The Social Media Security Conundrum

social medium security conundrumShould you use social media at work because it’s the way work gets done today?  Or should you ban it because the risk is too great that an employee may disclose confidential information through it?

I love social media and social networking.  I use it all the time.  I use Twitter as my up-to-date news source and have great conversations with people.  I use LinkedIn extensively to share blog posts, read articles, get a pulse on what’s happening in the industries I follow and find business opportunities.  I use Facebook to keep up with my kids, friends, colleagues and numerous companies.  I learn about products, services and how to do things on YouTube.  And of course I read blogs for all kinds of great information.  Many businesses use social media to interact with their customers and get work done.  In fact, even the Pentagon has recently embraced social media as an important communication medium.

All of these tools are great for research and exchanging information with people.  But how do you decide what to share and what to withhold?  One of the great things about social media is how easy it is to share information.  There are Twitter and Facebook buttons all over the web that make it easy to post information with the click of a mouse or swipe of your finger.  That also means it’s easy to share confidential information accidentally or maliciously.  A data breach is as easy as a click away.

Businesses have taken different approaches to using social media in the workplace.  Some allow people to go to Twitter, but not Facebook.  Some block YouTube.  Some allow open access to anything and some have banned access altogether.  Most businesses haven’t done a great job of defining what is acceptable or not acceptable for their employees to disclose on social media sites.  There is a perception in some companies that these places are a waste of time, they are only for kids and that no work gets done there.  Other companies express genuine concern about confidential information being posted to one of these sites, so they choose to ban access completely.

Sticking your head in the sand or ignoring these issues will not resolve them.  Just as organizations had to develop acceptable use policies for the telephone, fax machine and email, they need to create them for social media.  If you ban access to websites at work, people will find a way around that.  It’s just as easy to access Facebook from a mobile phone as it is from my laptop.

Every organization should develop social media policies and train their employees on them.  They should be an extension of the policies on corporate ethics and general business conduct.  In my last company, each employee had to watch a video describing scenarios on corporate ethics and how best to handle potentially compromising situations.  Much of this is common sense, but should be spelled out so people understand what is expected of them and there are no ambiguities.

Social media policies should address the same things you think about with email or a telephone conversation.  Just as I wouldn’t email a picture of my company’s latest product design to my competitor, I shouldn’t post a picture of it to Facebook or Flickr.  An organization needs to trust it’s employees to show proper judgment when using any communication tool.

Cisco is one company that has done a great job of this.  They created the Cisco Social Media Policy, Guidelines and FAQs and posted it to their blog and to Slideshare.  They look at social media “as a collaborative tool to help better serve our customers, our partners, our investors and our employees…and to LISTEN to them as well.”  They also ask for feedback to help them improve their policies.

Here is one item from the policy:

Q: How do I determine what information is proprietary or confidential, and whether or not it is OK to post externally?

A: Security policies and practices of external social networking tools may differ from Cisco policy and requirements. Always assume the information you post to these sites is not secure and that it can be compromised or used against you and Cisco.

Please refer to the Proprietary Information and Inventions Agreement and the Data Classification Policy for guidance on identifying confidential or sensitive content. Do not post data classified as Cisco Confidential or higher on any third party or public site. Doing so may cause Cisco to lose its trade secrets.

Some information, such as acquisitions, product announcements, or Cisco financials, becomes public information once it is announced by Cisco. However, do not post such information to external sites until it is formally announced or shared with the public by Cisco. Disclosure of any information which is deemed to be material non-public information prematurely or selectively may violate securities law and may subject both you and Cisco to liability.

If you have questions about posting specific data, consult with the data owner or your manager.

 

While social media has its risks for a data breach, so do many communication avenues, including having a conversation in a coffee shop.  Creating social media policies and training your employees on them is the first way to ensure they protect themselves, your business and its information.

 

Photo credit Intersection Consulting

Leave a Reply