Does your organization use social media? How do you know for sure? Social media usually require no special technology, little or no involvement from IT, and no official project plan or explicit permissions to get started. Social media involve the creation and dissemination of information through social networks using the Internet. Social media tools include blogs, product review sites, Twitter, Facebook, LinkedIn, YouTube, Wikipedia and many other outlets.
Any Internet site that allows individual users to supply content can be considered a type of social media. Managing the risks from social media requires that the organization have a social media strategy, sound policy and a plan to address the risks that accompany social media technology. Here are some considerations for using social media in your organization:
1) Understand that blocking access to social media sites is not sufficient to prevent their use since many organizations use the tools to interact with customers or prospective employees. Blocking access also does not preclude the use of social media on employee-owned equipment.
2) Conduct a risk assessment to map the risks to the organization from the use of social media. The top five risks from social media as identified include:
- Brand hijacking
- Lack of control over content
- Unrealistic customer expectations of “Internet-speed” service
- Noncompliance with record management regulations
3) Develop policies to address the risks of social media. Existing policies on conflict of interest, professional conduct, acceptable use, privacy, client confidentiality, intellectual property and similar issues can and should be extended to apply in the context of social media. Things to cover in these policies include:
- Whether these sites are allowed for business use
- Personal use in the workplace and personal use outside the workplace
- The process to gain approval for use
- Standard disclaimers if the organization is identified
- Copyright or other content rights to information posted to these sites
- Scope of business-related content allowed
- What is inappropriate
- Escalation procedures for customer issues
- Disciplinary procedures for violation of policy
4) Ensure that the business processes that utilize social media are aligned with the policies and standards of the organization.
5) Social media are just other forms of electronic communication. Understand the retention regulations or e-discovery requirements. Poor policies governing the use of social media increase the costs of social media forensics coming from an external inquiry, litigation or audit request and may result in regulatory sanctions, fines or adverse legal actions.
6) Include social media training in the organization’s regular awareness communications or information security training curriculum. Users need to understand what is (and is not) appropriate and how to protect themselves and the organization when using social media.