In the first part of this blog series we discussed the role of social media usage in the workplace and its possible effects on security. We closed the piece by suggesting that companies address the issue with the creation of a formal Communications Security Policy. Today we are going to be offering some common-sense pointers on just how that should be done:
A first step in creating a social media security strategy is classification of business information so staff understand exactly what is — and isn’t — sensitive data. The classification should also specify who is permitted to access corporate content and how that information may be used.
Policies can vary by worker role and by social media website. For example, an employee may be permitted to include employer affiliation and job title on a public profile on a business media website, but not on a private one; human resources staff may be allowed to provide more company data because doing so is crucial to recruiting.
Remember that hackers currently heavily target mobile devices like smartphones and tablet PCs. Businesses should specify whether or not staff are permitted to access social networking sites from these devices and which apps may be used to do so.
Once policies are established, they need to be reinforced with a carefully considered combination of network monitoring and data protection technologies. In some cases, these technologies might already be in place as part of standard IT security measures. If so, they should be configured to incorporate social networking controls.
The Challenges of Changing Worker Behavior
With social media, even a fastidiously planned mix of policies and technology might not be effective enough. That’s because you can’t stop staff from posting data on social media after they go home at night; individuals can do what they want, in spite of company policy. What can you do? Implement a rigorous and continuous worker education program on the appropriate use of social media.
• A business ought to proactively train staff and be very clear regarding what it considers the correct use of company data. Be specific: Tell them what they can and can’t say on social networking sites about the company. Staff should understand that posting corporate knowledge is totally forbidden — unless it’s expressly encouraged.
• Tailor the education program to meet the security knowledge level of your staff. The risks of malware, data loss and other threats should be described in very real situations that specify impacts to the individual and also the business.
• Show staff how to recognize current scams used in social media attacks and how to spot a phishing website. Training should demonstrate how these threats propagate on social media and how they can be downloaded to a user’s laptop or mobile device and then infiltrate the enterprise network. Emphasize that this knowledge will be as useful at home as it is in the workplace.
• Education shouldn’t be completely technical, however. For many staff, sharing via social media has become so reflexive that they may not realize that information posted on a public social network, however innocently, may hurt a business. Employees should also understand that when they identify themselves as an employee, they’re representing the company to the digital world.
• Finally, fully explain the implications of failure to follow company policies on use of social media. Be very clear: Jobs are in danger for those who violate the company code of conduct for privacy, client confidentiality and property. As harsh as that might sound, there really do need to be clear consequences for those who continue to put the security of corporate data – and even corporate systems – at risk.