You Want Growth? Empower Your Employees with Social Media.

Comment

Comment by Patrick Sullivan on April 30, 2009 at 12:14pm

As it happens, the topic of security risks around employee and business use of social networking sites, particularly Facebook, came up in other discussions today. I've posted a couple of articles from ComputerWorld in a discussion section for security related issues and social networking in the Smaller Indiana Information Security Exchange group.

Comment by Patrick Sullivan on April 29, 2009 at 1:50pm

From a risk management perspective, I might look just as hard at a company that automatically says "no" as I would at a company that has too little control- they may not actually be assessing the risks of utilizing social media either (or whether the use of such media advances business objectives-- risk management objectives and business objectives should go together)- depends on how regulated the organization is.

I think we're on the same page- good idea but needs to be driven by business strategy and risk management requirements.

Comment by Erik Deckers on April 29, 2009 at 1:00pm

One thing it would be very easy to do is to tell the ambassadors to NEVER EVER blog about work. Don't talk about "exciting new developments, more to come" or "the president of our competitor has been in the office all day." Don't get advice on behalf of a company.

Instead, talk about life in the job, without discussing the specifics. Don't say things online that you wouldn't say in public. Don't talk about things that would get you fired, and if you're not sure, then just don't do it in the first place.

Yes, it does have to be regulated and monitored, but too many companies would rather automatically say "no," without thinking about the future.

Comment by Patrick Sullivan on April 29, 2009 at 12:34pm

Yeah, but... that bothersome security and compliance thing keeps raising its ugly head.

The reasons companies get touchy about things like blogs and other social media is exactly because of the potential risks related to inadvertent or intentional disclosures of confidential information (regulated, proprietary, trade secret or otherwise protected), and other potential legal liabilities that present themselves when employee communications aren't controlled. And, the companies are correct in controlling those communications -it's just basic risk management- and have every right to do so -they own the brand, the information that may be at risk and likely the assets that are used for the communication. It's nice to think that employees are all going to use social media responsibly, but they don't, either because they're not careful, they don't know what might create a problem, or because they are intent on causing harm. Not being diligent is how accidents happen (ask any company that's had state securities enforcement actions resulting from employee blog posts that inadvertently constituted insider trading). And a disgruntled employee with a Twitter account is a disaster waiting to happen...

Companies that don't appropriately control employee communications, or that simply fail to identify and evaluate the risks of not controlling those communications, are arguably failing to implement reasonable information security practices in that area. Failure to implement reasonable security that results in disclosure of regulated information can get you a visit from the Federal Trade Commission or a state consumer protection division (failure to implement reasonable security is regarded as an unfair trade practice, and at least 4 states require implementation of reasonable security practices as part of their security breach notification laws). Dealing with an enforcement action resulting from disclosure of regulated information in unmanaged employee communications can be costly enough for a large organization, and it can kill a small or entrepreneurial business.

Policies, procedures and other controls around employee communications are a standard best practice on anybody's security controls checklist. Blogs, Twitter, Facebook accounts (Smaller Indiana accounts) are no different from employee email in that respect - especially if the account is accessed through company owned assets, or is a company account. When companies open their own accounts, the risks aren't just about what may be posted, but also about the risks that affect the media (Koobface worm for Facebook, anyone? And don't forget the 19 year old who created and released a worm for Twitter because he was bored).

Yeah, use the media, but keep the control. Let the employees be ambassadors, but absolutely regulate and monitor the process.

Comment by Erik Deckers on April 29, 2009 at 11:12am

The reason some of the more established corporations and government agencies don't like their people using Twitter is because they're afraid of losing control. When I was at the state health department, the Office of Public Affairs (my office) had to approve ALL communication that left the agency. Needless to say, this mentality still exists, and it strangles all outgoing communication, including social media.

Corporations need to relax just a little, and at least find a few people they would trust to use things like Twitter and Facebook. Don't make it a regulated process, but rather, let them be company ambassadors.