Social Media Safety: Acceptable-Use Policies Critical

Do executives trust employees to use their best judgment?

It's a Catch-22 for many companies and IT departments: Allow access to social media sites such as Facebook, Twitter and LinkedIn, and the company is opened up to malicious content, phishing schemes and account hijackings. Block all social media sites, and the business risks losing young talent to competitors or will challenge employees to find workarounds. Which can be equally dangerous.

But because IT execs don't own these social networking sites and thus have no influence in enforcing strong passwords and vulnerability management, the key to achieving a safe compromise, a new Forrester Research report says, is focusing on what IT execs can influence: a corporate acceptable use policy.

Policies should encompass the following five questions, according to Forrester's report: To Facebook or Not to Facebook. Additionally, companies have to take into consideration whether these policies extend to remote groups outside the corporate network-such as remote workers and contractors-and if so, under what conditions these policies would be in effect.

1. Do all employees need the same level of access to social networking sites? Most likely, the report says, the answer is no. Marketing and sales, for example, may require more liberal policies if they're regularly posting videos and tweeting; a policy for the finance or sales departments, however, may need to be more restrictive. It's important to consider the company culture when writing the policy-how liberal or restrictive is it in terms of personal computing in the workplace?

[To learn more about social media policies, read "How to Devise a Stellar Social Media Policy: NASA's Tips."]

2. Is there a need for employees to download software? Third-party Facebook applications, for example, can present security risks, so if the company allows access to the site, consider blocking the ability to download software from it. "This will of course dilute the social networking experience, but in many ways, it's an acceptable compromise for workplace access," the report says.

3. Should there be "anytime, anywhere" access? Finding the balance between personal use of social media and workplace productivity is the key. Do executives trust employees to use their best judgment, or does the company want to enforce a stricter monitoring method such as bandwidth-based limitation on social networking sites?

4. What information are employees allowed to post? Microblogging poses a potential data leak threat to corporations, so executives and IT policy have to make it clear what they consider inappropriate for employees to post to public social networks. Also, be very specific about corporate proprietary information, confidential data and seemingly innocuous updates that could infer sensitive information, the report recommends.

5. What are the consequences for policy violations? Consequences will most likely vary depending on the violation and the circumstances. Be sure to clearly articulate what the violation penalty will be, if any. "For instance," the report recommends, "violation of a data loss policy may incur a heavier penalty than those who simply waste time social networking. Often, the simple statement of a penalty is enough to deter reckless behaviors."

Join the CSO newsletter!

Error: Please check your email address.

Tags data loss preventionsocial mediaprivacy

More about ASAFacebookForrester ResearchNASA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kristin Burnham

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts