When handled properly, social media in the workplace can benefit staff and employers. Unfortunately, it also presents a wonderful opportunity for crooks, says Alan Calder.
Social media, by its very nature, is designed to be as inclusive as possible. But when you open your doors to everybody, you are also making information — possibly sensitive information — available to everyone. You are not only inviting your friends inside; you are clearing a path for your enemies.
For many organisations, an instinctive reaction to these aspects of social media is to pull up the drawbridge. But the truth is that a siege mentality is doomed to failure.
You cannot realistically hope to isolate staff from the likes of Facebook, LinkedIn, YouTube and Twitter — or at the very least, you cannot hope to do so without risking damage to employee morale. They do, after all, have private lives.
Avoid extreme measures
The threats that social-media services present to an organisation are not going to fade away. Then again, neither are the opportunities. The key is to maximise the benefits of social media while minimising the risks. So, as is so often the case in business, extremes tend not to be effective.
If you simply ban, block or limit your staff from accessing social networks during work hours, there is a chance that a demoralised workforce will become even less productive than when they were wasting a little invigorating time each day on Facebook.
Certain staff might even choose to devote their attentions to finding ways to beat the ban. They are certainly going to be forthright about their employer when tapping away on Facebook at home in the evening.
Understanding human nature is essential to understanding the risks of social media. With so many people now accustomed to web 2.0 being part of their lives, trying to stop the tide of social networking from entering the workplace may well prove to be an impossible task.
You need to ensure that social media becomes integrated into your company's overall public relations, marketing and positioning strategy. From a positive point of view, after all, you are being presented with a rapid and open line of two-way communication with your partners, stakeholders, customers and potential customers around the world.
How can members of your team harness the opportunities to present themselves and your company's products and services in the best possible light? Rather than fear negative comments in blogs, ask yourself how rapidly your organisation can improve by responding to those criticisms.
How many customers can you meet through LinkedIn? For many companies, social media is already a critical part of the business that, when properly utilised, represents a marketing revolution.
Unsurprisingly, there is no such thing as the universal social-media strategy, appropriate to every organisation. There are many principles that can be adapted to almost any company's needs, however.
As with so many business processes, your company's first strategic social-media discussion must be to identify your objectives. From there, you can work to develop, implement, monitor and improve your organisation's social-media activities within an effective governance structure.
Even allowing for the individual needs of each organisation, we can nonetheless say that almost every social-media strategy should contain the following documents:
1. An overall policy
You need an overall policy that provides guidance for everyone in the organisation on how to interact with social media in most circumstances.
2. Clear descriptions
It's also essential to have clear descriptions of roles and responsibilities, procedures for metrics and monitoring, and policies on communications and training.
3. Acceptable use and guidelines
You need to create an acceptable-use agreement, branding guidelines and corporate style rules to help embed crucial controls and ensure all use of social media by staff fits within the larger corporate marketing and communications strategy.
4. Best-practice guidelines
Finally, you must have operational best-practice guidelines, covering everything from blogging and LinkedIn to Twitter and YouTube.
Armed with these documents, an organisation can seek to exploit social media, rather than fear it.
There is never a time for complacency in information security. The revolutionary wonders of web 2.0 can rapidly be turned into threat 2.0. Any technological advance brings new security risks, as hackers immediately start finding ways to burrow in and exploit vulnerabilities.
So, keep your social-media strategy under constant review, because you can be sure the cybercriminals will constantly be probing your defences.
A flawless social-media security policy means nothing if your staff are not willing and able to implement your plans, because social media enables most people to share potentially sensitive corporate information with third parties.
Unless you have an effective training and communications plan in place, data leakage is almost certain to occur. You need to ensure everybody understands that social media, while beneficial in many ways, can bring risks too. Training, without being dictatorial, is key.
Self-protection begins with knowing your enemy. We have to be realistic and unfortunately I think we can expect to see an increase in the number of social-media attacks in the next year. In particular, the cybercriminals will be looking to exploit inadequate password security and insecure free apps.
The security settings for personal and sensitive data on social-networking sites are not transparent, meaning individuals are not always aware of how much personal information is accessible to third parties, who might be looking at social media to provide key information for identity theft.
Social media is a wonderful opportunity for your organisation to talk to the world and for the world to talk back. On the other hand, social media can also be a wonderful opportunity for cybercriminals to find their way through your organisation's defences, and for critical information to leak out. It's a battlefield. You need to make sure you are on the winning side.
Alan Calder is chief executive of security and compliance organisation IT Governance.