Your Risk Management Magazine
The social network: how to set IT policies that keep the risks at bay

As explored in Young guns: how to respond to the risks of tech hungry employees, the line between personal and professional use of IT devices is becoming ever more blurred – posing significant security risks. The use of social media, too, can create substantial security and reputational risks, but how should an organisation go about setting a policy for the acceptable use of social media when there are various departments that need to be involved?

It is well known that without rules chaos abounds. In the business world we protect ourselves against disorder by setting down formidable volumes of policies and procedures. They provide a set of rules that ensure consistency of practice. They also help to guard the organisation against unexpected and unwanted outcomes, and unethical or even illegal behaviours. As circumstances arise, new policies are created and old policies are updated to ensure they remain relevant and practical for the business.
 
The big question, however, is how do you apportion responsibility for creating, reviewing and maintaining policies that cross multiple business disciplines? What if a policy has legal, HR and operational considerations? It's an issue currently confronting numerous organisations as they come to grips with social media and collaborative applications such as Facebook, Twitter, LinkedIn and YouTube.

The complications of a social world

While the rapid uptake of social platforms is allowing businesses to reach audiences in new and exciting ways, staff accessing these websites while at work raises any number of issues that may require the rewriting of a company's Acceptable Use Policy (AUP).
 
Typically the two biggest concerns are security and productivity. An employee who spends three hours a day on social media is wasting the company's time and money. And, since these applications were not designed for business, most don't contain the built-in security measures essential for the enterprise environment. Instead, they are a channel for virus and malware infection that should raise a red flag within any IT department.
 
Other fast-rising concerns and questions to consider include:

  • How do you determine who within the organisation is authorised to communicate via social media?
  • How do you know when a tweet is simply an individual's right to comment, or when it should be judged as an employee overstepping the bounds of acceptable behaviour?
  • Employee comments on social media sites are notorious for their ability to cause damage to an organisation's reputation, not to mention the financial impact.
  • Sites such as YouTube or peer-to-peer (P2P) websites can consume massive amounts of bandwidth, adding significantly to an organisation's operational costs.

Who owns the policy?

It is clear that the IT department has the requisite knowledge to create social media policies. They understand the issues and the way in which the technologies are used. It is equally clear that there are other departments within the company – HR, legal and finance – that are also stakeholders in this area. All have important input regarding the monitoring, enforcement and compliance of the policy. Yet, according to a study conducted by Forrester Research Group, around 40 per cent of businesses have an application policy that was formulated wholly within IT, without the necessary input of the other departments.

In order for an AUP to be widely accepted and readily implemented, it is best to get all of the relevant stakeholders involved in formulating the policy from the beginning of the process. Departments such as legal, finance and HR all have valuable knowledge that IT can leverage to design a policy that is effective across all business units. Legal plays a critical reviewing role, determining if the draft AUP is non-discriminatory, acceptable and enforceable. Finance is essential in understanding the potential financial exposure involved in breaches of the policy. With all the potential liabilities associated with social media, from intentional misuse to accidental confidential data loss, it is important that legal and finance departments are aware of the compliance risks.
 
Then, when an employee is hired, HR takes on the role of education. This is when the employee learns about the company's views on internet safety and the specifics of the AUP. Education is critical in informing the employee about the policy, thereby making it enforceable. It also helps to limit the company's liability if litigation arises due to staff misuse. Moreover, making employees aware of the problems may prevent accidental spam or virus intrusions, and reduce confidentiality breaches. HR also offers a natural fit for the ongoing role of monitoring and enforcement of the policy.
 
The writer of this article is Scott Robertson, Vice President, Asia Pacific, WatchGuard Technologies. Part two of this feature explores what an AUP should say, and how to use technology as a means of compliance.

Latest comments

Tony Ridley on 25 Jan 2012 12:54 PM

All stick and no carrot! How is it that this entire article failed to identify and acknowledge the significant benefits associated with social media? I also disagree that IT has the necessary expertise. Very unlikely. If you don't use it, how can you understand or be an expert in it? What about mobile devices? Too many companies make the assumption they have control by limiting desktops and laptops, only to have an employee do anything they like on their phone and tablet. Let's just pretend that a single policy is effective. How do you then prove it works and you have no leaks or issues? Where is the significant section on monitoring to determine commercial and internal breakout issues? "You can not improve what you can not measure". Too narrow and one sided http://tony-ridley.com/

© 2012 Key Media Pty Ltd.