Investment bank Investec sees social media as part of the insider threat to information security, but has implemented policies and technologies to make it work.
“Staff members are probably one of the biggest threats,” David Cripps, information security officer at Investec, told attendees of the Gartner Security & Risk Management Summit 2012 in London.
But there is no way organisations can hold back the flow of social media, he said, so it is better to put policies and technologies in place to manage it. He believes social media, like telephones and email, will become a standard communication tool in business.
Despite the risk, recent research has shown that only around one-third of companies have social media policies in place. “This issue needs urgent attention by the majority of organisations,” said Cripps.
It is important for organisations to have control measures in place, he said, to ensure that no commercially sensitive information is leaked, that the organisation is compliant with all applicable legislation and regulation, and that it cannot be hit by vicarious liability for the actions of staff members.
The information security challenge, however, is that everyone who uses social media is a potential publisher of information to an audience of more than three billion people, said Cripps.
Using social media responsibly
To meet this challenge, Investec has a social media policy that makes it clear to its staff what their obligations are every time they publish something online.
“It is essential to ensure staff members know the boundaries, that they know what they can and can’t say, which Investec has consolidated into 10 bullet points,” said Cripps.
Organisations that have not yet addressed the issue of social media should start by getting executive-level support for the strategy they intend to follow, he said.
The next element is creating the policies that set out what behaviour is expected online and then raising awareness among staff members about those policies.
“Making it personal by getting people to think about their own families’ use of social media helps highlight and explain the risks,” said Cripps.
A survey of Investec’s 8,000 staff revealed that 1,600 had completely open Facebook accounts, but once this figure was published internally, that number fell to 250 as people changed their privacy settings.
As part of the compulsory information security training, which focuses heavily on social media, staff are given guidelines on how to find and change their social media privacy settings.
Enabling and monitoring social media
The technology for enabling and monitoring social media should be the last step, said Cripps.
For Investec, monitoring means two things: using a granular firewall to limit social media activities based on the user's role in the organisation, and using technology to measure sentiment on the internet, which is done mainly for marketing purposes.
“We are not monitoring individual staff members, but if they say anything about Investec on the internet, we will pick that up,” he said.
Staff members need to know they have an obligation not to bring the organisation into disrepute and that they will face consequences for doing so, said Cripps.
Investec has a single policy, but because the bank operates in 14 jurisdictions, this means adhering to the most prescriptive laws and regulations.
For example, US banking regulations say customer-facing staff may use social media only if all those communications are recorded. “We do not have the technology to do that, therefore our policy dictates that no customer-facing staff may use social media,” said Cripps.
In summary, he said organisations need to understand social media and accept that it is not going away. If they allow it, they need to monitor for any immoral, illegal or offensive content linked to the organisation and be able to stop it immediately if it occurs.
Having a comprehensive policy and maintaining high staff awareness are key to making social media work at work, said Cripps.