Why your company needs a social media policy
Widespread use of social networking means management is vital, says Mike Hrabik
By Mike Hrabik | Framingham | Tuesday, 6 July, 2010 | 3 Comments
Any company with a computer in the office needs to adopt a social media policy. It is just common sense, and, frankly, a smart edict to deploy and follow.
The main purpose of implementing a social networking policy is to identify proper usage and behaviour for social networking applications. Remember, the overall goal is to protect the rights and privacy of all employees and the integrity and reputation of the company.
The CIO should be responsible for ensuring the effective implementation of enterprise-wide information technology policies, standards, and procedures within each department. They should be posted in a place where they are easily visible, like an intranet site, and reiterated on at least an annual basis through awareness training.
Before any company delves into social media, it is important to be familiar with what it should look like and what elements the plan should include to be most effective. Communication is dynamically changing, so it is important to establish new or further enhance existing policies to accommodate these changes — and to revise when new forms of social media are being adopted — preferably earlier rather than later.
Because social media is uncharted territory for some companies, there are staff who don't have an instinctive sense of the right and wrong ways to use it. Social networking users can easily introduce and spread malware to others and most of the time they don't realise they are doing it. A social media policy educates employees about your expectations for their behaviour. It also gives an indication of your company culture and work environment.
Here are a few guidelines to being good stewards:
What's the business value? — It is important to consider whether utilising these tools will add any real value to your organisation. At the same time, the phrase "If you can't beat 'em, join 'em" comes into play here. If there aren't any social media activities/technologies sponsored at the corporate level, your staff will likely put something out there anyway and without your control. When this happens, the repercussions could rapidly spin out of control.
Social media sites are exploding with new features and functions, with new sites popping up all over the internet. You need to continuously identify and evaluate social media sites to determine business relevance and the unique risks associated with sites used by employees (on the personal or business level).
A company contemplating starting a blog or utilising social network sites should:
• Produce policies, standards, and procedures.
• Train employees regarding business strategy for use of such sites.
• Update and refresh materials as necessary to be sure the messages are always accurate.
• Measure success and quality distribution channels.
• Continue to review risk associated with the evolution of media.
The policy should define what "public" information is (for example press releases, social media sites, marketing materials) and firmly state that only information labelled or considered "Public" can be used on social media sites.
Evaluate the security and risk: The most effective way to illustrate security risk is to educate by example. For example, it sounds great if you have a sales person who uses LinkedIn to create a network of business connections. But consider the fact that anyone can easily view any given user's connections and see current and past clients and co-workers.
Here is another example. Technical people may use support blogs and forums to post questions about challenges and problems. Again, while this certainly has value to the individual, these posts often provide huge insight into an organisation's IT infrastructure. I think we can all agree hackers would love to get their hands on this type of information.
Security-related items to consider include:
• Updated information use guidelines and policies.
• Dictate what content can/should be published.
• Comply with company confidentiality guidelines.
• Keep in-line with company image and vision.
• Respect all copyrights and trademarks.
• Train employees on publishing materials and document the results of this training.
Don't forget to assess and review: How do you know if these sites are effective? How do you know what information is being put out "there" if you do not check for it? How do you know what risk is associated with evolving sites? What new sites are out there and being used? This is a key part to understanding effectiveness and examples of policy breach to utilise for training purposes.
This final step should include:
• Identify authorised persons or agencies to access social media web sites.
• Monitor for information leakage.
• Automating tools are your friend.
• Evaluate the risk of existing sites on an ongoing basis.
Even if a company has clear social media policies in place (with specifications about what can and can't be posted) there is no guarantee everyone will represent the company exactly as intended.
It is not enough that employees read the policy. They should sign off on the fact they have read it or even be given an oral or written test. Without written sign-off, it is far too easy for an employee to claim "I never got the policy" or "Nobody ever told me I couldn't do that". Should the matter go to court (as in a dispute over whether you did have the right to terminate an employee for tweeting about a client's pre-launch strategies) you'll want the paper trail or e-trail.
The security and compliance risks
Social media sites are also havens for the hacker community — often times, they are based overseas where countries have little or no jurisdiction. This is why emphasis is important. Sites, which are utilising Web 2.0, are particularly vulnerable to: Web application security threats; data aggregation threats; re-targeted threats and threats to reputation.
