Social media is sometimes regarded as a double-edged sword.
On the one hand, short of getting all your customers, vendors, employees, partners and prospects together in one room, there is no better way to directly interact with key people quickly and effectively. Not to mention that should you ever try the all-together-in-one-room idea, it would get out of control very quickly: social media makes keeping track of interactions more manageable and, of course, the Internet allows for a variety of multimedia to be used and shared during any interaction. In this regard, one edge of the social media sword makes it a very useful business weapon.
The other edge of the sword is that social media is still a vast, uncharted, constantly-changing environment that makes it seem difficult for companies to ensure it is used safely and productively. Not having the proper measures in place to guard corporate data, secure connections and protect against increasingly-common malicious attacks via these channels can quickly make social media a losing proposition for any organization.
However, the fact of the matter is that plenty of companies use social media regularly, and to great effect. Similarly, more companies are accommodating ‘generation standby’ employees who expect to lead their social lives online throughout the work day in exchange for being expected to respond to work requirements after hours. There are still potential pitfalls, but the world’s corporations that have allowed social media use have clearly not suffered as a result, which means they must be able to dull the potential problem edge of the social media sword. What’s the key to making social media safe and effective?
Three things you definitely should NOT do:
- Create a new rulebook: The first thing to know about social media security is that, at its root, it’s still web security! Many of the same best practices that work for effective web and email security work well for social media security. Perhaps the only somewhat-meaningful difference is that social media security might require a stronger emphasis on outbound security: social media, after all, is much more of a two-way street than typical Internet traffic. Strong content management and filtering systems on the upload side of the connection are worth investing in so that corporate data stays where it should.
- Expect IT to do it all: Even the best IT team can’t understand the full requirements of every department in your organization. Just as you would with other security policies, enlisting managers from various departments will have the dual benefit of a) allowing the nuances of HR security or financial compliance regulations, for example, to be integrated into a more complete security policy, and b) not over-burdening the IT department by forcing them to judge what is acceptable or unacceptable behavior and make decisions that paint them as either ‘overprotecting’ the business and stifling the free flow of information or ‘under-protecting’ and allowing serious breaches to go unblocked. Share the load. Be more protected.
- Block it and forget it: Blocking specific URLs works in some cases, but it is not a silver bullet. This holds even truer for social media as it is one of the most rapidly-evolving technology sectors these days. Take Facebook and Google, for example. Your company might not like the idea of allowing full access to Facebook, but might think Google applications are OK. But in the last few months, Google has experimented with a set of more social applications, most notably the now-defunct Google Buzz, which enabled many similar functions to Facebook. Blocking one site like Facebook might solve your problems one day, but before that day is out a rival social media site or service might launch with similar functions to the blocked site. Rather than wholesale blocking of sites, focus on security policies and systems that are more about the actual content being shared.
Three things you absolutely should do:
- Be clear: IT security has always had a mystique about it — like it is best conducted in secret by those who might actually use the phrase “you’re on a need to know basis.” This is an outdated, ineffective way of approaching security. A UK retail giant had a hard time dismissing an employee over a blog post they claimed damaged the company’s reputation when he defended himself by pointing out that the company had no clear policy on blogging. If the point is to keep problems from occurring in the first place, then making social media, Web, email and other security-related policies clear to employees is a more logical path to take. Bring security out of the black box.
- Be granular: Blanket security policies generally don’t work — even more so for social media. Many companies choose to assign ownership of interactions for certain online social mediums: one person for Facebook, another for customer forums, another for LinkedIn, for example. Not only does this mean that these people might need additional network privileges that others don’t, but the company might choose to share different kinds of data on LinkedIn than on Facebook. Different people. Different roles. Different sites. Different mediums. They all require different rules.
- Unify and simplify: We love smartphones because they let us do so much from just one device: talk, text, surf the web, email, listen to music — even access social media applications. Where possible, don’t complicate the issue of managing security across Web, email, remote workstations, social media policies, etc. by trying to keep track of a different system for each. Increasingly common are unified solutions that can federate content-inspection and encryption policies in one place and create reports and new policies in real time across all digital communications channels.
People are used to being able to live their lives online whilst at work, and to shut out the mechanisms that make that possible — social media — is not just detrimental to employee productivity and motivation but can also be a potential revenue loss for the company as social media is turning into a viable sales channel. It can seem like a situation that requires new tools and new people. In reality, it just requires more of the same strategies that have been proven to work already: personalization of policies, getting more people involved in the decision making and protection policy process, integrating solutions where possible, and making security policies transparent. So, as you were, people.
Phil Vasic is Regional Director, APAC at Clearswift, the software security company, www.clearswift.com.