Is Facebook key to teaching staff better security?

The Australian division of GE Commercial Finance is encouraging more than 1,000 staff in its Australian and New Zealand operations to embrace the social networking website as a means of improving staff security practices at work.

GE Commercial Finance's IT security and risk analyst, Ashley Jones, said he has noticed staff putting far too much information on websites such as Facebook, including where they work and their date of birth - key details he is trying to get staff to be more protective of. By teaching employees to look after their details on social networking sites such as Facebook, GE Commercial is hoping to extend good security practice across the organisation.

Social networking sites have been cited by security companies as a major risk to organisations' information security, due to staff putting too many personal details on publicly accessible websites, which can be used by criminals to perpetrate identity fraud.

Facebook specifically has also been blamed for negatively impacting worker productivity. Security company Sophos recently conducted a survey of 500 staff which found 10 per cent of the respondents visited Facebook more than 10 times per day, while 14.7 per cent were logged onto their accounts all day.

While this may be true, GE Commercial Finance's Jones said Facebook can help staff overcome difficulties around understanding complex security concepts and also prove more effective for communicating with workers than traditional methods.

He said: "If I sent out a mass mail to staff members which said 'don't write your passwords down because, if someone gets it, they can get into our system and steal millions of dollars', they might say: 'whatever'. But if I say 'don't put your personal information onto Facebook because someone can steal your identity and can steal money from your bank account', they are likely to take notice because the threat is personal, rather than to the organisation as such."

A good measurement of the success of a company's security policies and practices is when information security is integral to the organisation's culture - for example, when staff dispose of paper by shredding it or putting into a secure storage unit, said Jones.

In addition to using Facebook as an education tool, Jones has developed multiple means to communicate security messages to staff, including distributing desktop wallpapers covering a range of security issues, such as how to protect passwords and electronic keys.

Jones said his team has also begun to tailor its approach to security education for different units within the business.

He added: "We've also tried to join team meetings, which enables me to do more business-focused presentations. So, if we go down to the customer contact centre, I could emphasise social engineering, because they are more likely to get people on the phone trying to extract information."

Liam Tung writes for ZDNet Australia