Youtube and Facebook: Workplace Morale and Internet Addiction

Should Management Monitor Employee World Wide Web Surfing?

Should an employer tolerate computer social networking on the job, or prohibit it? An Australian study suggests office workers are generally more productive if they relax every so often online, by reading news, shopping or chatting with friends on Bebo, Hi5, AIM, FriendFeed or Yahoo Messenger.  The study’s author, Dr. Brent Coker, argues that often employer blocking of web sites like Youtube or Amazon is counterproductive.  Employees need a break, he says.

But beware Internet addiction.  Dr. Coker sees signs of addiction in 14 percent of Internet users.  Addiction means the users overdo it.  They browse to excess; they can’t act responsibly.  From the perspective of an employer, 14 percent is a huge number.  How can an employer afford to idle 14 percent of its work force?  Dr. Coker warns that for these 14 percent, casual surfing can become a waste of time and worse .

So what is an employer to do?  Internet access in the workplace is not a black and white issue.  Different work environments – and different employees – need different rules and different degrees of guidance.  For example, while on duty, maybe an air traffic controller should not be watching comical videos.  But such videos are probably okay — and maybe even wise and recommended — when she’s on break.

Responsible Internet monitoring by supervisors and even blocking have a place in the modern job site.   If an employer does monitor access to the Internet, it is wise to inform employees in advance.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.


Facebook In-security

Warning for Business, Corporate and School Computer Networks

Is Facebook safe enough for access by office computers?  For many organizations, the answer is no.  The bad news about the popular social network grows with each passing week.  Facebook has been plagued with the Koobface worm (some call it a virus), which has through Facebook infected (or attempted to infect) work PCs.

Now Facebook faces the scrooge of the Dancing Girl.  The Dancing Girl exploit arrives as an e-mail appearing to be a typical notification from Facebook, saying someone has left you a Facebook message.  The rogue e-mail directs you, the victim, to click to see a video of a sexy dancing girl.  If the victim clicks, he is taken to a fake, Facebook lookalike page, which instructs the victim to download a software upgrade so that the video can be viewed.  But in truth the software to be downloaded is a group of damaging, malicious programs.

If an employer were to prevent (forbid) access to social network sites, then employees would not be tempted to fall for tricks like this.  To say it a different way:  failure to prohibit Facebook and Myspace can promote a lax computing environment in the office.

Local chapters of the Better Business Bureau (such as the Hawaii chapter and the Chicago & Northern Illinois chapter) have issued warnings about the transmission of malware and the propagation of other threats through social networks, especially Facebook.  Among other scams, bogus posts to a victim’s “wall” can link to dangerous external web pages, which might try to install malicious software through the victim’s web browser.

The Maryland General Assembly blocked its network users from access to social networks, especially Facebook.

Update:  Recent research compares the success rates for propagation of malware via e-mail and via social networks.  Hacker are ten times more successful on social networks sites.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

Security Threat: Facebook and MySpace at Work

Koobface Virus Spreads among Office Workers

Employees (workers) visiting social networking sites are infecting workplace computers with viruses (or they are subjecting their computers to attempted infections).  Facebook and MySpace are known as breeding grounds for Koobface (technically classified as a “worm”).  Security is a reason for businesses, libraries and schools to block or limit access to social media web pages.

These are documented examples of Facebook being implicated in Koobface infections (or attempted infections) in the workplace or related to the workplace:

  • Richard Larmer, chief executive of RLM Public Relations in New York, had to replace his computer.
  • “[H]undreds of Boston journalists, ad execs and public relations professionals [such as Scott Farmelant of Mills and Co.] who use the popular social networking service have received a Facebook message that purports to link to compromising video of its recipient.”
  • A journalist at Washington City Paper haplessly clicked on a link purporting to be from a colleague at the paper, only to discover that the link caused an infection.

Koobface thrives in social networks because users think they can trust their friends.  The victim believes a trusted friend has left on her “Wall” a link to a video.  Her guard is down, so she clicks the link and then follows Koobface’s diabolical instructions to download a software update.  The worm infects the victim’s computer with malware that seeks to control the computer and steal personal information.

In addition to Facebook and Myspace, Koobface is reported to have infected other social networks, such as Bebo, Friendster, MyYearbook, and Blackplanet.  Experts predict more virus attacks through social web sites.

Although Koobface is not the first virus to spread through Facebook, it is the one that is reputed to have inflicted the most harm.

Update: Local chapters of the Better Business Bureau (BBB) are issuing warnings about the insecurity of Facebook and MySpace.

One strategy for employers is selective blocking, where only certain suspect sites are blocked, with a screen that reminds employees they are responsible for getting their work done.

–Ben Wright teaches computer security law at the SANS Institute.

Screening Twitter from Work or School

Employees Wasting Time with Micro-blogs?

Twitter is popular, and if it is not blocked or forbidden, it can depress workplace productivity.  Twitter is a free service that broadcasts text messages (also known as updates or tweets) of up to 140 characters in length.  Twitter can be addictive, as readers can enjoy the distraction of reading each little instant message as it comes in.

Twitter supports multiple media for sending and receiving.  Users can exchange tweets by way of web pages, electronic mail or mobile (cell) phones (text, IM or SMS).

Responsible use of Twitter can help employees perform their job. For example stock brokers might use Twitter to keep abreast of the latest financial gossip.

