As a privacy and security professional, I am often asked what other companies are doing with regard to social networking sites like Facebook, Twitter, etc. Most recently, a mid-level manager at one of my business clients mentioned that he would like to block Facebook and wanted my opinion. He mentioned that his staff is predominantly made up of young, twentysomething employees and wanted to know how other client organizations are handling sites like Facebook and Twitter.
So, what’s my answer? It depends! Whether to block sites like Facebook and Twitter depends on your company’s personality and how it treats issues like work/life balance. Let me go through the two scenarios:
1) Blocked
In larger organizations (mostly financial services and banking), I’ve seen that there is ‘zero tolerance’ for this type of activity, particularly where the protection of confidential/sensitive information is paramount.
Why?
To protect against the risk of disclosure of sensitive company/client information. Facebook is an effective medium to communicate information quickly and efficiently to a large audience. The reputational and client risk is not acceptable for most organizations of this nature, hence it is blocked. Typically, so are Hotmail, Gmail, Blogger, Skype, MSN, and Twitter.
2) Not Blocked
In other cases, Facebook is allowed and is treated as an accepted part of normal communications, like phone and email, where incidental personal use is widely accepted. The company understands that, on occasion, it is used to communicate with family and friends.
Why is it allowed?
In some cases, it is because of a lack of concern: there is no real business impact, so they haven’t really thought about it or acted on it. In other cases, it is part of the ‘social norm’ of the company. In most cases, these companies inherently trust their employees to do their work and to ‘self-govern’ their performance and tasks. Outside of the odd exception, most personnel are conscious of the office’s social norms and fall in line. The odd exception is handled on a case-by-case basis and is usually a symptom of a performance-based issue with that specific employee. Hence it is handled by that employee’s manager and is treated much like the case of an employee who spends too much time on the phone with family and friends, or takes extended lunch hours far too often.
Anyway, that is what I’ve seen. You may want to ask the following questions before your company makes a decision on issues like this:
1) Why do we want to block Facebook?
The most important question. If it is to protect against the disclosure of company/client information, then blocking Facebook, other social networking sites, and personal email sites is an effective method. Otherwise, if it is to address performance issues with staff - there are probably more effective methods for managing performance. It all depends on the problem you are trying to address. What is the root of the problem? Is the solution addressing the problem or is it only masking one of the symptoms? I always use the following analogy - sometimes checking the engine when the tires are flat isn’t going to fix the problem.
2) What is the actual business impact?
Is this issue of significance to our business and to our clients? Is it one person or everyone in the organization? When does it happen? The first thing I always recommend is to collect metrics. There are quick and easy tools for gathering them, and in most cases IT departments have the existing capability to report on it.
3) Are staff aware of what is acceptable and not acceptable?
In most cases, staff are unaware of the company’s policy or accepted practice on issues like this. Has a policy been drafted and communicated to staff? The communications should be clear and concise, with the appropriate course of action/consequences. In most cases, this is an effective means of curtailing excessive or abusive use of company assets.
Anyway, those are some of my own personal thoughts. I hope this sheds some light on your situation. Good luck!





