted, giving up their IDs and passwords to an unknown site. The risk of losing control over a Twitter account is exacerbated by the fact that most people reuse passwords at multiple sites. In other words, a lost account at Twitter could quickly lead to loss of control over Gmail, Yahoo!, or even corporate access. Does the CEO of Zappos, a prolific and famous Twitterer, use a strong password for his Twitter account? Does he use a different password than his remote access credentials? I don’t know, but I’d bet I’m not the only one wondering.