"The first step organizations need to take is a reality check," Ritter said. "They need to take ownership of what's going on in social networking. Just blocking sites doesn't work. Employees always find a way around it. And letting everything through is too risky."
Ritter and other industry experts say social networking sites present a far greater oversight problem than IM or email (even webmail) because so many applications are associated with them, including instant messaging tools and gaming applets such as Farmville or Mafia Wars on Facebook. Simply blocking sites such as Twitter or Facebook with a URL filter isn't difficult.
"The problem you have is all the tunneling applications that can get around those controls," said Chris King, director of product marketing for Palo Alto Networks. "Google [the term] 'circumventing URL filtering,' and you'll see what I mean. Some blog sites like Lifehacker.com, and even the Wall Street Journal, publish things like top 10 ways to get around your security controls."
For example, King said, an employee could install a proxy on a home computer behind a cable modem; from the office, the employee then connects to that home IP address, and the home proxy fetches whatever the corporate filter would have blocked.
"There's everything from Proxy.org, an application called UltraSurf, which is the darling of high school students, to something called Core, which is the darling of spies," King said. There is a whole bunch of applications that make getting around traditional controls easy.
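The home-proxy and tunneling-client scenario above is what a URL filter cannot see, but it does leave traces in outbound connection logs. The following is an added example, not code from the article or from Palo Alto Networks, that runs three heuristics over constructed proxy-log lines (a simplified, made-up one-line-per-request format: timestamp, internal source, method, destination host:port, bytes, duration in seconds): a CONNECT to a raw IP address (nothing for a category-based filter to classify), a CONNECT to a port other than 443 (a personal proxy on 8080 or 8443), and a long-lived, high-volume session to one external endpoint (tunnel-shaped traffic). The thresholds and the reason codes are assumptions chosen for the sample data.

```python
"""Heuristics for spotting URL-filter circumvention in outbound proxy logs.

Added example (not from the article). Log format is constructed:
<epoch> <src_ip> <method> <dest_host>:<dest_port> <bytes> <duration_seconds>
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines. 10.1.2.77 is the "home proxy" case from the
# article: repeated CONNECTs to a raw IP on 8080 that stay up for an hour.
SAMPLE_LOG = """\
1264000000 10.1.2.15 GET www.example.com:80 5120 0.2
1264000005 10.1.2.15 CONNECT mail.example.net:443 40960 12.0
1264000010 10.1.2.77 CONNECT 203.0.113.9:8080 51200 1800.0
1264000015 10.1.2.77 CONNECT 203.0.113.9:8080 73400320 3600.0
1264000020 10.1.2.33 CONNECT 198.51.100.4:443 2048 4.0
1264000025 10.1.2.33 GET www.example.com:80 1024 0.1
1264000030 10.1.2.50 CONNECT home.example.org:8443 4096 30.0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^:\s]+):(?P<port>\d+) "
    r"(?P<bytes>\d+) (?P<dur>[\d.]+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        rec["dur"] = float(rec["dur"])
        records.append(rec)
    return records


def is_ip_literal(host):
    """True when the destination is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_tunnel_candidates(records, min_session_seconds=3600, min_bytes=50 * 1024 * 1024):
    """Return sorted (src, host, port, reason) tuples for suspicious outbound traffic.

    Reasons (assumed labels):
      connect-raw-ip           CONNECT to an IP literal, so the URL filter has no hostname to categorise
      connect-nonstandard-port CONNECT somewhere other than 443, typical of a personal proxy
      long-lived-tunnel        one src->dest pair held open for >= min_session_seconds
                               and moved >= min_bytes in total
    """
    findings = set()
    per_pair = defaultdict(lambda: {"bytes": 0, "dur": 0.0})

    for r in records:
        key = (r["src"], r["host"], r["port"])
        if r["method"] == "CONNECT":
            if is_ip_literal(r["host"]):
                findings.add(key + ("connect-raw-ip",))
            elif r["port"] != 443:
                findings.add(key + ("connect-nonstandard-port",))
        per_pair[key]["bytes"] += r["bytes"]
        per_pair[key]["dur"] += r["dur"]

    for key, agg in per_pair.items():
        if agg["dur"] >= min_session_seconds and agg["bytes"] >= min_bytes:
            findings.add(key + ("long-lived-tunnel",))

    return sorted(findings)


if __name__ == "__main__":
    for src, host, port, reason in find_tunnel_candidates(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}:{port}  {reason}")
```

These are triage heuristics, not application identification: a tunneling client that speaks TLS on port 443 to a real hostname with a plausible certificate passes all three checks, which is the point King is making about URL and port based controls. Treat the output as a list of hosts to look at, and expect legitimate CONNECTs to raw IPs from things like software updaters.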
Regulators cast a watchful eye
Over the past 10 years, the U.S. Securities and Exchange Commission (SEC) and other regulatory bodies have focused more attention on strict enforcement of communications rules. For example, the SEC's Rule 17a-4 requires the monitoring and capture of electronic communications, and National Association of Securities Dealers (NASD) Rules 2210 and 3010 also require firms to monitor and store communications with clients. Neither body has yet felt compelled to specify requirements for social networking traffic, but it is implicit that such traffic falls under the same rules as email and IM, Ritter said.
The 2006 amendments to the Federal Rules of Civil Procedure (FRCP) established that companies must have protocols for preserving and producing electronically stored information ahead of civil litigation. Electronic discovery of email for civil cases can run into the millions of dollars, and violations of federal regulatory statutes carry penalties that aren't cheap either: in 2002, the SEC fined five firms a total of $8.25 million for violating Rule 17a-4 and NASD Rule 3110 by not properly monitoring and capturing email traffic.
In a more recent example, several hedge-fund executives and managers at the Galleon Group were charged with insider trading. The evidence that cracked the case open? A single text message.
Most recently, the Financial Industry Regulatory Authority (FINRA), the self-regulatory organization for broker-dealers that operates under SEC oversight, issued Regulatory Notice 10-06, a document in question-and-answer format that provides guidance on firms' responsibilities to supervise the use of social networking sites. The guidance was issued to ensure that recommendations made to clients on social networks are suitable and that customers are not misled.
"The FINRA guidance has sent the financial community scrambling to figure out what to do," Ritter said. "Let's say a broker becomes a fan of a company on Facebook. Is that an endorsement? In essence it is."