Google+ Poses Corporate IT Security And Compliance Issues

August 30, 2011

Written By Kailash Ambwani

For business users in industries where compliance is not only a mantra but a way of life, there are some good reasons not to join the rush to be on Google+ just yet. That’s not to say I don’t believe that it has the potential to rival the likes of Facebook; indeed, it’s obvious from the changes the social networking mammoth has just made in addressing users’ privacy concerns that it recognizes Google+ as a serious contender. However, I do believe there are some serious issues around security and compliance that need to be addressed first.

Google+ differs from other social networks in that, with Circles, the user decides how they are going to categorize their friends and followers, but without the other person knowing which category they have been placed in. At first glance this seems like a good thing – after all, how often have you wanted to separate out what work colleagues and friends see on your Facebook page? However, once you’re the recipient of a deluge of information without context, you may find yourself questioning the value of Circles.

Is someone sharing something with you because they’ve placed you in their “Financial Services People” circle or because you’re in the “Soon to IPO” circle? As humans we rely on our intuition and experience, though we’re not always good at it, which is why hackers and malware writers use social engineering techniques. So creating a situation where users receive messages without context can lead to confusion, leaving the door open to information leakage and malware.

Like other social networking sites, Google+ has no native ability for organizations to moderate, filter or block content and file transfers. Controlling the content that enterprise users share on any type of public network is critical, particularly in heavily regulated industries. FINRA, for example, insists that where a user is identifiable, all content should be controlled and archived, regardless of whether the user was in the workplace when the content was posted.

Identity is another issue. Google+ is busy enforcing its “real name” policy, but as we saw with early celebrity accounts on Twitter, what you see isn’t always what you get. Fake and hacked accounts are everywhere on social networking sites and are frequently used to send malware or occasionally to extort money out of friends. It’s a successful tactic because we place far too much trust in our friends in these networks.

Just like Twitter, except for verified accounts, on Google+ there is no secondary validation that a picture you’ve just added to a circle is truly that person’s photo. As with any public domain, if you’re planning on sharing potentially sensitive information with someone in your circle, it would be wise to verify them through another known communication method first. However, this still doesn’t overcome the problem of compromised accounts.

Google+, along with its competitors on the social scene, doesn’t have the best track record in regard to privacy. It’s learned some hard lessons along the way, including broadcasting Google Buzz users’ Gmail addresses, but the granular control that Google+ provides over what others can see should help address that issue. It does not, however, guarantee that information will always remain private. Whether a user accidentally forgets to change a setting or a bug within the site suddenly reveals data it shouldn’t, organizations should always be cautious about what their users are sharing over what is essentially a public forum.

Despite the fact that Google+ is busy deleting business profiles, it hasn’t stopped organizations from flocking to the site to set up their own presence, even if the organization is using an employee to represent it. It is worth noting that while the first 10 days delivered 10 million users for Google, they’re now sitting at 25 million users, and adoption rates have dropped by 30%. By contrast Facebook has over 750 million active users.

My best practice advice for organizations considering allowing user access to upcoming social networks has always been to monitor the situation and apply granular controls and policies depending on the risk profile of the individual. Without a doubt Google+ is going to have a significant impact on social media, but it is still in Beta and hasn’t even made its APIs available yet, a key requisite to ensure that additional controls for compliance purposes can be applied. With other social networking sites maintaining a far more significant user base, it may be prudent to wait just a short while before jumping into the latest social fray.

Kailash Ambwani is CEO of Actiance, a security software company.
