Thursday, August 13, 2009

An Unscientific Poll on Social Nets and Information Security

This morning I, along with identity theft expert John Sileo, delivered a webinar on the security and privacy impact of social networking. A timely topic and, judging by the number of people attending (102 on the live broadcast), of interest to a lot of folks.

Given the time available (45 minutes), we had to treat this broadly, aiming to raise awareness rather than to describe in any detail how specific utilities affect information security.

(You can view the recorded presentation here, if you are interested.)

Rather than rehash the issues discussed during the webinar, I thought it might be worthwhile sharing the results of the polling we did during the presentation. The methodology was unscientific, but interesting just the same.

Attendee use of the “Big Four” social networking sites (Facebook, MySpace, LinkedIn, Twitter):
• 10% not users
• 33% used one
• 33% used two
• 18% used three
• 5% used four
(Due to format constraints we didn’t ask which specific utilities were the ones being used.)

What percentage of your employees do you estimate are users of online social networks?
• 40% said 75% or more
• 27% said 50-75%
• 30% said 25-50%
• 3% said under 25%
• 0% said zero

What is the primary use of social networks within the attendees’ company?
• 4% said sales tool
• 46% said PR/brand awareness
• 0% said customer service monitoring/engagement
• 19% said internal communications/team building
• 31% “Hello? Is this thing on?”

Attendees’ view of their organization’s awareness of the infosec/privacy risks associated with social networking:
• 24% said policy & training are fully developed
• 28% said there’s a plan in place, but it is insufficient
• 2% said they are in the planning stages
• 16% said they need to get moving

All of these results were interesting to me. I was surprised that only 23% (aggregate) of attendees said they used three or more of the Big Four, but perhaps I’m just exposing my personal bias given my use of Facebook, Twitter, and LinkedIn. But the poll result that I found most fascinating was the last one.

Although the numbers are far from reliable, I was surprised that only 24% of those responding to our webinar poll believed their organization had a fully developed plan in place to address the risks associated with social networking. Nearly half of the organizations (48% aggregate) don’t have a plan in place, and 28% have a plan, but one that is insufficient to meet the risks we discussed.

At the end we outlined the steps toward implementation of a working security strategy:
• Acknowledge
• Understand
• Decide
• Develop
• Educate
• Reinforce

If these figures, along with an abundance of anecdotal evidence, mean anything, it is that we have a long way to go before most companies can move beyond step two and start making informed decisions about data privacy and security in the age of online social networks.