Posted February 9, 2011
Image reproduced with permission from Agent-X.
When Cyveillance cyber security experts speak at industry events and client meetings, the conversation almost inevitably turns to social media. Large businesses want to embrace social media websites like Facebook, Foursquare, and Twitter while avoiding the public relations blunders that social media sites easily make possible. Marketing departments see huge opportunities while legal and security departments foresee dangers and headaches on the way. Who is right?
Of course they are both correct. However, in order for both to be satisfied, a middle ground that must be found. The question is how to find the balance between risk and reward. Finding that balance will vary for each organization but one thing is certain: no organization can afford is to do nothing, hoping that common sense will prevent indiscretions by employees.
Here at Cyveillance we have seen far too many cases of employees disclosing confidential information online that should never reach the public. As Batman explains in the cartoon from Australian artist Agent-X above, some employees feel compelled to make unwise disclosures online. Indeed, one can find serious breaches of sensitive information with implications for national security without a lot of work.
So relying on the common sense of employees is not a very safe or wise strategy. At some point an employee will make a comment online that is not desirable from a PR or security standpoint. It happens sooner in larger organizations but inevitably it happens to most out there.
Worse, while such mistakes are never acceptable, some employees can honestly claim that they did not know they were not supposed to talk about work on their Facebook, Twitter, or other social networking sites. Sure, they should have known, but they have that defense because their employer never got around to developing a social media policy and educating their employees about it.
This is not breaking news. Many organizations, whether public or private, know they need a policy but are at a standstill while legal, marketing, IT, and security departments figure out who has what responsibilities. That is, if they’ve even had inter-departmental meetings on the topic to begin with.
The important thing is to have something in front of employees as soon as possible, calling it an “interim social media policy” if necessary. Tweak it as circumstances change, but do not wait idly in the meantime. Given the speed of communication on through social media, no one can afford to wait.
If you’d like assistance developing social media policy for your organization, don’t hesitate to contact us. Cyveillance specializes in helping you minimize the damage that can occur to your organization by inappropriate disclosures of sensitive or confidential information on the Internet.