Changing technologies, communication norms and business needs demand that firms regularly update guidelines for employees on the use of social media, market insiders say. Despite revisions, such policies should be kept "pragmatic" not only to ensure clarity and compliance, but also because social missteps are never totally preventable.
Steve Durbin, global vice president at the Information Security Forum (ISF), told ZDNet Asia that a social media policy is meant to set the "ground rules" of what is, and what is not, acceptable employee conduct in this "ever-growing, ever-changing space".
In an e-mail, he noted that when crafting a social media policy, there is "no perfect solution, so pragmatism will need to prevail", adding that it "boils down to the individual organization" to determine what the "ideal" policy should look like. Each policy needs to be mapped to the needs of the individual organization and address the business-critical issues that affect the successful day-to-day running of the enterprise, Durbin explained.
Once a policy has been crafted, an enterprise also needs to review, test and monitor it, and "not be afraid to make changes to it [as] an effective policy changes with the needs of the business", he advised.
Maria Ogneva, head of community at Yammer, which develops enterprise social networking applications, pointed out that most initial social media policies were "more simplistic" in that they "treated social media as its own silo" and were explained in terms of what staff can and cannot do.
Today, however, social media cuts across business functions, from sales support to marketing and public relations, so its relationship to all other parts of an organization is "more complex", she said in an e-mail.
Apart from the evolving nature of social media, the need for policy adjustments can also be driven by changes at the company level, such as when a company becomes a publicly-traded company, Ogneva said.
Update policies to stay on track
Furthermore, as society's "notions of privacy and communication norms" are also subject to change, Ogneva advised that corporate social media policies be updated at "regular intervals" while still staying "true" to basic tenets such as non-disclosure of confidential or proprietary information, and no denigration of other parties.
Carter Lusher, research fellow and chief analyst for enterprise applications ecosystem at Ovum, concurred. While social media policies are "not completely new" to the corporate realm, most organizations still have only "very simple" policies which may be "out-of-date", or none at all, he said in an e-mail interview.
According to him, "good" social media policies are updated periodically, or at least annually. The revisions are necessary because new social media forms--including geolocation or question-and-answer services--and new features such as LinkedIn's news feed, are constantly being introduced to the market.
Updates also ensure a company's social media policies remain compliant with new laws and regulations, and help remind staff of corporate guidelines, he added.
However, Lusher noted that revisions do not necessarily translate into more text. "Over time, good social media policies do not necessarily become longer, but become more nuanced."
Keep guidelines practical
The Ovum analyst also pointed out that in the "rapidly evolving" social media environment, organizations ought to move away from a "static" policy or "a hard set of 'you will do this, you will not do that'", which could eventually be forgotten by staff.
Instead, they should develop a program or framework of guidelines based on "common sense"--for instance, forbidding employees from posting sensitive corporate information on personal social media accounts, he said.
ISF's Durbin agreed, noting that the "best policies are pragmatic, simple and well-communicated".
Organizations that believe social media use has strong business benefits are also likely to recognize that "because of the very nature of social media, mistakes will occur", he argued. This allows for more "realistic" planning for such eventualities, said Durbin.
On the other hand, organizations that believe social media can be tightly controlled would likely have "more draconian" policies which are, paradoxically, less effective at preventing mistakes, he noted.
Durbin pointed out that the focus in social media tends to be on technology, with the human aspect "all too often forgotten". Social media can boast speed and global accessibility, but it can create a situation where if "something is posted once, in error, it remains in the sphere for eternity" even after the user deletes it, he said, adding that this becomes "trickier" in the corporate context.
In Singapore, employees of the Health Promotion Board and The Straits Times made the news when they accidentally posted expletives on their respective organization's Twitter account, instead of their personal account.
Like Durbin, Ogneva and Lusher also emphasized that while social media policies are necessary to minimize employee social media blunders, such mistakes are inevitable.
Social media causes "a blurring" between personal and business time, and "employees are people and can make mistakes", said Ovum's Lusher. Noting there is a "huge difference" between accidentally and deliberately flouting the guidelines, he stressed the need for education, training, monitoring and, where necessary, enforcement, to reinforce awareness of policies and best practices among staff.
Ogneva from Yammer said organizations "have to expect [mistakes] to happen as part of doing business on the Internet". However, a company should clearly define consequences for "the most serious infractions".
Cooperation, not coercion
In Ogneva's view, ensuring that staff comply with social media guidelines starts first with "proper education and training", not monitoring.
The training, she added, is not limited to a one-time session, but an ongoing and open dialogue, so employees do not feel "smothered or forgotten about". The key, said Ogneva, is not to enforce policies, but empower employees to do the right thing. To that end, organizations must establish "enough internal governance" such that the staff community is able to "police" itself.
Asked if policy guidelines should extend to an employee's personal social media account, Ogneva said she was "not advocating monitoring people's personal accounts with the same rigor you monitor professional accounts".
Personal accounts do not come under the same scrutiny as corporate accounts, but one needs to be "clear about what action constitutes an infraction", such as disclosing confidential information, or disparaging customers, partners or competitors, she added.
However, Durbin from ISF noted that such a situation is a "legal minefield" and is dependent on various governing laws and regulations. For instance, he questioned whether a company has a responsibility to step in and take action if a staff member posts something less than complimentary about a fellow worker, using a corporate system during work hours.
The same debates and challenges arose when e-mail was first introduced into organizations, he said. Ultimately, it is down to a judgment call on the part of the worker and the employer of what is permissible or not, Durbin reasoned.
"The social media policy should cover these eventualities and provide the framework within which both the employer and employee are able to work."