Infosec 2011: Policy is only way to deal with social media, say security professionals

The best and only way organisations can deal with the use of social media is through robust policies and user aware campaigns, according to a panel debating the topic at Information Security Europe 2011 in London.

Despite the considerable risk that the move to Web 2.0 has meant by making everyone a publisher to two billion people online, organisations are inevitably moving to using it to promote their brands and communicate with customers.

Although some companies are still trying to block access to social media, for most the benefits are too great, such as recruitment companies which find it the most effective way to reach young people.

"Our company moved to using Facebook as way of communicating with candidates without any consultation with the IT department," says Steve Whittle, chief technology officer, Cobra Group of Companies.

"We use social media as a tool for communication and it has boosted our recruitment figures by 40% since we started using it, but the only way we can control it is through policies," he says.

For the armed forces, social media is an important morale booster, says Adrian Price, head of information security at the Ministry of Defence. However, he says this use is policy-driven and is backed up by ensuring all members of the forces are aware of the consequences of breaching those policies.

Although there are technical controls that can be applied to social media, these apply only to company networks, so in the face of social media access via smartphones and other portable devices, robust policy backed up by awareness and education is really the only option, says Graham Taylor, head of IT security for UK and Asia for Michael Page International.

The other big challenge is that not only is it impossible to put controls around access via privately-owned devices, it is also nearly impossible to monitor what people are doing across the plethora of social media sites, particularly where IT staff and resources are limited.

"Social media is here to stay and can be used for good things if used properly, but this relies purely on policies on usage being as tight as possible and coupled with an effective awareness campaign," says Price.

Ensuring a policy is watertight before it is implemented is essential, says Whittle, whose company consulted legal and social media experts in formulating its policy.

The most common approach to policies across the panel is to require users to do nothing that can bring the organisation into disrepute.

"This principles-based approach keeps the policy simple," says David Cripps, chief information security officer at Investec bank.

Michael Page International supplements this approach by warning all employees not to claim to be spokespeople for the organisation unless they are specifically authorised to do so.

The organisation also regularly checks employee awareness and understanding of the company's policy on social media. "A robust policy is no good at preventing mistakes if awareness and understanding is not checked," says Taylor.

Beyond robust policies and awareness campaigns, the panel concluded that education around social media at the board level is of paramount importance. Without board understanding of the issue, they said, the board can't make informed policy decisions.