Social Media Policy - The 6 EssentialsSecurity Plays Key Role in Writing Rules for Safe Social Networking
Popular sites such as Facebook, LinkedIn and Twitter have had a phenomenal impact in the workplace - both as a corporate channel for communication and marketing, as well as a vehicle for employees to communicate both professionally and personally.
The latter is a key point. According to a new survey conducted by Trend Micro, a global internet content security company, employees increasingly are using social networks while in the office and on the clock. The survey looked at the habits of 1,600 internet users from the U.S., UK, Germany and Japan and found that over the past two years alone, social web use in the workplace has risen from 19% to 24%.
It is debatable how much the rise in social networking has compromised employee productivity, but it's indisputable that much of this activity is occurring in the absence of formal policies.
"In its simplest terms, there is anarchy in the absence of social media policy and training," says John Pironti, ISACA board member and president of IP Architects, LLC. "Without proper direction and clarity, it is hard to enforce appropriate consequences on someone."
Because of this anarchy, organizations are starting to take action. Fear of compromised productivity, reputational damage, data loss and inappropriate behavior is leading many employers to introduce strict controls on staff access to social media sites. Robert Half Technology, an IT staffing company, recently reported that 54 percent of U.S. companies have banned workers from using social networking sites while on the job. The study found that 19 percent of companies allow social networking use only for business purposes, while 16 percent allow limited personal use.
Organizations such as Navy Federal Credit Union have implemented a social media policy for all employees, addressing appropriate conduct on social networks. "The policy provides clear rules for those authorized to communicate on behalf of Navy Federal and rules for those that are not authorized, but choose to engage in social networks," says Aisha Rasul, project manager, delivery channels at Navy Federal Credit Union.
Such policies are being developed by organizations across industry. In short, a social media policy outlines the corporate guidelines or principles of communicating in the online world. A social media policy involves identifying and training employees who are representing the company and have a public facing presence.
The Must HavesThe foundation for a social media policy is based in understanding how social networking is beneficial or harmful to your organization, says Brett Wahlin, information security officer at McAfee. "There is no right or wrong to it. At McAfee, we believe promoting social media is a good thing."
The company therefore, has implemented a rather hands-off policy without too many encumbrances to employees.
Wahlin, however, thinks that the nature of the business, industry and sensitivity of information are what really dictate these policies.
Among the "must haves" when drafting a social media policy:
- 1) Get User/Business Input -- go to the users to ask them how they want to leverage this medium to promote their business goals. "The policy should be one of personal responsibility," says Pironti. Clear expectations should be specified in terms of employee behavior, time spent and acceptable use of social media with personal and corporate accounts, and these expectations should be aligned with other corporate policies with similar objectives like Internet use. "The business owners need to be the creators of this policy," Pironti says.
- 2) Set a General Code of Ethics -- providing guidance on the positive behavior expected from all employees regardless of channel. For instance, employees should be directed to act ethically and not divulge trade secrets or other valuable intellectual property.
- 3) Establish Clear Rules of Engagement -- that include an evaluation process for authorized communicators to know when they should and should not engage in a public dialog. "We strive to engage with reputable people -- not those linked to dubious sites or obscene content," says Navy Federal's Rasul. These rules spell out employee expectations in terms of tone, language to be used, as well as situations that demand an employee response like correcting misguided information related to interest rates or loans.
- 4) Monitor -- social media activity. "[You need] an ongoing initiative where ownership rests with information security," says Wahlin. How do employees use social media? How much time are they spending? Which sites do they visit? Who are their fans or followers? Answers to these questions are lead indicators for assessing risks and threat factors. "More than often, our roles go just beyond looking for data or anomalies," Wahlin says. "It gets to the level of intelligence gathering"
- 5) Provide Training -- on an ongoing basis. "Embrace but educate," says Pironti. Social media is a powerful tool and comes with its own benefits and challenges. Companies should invest in adequate training programs to remind the users of their responsibilities and outline clearly what is acceptable and appropriate vs. not. Send frequent messages to employees on the misuse of social media. Draw upon case studies to understand the consequence of bad behavior or reputational damage to the company.
- 6) Take Disciplinary Action -- when necessary. Enforcement standards need to be set and implemented against employees that do not follow social media policy effectively. Example: when source codes are made public by employees or pornographic photos are posted.
Role of Security Professionals"Security professionals should act as consultants to the process by playing a key role in policy shaping discussions," says Wahlin. Bring to the attention of business owners the threats and risks associated with such an undertaking, which includes discussing the critical trait of social media - that the information posted is online forever.
Employees must realize that social media is a public and highly social forum where controls go beyond the limits of an individual's network, as friends of friends will typically send invitations and links. Again, business owners should be aware that social media companies are there to make money and will engage in some sort of data mining or selling of information, so "companies need to assume that privacy doesn't exist," says Pironti.
Security professionals should educate the business owners on the threats of using technology and the consequence of not having a policy in place by outlining potential risks associated and making it a risk conversation.
More, security leaders need to be involved on a constant basis with business owners to be proactive with foreseen and real-time social network changes that may pose risks, as well as "provide details and develop a response plan for items that need to be escalated to security," says Rasul. For instance, high risk issues such dubious links, phishing attacks and insider threat should immediately brought to security's attention.
The effectiveness, however, of a social media policy ultimately boils down to organizations asking the question: What is our policy on effective social media use at work?
"Just as the internet changed our lives, the use of social media will officially change businesses at work," Wahlin says. "Being prepared to embrace this change is the only choice left for organizations."
For Further ReadingSee these other recent pieces on social media: