Social Media in the Marketplace

06/10/2011 | Katherine Teitler

By now most companies know that blocking social media is a) impossible and b) may hinder beneficial marketing efforts for the company, among other reasons. Marketing, public relations, and HR departments at many organizations leverage LinkedIn, Twitter, Facebook, and other services to gain customers and market share, extend their brand, and conduct informal background checks on employee candidates. Yet uttering the term “social media” still strikes fear in the hearts of security professionals.

Social media has long been a topic of angst among IANS clients and they’ve been debating how to allow (or not allow) access to social media sites from company networks.

Because of this, we’ve decided to highlight a discussion between IANS Faculty Aaron Turner and a current IANS client. The main question:

How far-reaching should a social media policy be, and what types of enforcement actions can one take?

As a rule, most companies are in a reactive state right now. As stated above, there is increasing pressure to open up access to social media from the workplace, and today only those organizations that have a strong legal mandate to do so are taking a hard line on blocking.

Here are a few suggestions on creating a social media policy:

First, write a policy that requires all employees of your company to “friend” or link to the main company page on the designated social media site. This “friending” action provides much better insight into what employees are posting because your administrators can now more easily track everyone connected to your page or group. Regardless of what policy you want to promote, that first tier is extremely important since it makes enforcement easier.

The next step is to create an example of an appropriate post on the social network and place it in the policy. Turner says that, to date, he is not aware of any precedent enforcement of a social media policy, but if you’ve clearly stated what is acceptable and what is not, it will be easier for your organization to take action should the employee’s post be egregious enough to warrant it.

So what are your best real bets in terms of enforcement? Promote education on appropriate use of these services and awareness that employees are representing the company.

In terms of specific actions you can take from a technology standpoint, Turner suggests leveraging DLP tools and making it policy to regularly inspect outbound network traffic with them. From there, take a look at who the most active social media posters at your company are and use that data to build out a use case. When presenting a use case to senior executives or lines of business, it is always recommended to show statistics (“we have 185 active users who post on average 2.5 times per day. The most frequent postings on Facebook happen at around 2 pm on Tuesday”) as opposed to presenting hypothetical FUD (“If someone hacks your personal LinkedIn account and writes something negative about the company, Mr. CEO, you could be personally liable!”), as you will gain more advocates with hard data than with theories.
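As an added illustration (not from the IANS discussion), here is how the usage statistics Turner describes could be derived from your own outbound proxy or DLP logs: count active posters, average posts per user per day, and the peak weekday/hour per site. The log lines, user names and the set of social media domains are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample egress log lines: timestamp, user, method, URL.
SAMPLE_LOG = """\
2011-06-07T14:02:11 alice POST https://www.facebook.com/ajax/updatestatus.php
2011-06-07T14:05:40 bob POST https://www.facebook.com/ajax/updatestatus.php
2011-06-07T09:15:02 carol POST https://twitter.com/i/tweet/create
2011-06-07T14:20:33 alice GET https://www.facebook.com/home.php
2011-06-08T14:01:09 alice POST https://www.facebook.com/ajax/updatestatus.php
2011-06-08T11:45:00 dave POST https://www.linkedin.com/share
2011-06-08T16:30:12 bob POST https://www.facebook.com/ajax/updatestatus.php
2011-06-09T14:10:55 alice POST https://twitter.com/i/tweet/create
"""

# Assumed list of sites the policy covers; extend to match your own policy.
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com"}

def social_posts(log_text):
    """Yield (timestamp, user, domain) for outbound POSTs to covered sites."""
    for line in log_text.splitlines():
        ts, user, method, url = line.split()
        if method != "POST":          # only submissions count as "posting"
            continue
        host = urlsplit(url).hostname or ""
        domain = ".".join(host.split(".")[-2:])   # crude: keep last two labels
        if domain in SOCIAL_DOMAINS:
            yield datetime.fromisoformat(ts), user, domain

def usage_stats(log_text):
    """Aggregate the figures you would put in front of executives."""
    posts = list(social_posts(log_text))
    per_user = Counter(user for _, user, _ in posts)
    days = {ts.date() for ts, _, _ in posts}
    per_domain_slot = defaultdict(Counter)
    for ts, _, domain in posts:
        per_domain_slot[domain][(ts.strftime("%A"), ts.hour)] += 1
    return {
        "active_users": len(per_user),
        "avg_posts_per_user_per_day": round(len(posts) / (len(per_user) * len(days)), 2),
        "top_posters": per_user.most_common(3),
        "peak_slot": {d: c.most_common(1)[0][0] for d, c in per_domain_slot.items()},
    }

if __name__ == "__main__":
    print(usage_stats(SAMPLE_LOG))
```

The `top_posters` list is the starting point for the heat map of most active posters discussed in phase 2 below.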

For phase 2, Turner recommends conducting a Facebook query to identify anyone who has associated themselves with your company as a current or past employee and creating a heat map of the most active posters; these posters potentially represent the highest risk to your organization. Once you have a baseline of who’s doing what, where, and when, you can start making decisions on what will be most effective for your organization. Know your boundaries, formulate a policy, and have the usage statistics of what is actually happening just in case you do need to take action.