Employees must be aware of what they can and cannot post and/or discuss on public blogs, forums, collaboration, help and technical forms, and so on, and such posts should be monitored. You would be surprised to know what sensitive information is available to the public, such as dump files, log data, network diagrams, configuration files, and yes, even user names and passwords.
Hackers live for social media. With the ability to post photos, video and audio recordings to sites, employees can inadvertently leak confidential company information. Data leakage is not always easy to stop. Leakage, if not instantly mitigated, can be a floodgate. How data leakage is prevented or controlled depends on strategic and operational requirements. It may require behaviour changes and often results in redesigning reporting and other business processes. Organisations that fail to stop data leakage are only kidding themselves about the safety of sensitive data. Data leakage from approved or accepted business practices is a significant security vulnerability.
Security and compliance is not just about blocking web sites, it requires understanding the business and customising a security solution, which ensures regulatory compliance.
It is always smart to have an outside service provider perform an initial assessment of your regulatory requirements. Also, assess the extent to which an organisation's users utilise social networking services and the sort of data leaving the organisation. This will give you an understanding of the risks and the effectiveness of existing controls.
The up side
With all of that said, how can social media advocates convince CEOs and other executives that social media is worth pursuing?
Many executives do not consider social networking to be an investment that delivers sufficient value to warrant pursuit.
Companies must have a champion to articulate the value proposition in real terms.
The first step is convincing executives that social media is valuable to the organisation. Sit down with the executives, one-on-one and walk them through a social media session. You cannot be sure what their views are, so try to show them it is possible to utilise social media in a secure and user-friendly manner.
Leave them with an understanding of what useful business information you can get from the social network sites. Show them the useful marketing and competitive intelligence information you can access about your business. Executives view social media in a "quantifiable business" sense. It is all about generating revenue! Put dollars to it — show the amount of money you would have to pay market researchers to provide the information that is freely and publicly offered on a social networking site.
Let them know how their competitors are using various social media channels and generating revenue. Try to get support from stakeholder departments, such as information security, auditors and marketing staff. If you have their support, it will make selling social media easier.
It always helps to go in with support from a key ally — investor relations, information security, products and so on. If you have the support of other key players it makes selling it to the top easier.
Bottom line, executive decisions are driven by fiscal requirements. Have a plan, which includes current benchmarks, expected improvements and a timeline for measurement. Include traffic, customer lifetime value, response rates, and sales in your metrics. This provides a method for monitoring the effect of your social media efforts and reduces resistance. Make sure the timeline is long enough to see the benefits.
Hrabik is CTO at Solutionary, a managed security services provider
Comments
Creating an Ironclad Social Media Policy
Check out Creating an Ironclad Social Media Policy. Free download at docstoc.com http://www.docstoc.com/docs/45894330/Creating-an-Ironclad-Social-Media-Policy
Posted by Jesse Torres at 11:14:39 on July 15, 2010
Social Media Policy
WebSafety NZ agree with Mike. An acceptable use policy is important for any business. It not only sets the boundaries for staff, but also makes them accountable.
Unless implementing expensive systems, plugging holes where data can leak can be expensive. WebSafety NZ recommend businesses implement internet management software. The software not only has the ability to block sites the business decides, but also records and reports on every aspect of the computer use, including screenshots.
Staff know they are being monitored, as it is in the policy. In an event where data has been leaked, the culprit can quickly be identified by reviewing the logs.
Posted by WebSafety NZ at 15:12:27 on July 13, 2010
Social Media Policy
Every business would benefit from having a social media policy in place, but it should not be an all or nothing approach. Instead of having a policy in place that blocks social media completely or doesn't block social media at all and expects employees to follow policy rules, why not block some pieces of social media and keep some parts of social media accessible? Social media is growing in the business world and companies would be missing out on its benefits if it is blocked entirely. Palo Alto Networks might have found a solution to this problem, they have a new software that has the ability to do things such as a read-only Facebook. I think companies could really benefit from something like this, what do you think? Here's a link to new whitepapers they have created: http://bit.ly/d2NZRp http://bit.ly/bsrh9CFacebook
Posted by kellybriefworld at 2:54:56 on July 7, 2010