How to balance the benefits and risks of social media through policy

CIOs, your managers almost certainly want to use social media to promote your organisation. Here's how you can help them realise social media's power without introducing security or privacy risks.

Chances are your company's CEO has been schooled in the potential business benefits of social media. Social media and networking can enhance brand reputation, build connections with external customers, improve collaboration across the enterprise, spur innovation, and -- when companies start hiring again -- function as an effective recruiting tool for all those bright young millennials. Businesses understand that social media has strategic value; that's evidenced by the news this week that McDonald's has hired its first social media chief.

Using social media also carries risk, however. As enterprises increasingly embrace social media tools for personal and work purposes, CIOs must act quickly to school themselves in the potential identity, security and privacy threats associated with them, in order to advise the business effectively about how to mitigate social media's risks.

The challenge, according to the consultancy Burton Group Inc., is to take advantage of the benefits of social media within a policy and governance framework that includes steps to manage the risks. And, as Burton Group notes, the risks are legion:

  • Malware, phishing and spoofing
  • Impersonation and blackmail from malicious outsiders
  • Denial of service, security failures
  • Jurisdictional issues over privacy and compliance from social media platform operators

Companies that do not provide social media training for employees are at risk for damage to their reputation, regulatory liability and disclosure of sensitive information.

In a report published March 24, "Social Media: Identity, Privacy and Security Considerations," Burton Group analysts Bob Blakely, Ian Glazer, Mike Gotta, Lori Rowland and Alice Wang lay out the implied risks of common social media activities in and outside the enterprise. Here is a sampling of the risks, as well as some advice on crafting a social media policy. Check in with us next week for a look at technology and compliance remediation of social media vulnerabilities.


  2. Multiple personality disorder: Profile proliferation happens outside the enterprise, as people joining Facebook, LinkedIn or Twitter are required to create profiles that conform to the particular provider's format. Multiple employee profiles also are becoming more common within the enterprise, as employees have one profile for the company's Facebook-like site, and may create other identity profiles for various work communities they belong to, e.g., a women's support group, a professional best practices forum or a community outreach organization supported by HR.

    The risk: If these multiple profiles are not synchronized, the lack of integration can lead to concerns about accuracy, the Burton Group report states. When employees manually maintain their multiple profiles, often they favor one over another, or may abandon others or choose not to participate because of the manual overhead required. The inaccuracy of any one of those profiles likely is not known by co-workers. The risk is compounded when social profiles from consumer providers are aggregated with enterprise profiles, a practice that is becoming more prevalent as products such as Lotus Notes and Microsoft Office offer integration with LinkedIn and other sites.

  3. Too much information: Facebook, LinkedIn, Twitter and other networking tools now incorporate activity streams that update a person's status and activities. These updates are sometimes entered by the person himself, but they also are generated by applications, based on permissions granted. The updates can be cross-posted to other sites, Burton Group notes, and can be captured in real time by search engines like Google. Enterprise sites also have activity feeds that update profiles, for example, when an employee joins a group or comments on a work project.

    The risk: Automating profile updates can be a good thing (see above), but Burton Group stresses that without proper controls, the automatic posting of certain types of actions (winning or losing an important account, or joining a diversity group of gay or lesbian employees, for example) can result in "over-sharing of information" and create security and privacy issues.

  4. Twitter, Twitter everywhere: 2009 was the year Twitter became a corporate tool, in more ways than one. Engaging with customers (or reporters) in 140 characters or less can generate dividends for companies, but they must be careful.

    So many risks: The validity of Twitter accounts, for starters, Burton Group says. Are the account and the person authorized representatives of the company? Enterprises must be careful of following a Twitter account that could offend a customer (politics, religion). Enterprises should also monitor who follows their Twitter accounts (spammers, representatives of sketchy sites). Some industries require the capture of Twitter messages for compliance reasons. Employees who use Twitter may inadvertently disclose sensitive intellectual property or sully the brand if their messages are associated with the company.

Two sample social media policies

Because of such risks, some companies are tightening their grip on how employees use social media channels at work. Thirty-eight percent of CIOs have implemented stricter employee social networking policies for personal and business use, more than twice the number (17%) who say they have relaxed the rules, according to a study published April 13 by IT staffing firm Robert Half Technology. The Robert Half data was based on telephone interviews, conducted by an independent research firm, of 1,400 CIOs from U.S. companies with 100 or more employees. That still leaves the 55% of CIOs who said they made no policy changes.

Crafting an effective social media policy is not easy. "If you try to codify every single one of the social media services, you are always going to be behind the curve," said Burton Group analyst Ian Glazer, who covers data privacy and is one of the authors of the consultancy's social media risks report.

A social media policy detailed enough to cover specific sites is unrealistic, not only because it is difficult for companies to keep up with who is using which services for which purposes, but also because policy-setting takes time. "To get policy of this kind moved and authorized and in place takes too long to try to do it by ones and twos," Glazer said. (The exception is a site or tool that the enterprise decides to ban.)

But Glazer is finding that companies are becoming more adept at writing a nuanced social media policy for the enterprise.

Australia's Department of Finance and Deregulation has recently published its guidelines for staff use of social media. IBM's newly updated social computing guidelines now encompass the "many new forms of social media" that have emerged since the Armonk, N.Y.-based IT provider offered guidelines for blogging in 2005.

Jill Hurst-Wahl, professor of practice at Syracuse University's School of Information Studies, and owner of Hurst Associates, a digitization services consulting firm, said that organizations need a formal policy for how to use social media. "But it might not be a policy of what not to do, but what to do," she said. "Companies should strive for policies that people can live with."

"I think if you ban stuff, all you're doing is telling employees, 'Gee, you can't do that from your work computer, but we all have smartphones, so why don't we all just go in the bathroom and do it from there,'" Hurst-Wahl said. If organizations have to ban certain sites or activities, it behooves them to communicate why, so that employees understand the negative consequences and apply that knowledge to other situations.

Indeed, Glazer, Hurst-Wahl and others advise that social media policies focus on appropriate behavior and appropriate content, rather than on specific social media sites. Employees at most companies understand that the disclosure of certain kinds of information can be grounds for dismissal. "Amending these rules so it is clear that they also apply to social media is a good way to go," Glazer said.