Infosec: Robust policies key to enabling workplace social media use

The use of social media by employees must be controlled by robust policies and rigorous awareness-raising campaigns if organisations are to tap its potential without falling victim to a data breach or reputation damage, according to a panel of IT security chiefs.

The panel argued that, while social media use can be largely managed by controlling access to the corporate network, the increasing prevalence of smartphones and other web-enabled mobile devices, as well as the opportunity to use social media outside the office, has opened up organisations to increased risks.

These include the posting online of inappropriate content or sensitive corporate data, which could damage an organisation's reputation, harm competitiveness, or even lead to loss of life in the case of the Ministry of Defence.

"There's been a huge shift which I don't think people have understood when it comes to Web 2.0: now everyone is a publisher," said David Cripps, chief information security officer at Investec Bank.

"If one of your employees does something illegal you can be held liable. I get very nervous when the marketing guys say: 'We want everyone on Twitter.'"

The assembled chief information security officers explained that their organisations have reaped many benefits from allowing access to and use of social networking sites at work.

In the case of the Ministry of Defence it has been a morale-boosting way of allowing servicemen and women to connect with their families while on duty, while for the Cobra Group, Facebook and LinkedIn have been useful recruitment tools.

"We started on Facebook two years ago and our recruitment jumped 40 per cent," explained Steve Whittle, chief technology officer of the Cobra Group.

"It has probably increased our ability to reach an additional three million people in the UK, and the quality of people we're attracting has improved."

However, a cast iron acceptable use policy is essential for the information security department to prevent abuse of social media and ensure that the organisation has recourse to discipline the staff member involved if they disobey, the experts agreed.

Key messages that firms should communicate to staff include not to bring the organisation into disrepute via social networking sites, and to claim to be a spokesperson only if that privilege has been explicitly granted.