AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY

Thursday, August 06, 2009

Implement, educate and enforce strict Social Media usage policies – in that order

POSTED BY Bill Malone AT 6:58 PM

For several years I have urged organizations of all sizes and industries to review and update their IT security policies, while simultaneously imploring companies to implement policies when none exist. If the proliferation of compliance and regulatory requirements still has not convinced you to take IT policy and procedure seriously, then prepare for Web 2.0 to force it upon you!

In recent days, the debate surrounding how organizations ought to govern and manage Social Media sites came to the forefront with the Marine Corps' ban on sites such as Facebook, MySpace and Twitter. As Clint Boulton writes in eWEEK, the ban is controversial as many Social Media proponents argue good policy and governance in the use of Social Media sites could reduce or eliminate the operational risk feared by the military.

As Richard Sandomir points out in the New York Times, ESPN further inflamed the debate by issuing 12 guidelines on the use of social media. Of course, one of its NBA analysts immediately sent out a tweet complaining about the “hammer” coming down on ESPN employees.

While the total ban of these sites by the Marine Corps may seem extreme to some, from a security standpoint, it was the best course of action. The Marines clearly were not prepared with a well-thought-out policy around Social Media usage, or the necessary education and training for their geographically dispersed troops. ESPN took the additional step of developing a strong and thoughtful policy on Social Media. It is concisely written and includes stated consequences for violations.

Still, ESPN fell flat in an important area – Employee Training and Awareness regarding the policy. With more knowledge about why the policy was put in place, it’s likely the disgruntled “tweet” never would have happened. Employees need to understand the rationale behind the policy and the impact comments made on social networking sites could have on their employer, their product and brand image.

Every organization should follow these steps with regard to Social Media:

  • Document policies and acceptable usage in order to protect sensitive organizational information, personnel policies and the organization's reputation.
  • Clearly articulate consequences for violating these policies, and enforce them.
  • Provide awareness training on not just what the policy is, but also the reasoning behind it.

This last step, awareness training, is perhaps the most important aspect of any security policy, because it lets employees understand and embrace the logic behind these decisions and avoid unintentional violations.

So, when was the last time that you received Computer/Internet Security Awareness training from your employer?

LABELS: Compliance, Security, Web 2.0, Bill Malone