But many employers or teachers may have little tolerance for Twitter within their domains.  Although employees or students may need access to Internet-connected computers, Twitter can be a nuisance.  Administrators therefore might adopt a policy that bans Twitter, and take technical steps to block it.  Technical measures might include the deployment of software that blocks certain URLs (such as,,,, which support Twitter or its widgets).

Further, an administrator might use Internet monitoring software to discover which time-wasting sites users are visiting – the latest access points for Twitter and other worthless chat.

An administrator who monitors computer usage is wise to warn users of that fact.

Update:  Popular services like Twitter inevitably attract the interest of hackers.  Some Twitter users contracted the StalkDaily virus.  For some employees there is no reason for them to be on Twitter at work.  Security is an additional reason to block the access of these employees to Twitter.

–Ben Wright Mr. Wright teaches data security and e-mail records law at the SANS Institute.

Cyberbullying: School, Library or Church Legal Liability

Lawsuit for Harassment?

Cyberbullying could attract a lawsuit for a school or other educational institution. The Internet is the new medium for harassment. Churches, libraries, community centers (places with shared computers) and the like need to supervise electronic communication (text, instant message (IM), Facebook, Myspace, Youtube and other social network site chat) today as they have supervised hallways and playgrounds in the past.

States such as Arkansas, Iowa and Missouri are amending their anti-harassment laws to include cyberbullying.

Institutions like schools are at risk of liability if they are negligent about harassment.  Casey County, Kentucky, schools agreed to pay five students a total of $110,000 to settle a lawsuit for failing to deal with old-fashioned bullying.  A more modern version of that same lawsuit would involve (at least in part) harassment via electronic communication.

Now that computer communication is the norm, Internet monitoring grows more compulsory for teachers and administrators.

–Ben Wright – Instructor on Computer Law at the SANS Institute.

Mr. Wright maintains other blogs on Internet law

Ban Facebook and Myspace from Work?

Social Network Security Risks

Human Resources (HR) Meets Generation Y

Update:  The US Marines are banning social network sites like Facebook, Myspace and Twitter.

Does banning employees from Facebook, Myspace, Bebo and Hi5 stifle the younger generation? Web 2.0 economist Don Tapscott argues that bosses should not block social network sites.  He says that by blocking them managers alienate young workers, denigrate the technology that defines them and prevents them from collaborating productively.  Tapscott (author of the book Grown Up Digital) almost makes the prohibition of social media sound like the violation of a civil right.

Although I agree that interactive media can promote an esprit de corps among employees and empower them to work more efficiently, I question whether pop sites like Facebook and Myspace are the best for doing that.  I suggest managers open a dialogue with employees about the topic.  If employees believe that access to pop sites is consistence with the purpose of their employment, then let them prove it.

For example, access could be enabled on a provisional basis, subject to daily time limitations and review after two or three months.  Managers could invite employees to report their experiences.  Employee advocates might be asked to explain why pop sites are better than other options, such as straight-laced blogs, special-interest social sites like The Internet Protectors (specializing on computer security) or private (password-only) social sites created on platforms like

When it comes to productivity, there’s nothing magical about pop sites that would render them more effective than their many alternatives.  Pop sites place emphasis on games, advertising and entertainment like music and video. Filtering that stuff is much like forbidding an older technology – television – from the office.  Few would suggest that forbidding TV is tantamount to encroaching on a civil right.

What’s more, open social network sites like Myspace are a security risk.  The virus Koobface has been infecting Myspace and Facebook visitors for months.  Malware like Koobface can infect company PCs and the company network.

One strategy for employers is selective blocking, where only certain suspect sites are blocked, with a screen that reminds employees they are responsible for getting their work done.

Update:  Now Koobface is spreading through Twitter.

–Ben Wright, IT security law instructor for the SANS Institute

Parental Limits on Myspace and Facebook

Can Teen Social Networking Time Be Valuable?

Are kids just wasting time when they hangout on social media sites like Facebook?  A study by the MacArthur Foundation says no.   It argues teenagers learn skills that are important to their generation — skills on how to socialize, how to build a web page, how to manage a public persona, how to cope with emotions and even how to handle bullies.

As the parent of teenagers, I say fair enough.   I would also hope my teens learn, through their social networking, how to manage time.  But kids don’t learn in a vacuum.  I know that good parenting includes the setting and enforcement of time rules, such as “socializing shuts down at 10pm.”  In the old days that meant no telephone tête-à-tête after 10.  Today that means no Myspace, Youtube or Hi5 after 10.

The oh-so-common response from my son will be that he needs an Internet-connected laptop in his bedroom because he’s working late on homework.   No doubt his response holds an grain of truth.  But the time-honored risk is that he’ll also use that laptop to chat late into the night, after the rest of the family has gone to bed.

That’s where technical controls can serve the modern duty of parenthood.  Software can be installed on that laptop to block Facebook starting 10:00pm.  Alternatively, the software can monitor the teen’s Internet usage and report to the parent which sites were visited, at which time and for how long.  That enables a parent to know how the laptop was used and to open a loving conversation after the fact about good time management.

What’s more, the mere presence of monitoring and reporting software can foster the desired behavior.  If teen believes Dad has the ability to review activities, then teen adjusts his behavior without Dad having to actually review the reports.

Update:  Research shows that college students on Facebook make lower grades.  Although the research does not conclusively show that Facebook depresses academic performance, this news gives parents of high schoolers an additional reason (at a minimum) to monitor and place time limits on social networking.

Update:  Parents s can now use the free Threat Detector service to discover which risky places chldren have been visiting.

–Ben Wright

Ben is an advisor to CyberPatrol, thought leader in Internet Safety.