


Embrace social networking and consumer devices, but watch your legal back

Sep 19, 2011 | 3 mins
Data and Information Security

We hear a lot about social networking as a security threat and productivity drain. But James Beeson, CISO of GE Capital, says that kind of thinking is all wrong.

At the CSO Security Standard event in New York today, he said it’s time to start learning to think like a digital native — not just when it comes to social networking, but also when it comes to using consumer devices like Androids and iPads in the workplace.

“They think differently. They prefer texting to phone calls. They research things far differently than baby boomers did,” he said of the younger generations.

Without question, there are big security risks attached to social networking, which we’ve covered extensively in such articles as “The 7 deadly sins of social networking.”

But there are some basic steps companies can take — if they haven’t already — to make this whole thing work, he said:

-Have a policy

-Teach data protection and personalize it

-Think through the regulatory policies and make adjustments to account for the social networking world and consumer devices like smartphones and tablets

-Focus hard on data leakage prevention

In focusing on the dangers, Beeson thinks a lot of companies are blind to some significant security advantages in Twitter, Facebook, LinkedIn and newer platforms like Google+.

“Social networking is actually helping with our security attention span,” he said. “My kids are more aware of the bad stuff out there. It’s giving us a much better digital trail. We are getting a much better baseline of user activity, which can help us understand the new normal so we can more effectively identify today’s abnormal activity.”

He noted the conundrum we face: Company leaders tend to see social networking as a waste of time that kills productivity. Digital natives find it essential for collaboration and efficiency.

But the digital natives are not going to turn back, so the older generation needs to get on board.

“This is not a choice. You’ve already enabled the workforce whether you like it or not. We are already there,” he said. As examples, he said that:

-Texting and apps are overtaking voice

-PC and laptop sales are dropping

Of course, there are risks companies should be on guard against, he said. They include:

-End users circumventing IT

-Productivity overtaking risk perception

-Malware thriving and the target growing

-A proliferation of unstructured data

-Location-aware devices can be dangerous to personal safety

-Policy compliance gets trickier, especially in Europe, where there are a host of regulations on top of those we’re used to in the U.S.

Another tricky matter is that corporate IT security procedures can spark lawsuits.

“I can absolutely see an employee filing a lawsuit because the company decided to wipe personal data, including family pictures, from a device,” he said.

Asked if that should be less of an issue for companies with clear policies stating that they reserve the right to wipe data from any device used for business, he said:

“That could be the case to some extent. But people are always ignoring terms of use and clicking ‘accept’ to get to the next thing. People agree to things without reading the fine print first.”

Whatever the policy, someone who hasn’t read through it will still file a lawsuit.

The company may have a policy that covers the legal bases, but they still have to devote resources toward fighting the lawsuit. And, he added, you can never be certain how a judge will rule in such matters.

–Bill Brenner
