A positive approach to the social media problem
Like it or not, social networking is a part of your organisation. Facebook, LinkedIn, Twitter and all those other time-wasting pastimes — or effective communications channels, if you prefer — are occupying at least a part of your workers’ time.
The dangers are familiar, including data leaks and reputational damage. And the countermeasures are equally varied, including banning the use of social media entirely. Indeed, most responses to the dangers are negative, based around restricting what people do and attempting to close stable doors. At least one person, however, thinks we should have a more positive attitude.
“Social networking is one of the biggest social experiments we’ve ever undertaken,” explained Adrian Davis of the Information Security Forum (ISF), when we took tea in London recently.
Many big companies have now appointed social media executives in an attempt to manage their organisations’ public image via these channels: something like 200 out of the Fortune 500 firms now have such executives. But, says Davis: “Most companies are still at the ‘whoah! what do we do?’ stage.”
What they should be doing, he adds, is finding ways of using social media to make their processes better.
“What are you trying to achieve?” he asks. “Do you just want to be part of it, project your arguments or generate sales? If you’re doing it for the sake of doing it, that’s where you start losing control.”
Perhaps one of the key issues is that attitudes to social media have been formed outside of the workplace. Indeed, people are more accustomed to using social networking services at home and, now that these same services are being adopted, or at least tolerated, at work, people are bringing their personal habits into the workplace.
Davis puts it more succinctly: “People assume it’s okay to post stuff online.”
Quite. People — and especially young people — have an expectation that they can communicate — and a desire to do so. But a tweet-everything, information-wants-to-be-free philosophy does not translate well into the workplace. While, in theory, this enthusiasm to share can be harnessed for the good of the organisation, getting this right involves some work if you are to head off what Davis sees as some of the biggest threats to the organisation — leakage of intellectual property and privacy issues (ie, embarrassing and potentially damaging data leaks).
“The big issue,” says Davis, “is, where is my information and who can look at it?”
So a good start is to implement proper data classification. Done properly, this will automatically define what information can and can’t go public. It has to be carried out in depth and with sufficient detail because the social media environment has a habit of blurring information classification boundaries. There is often no clear indication whether a piece of information, which may be relatively informal (“hey, we’ve just won a new contract!”), can go public. This is even more difficult when the information has a personal relevance and doesn’t immediately appear to be sensitive. “I’m joining the new team in Swansea” might seem an innocuous piece of personal gossip, unless the new team is meant to be a secret — from competitors, journalists or colleagues.
Where data classification systems end, education begins. Typically, educating your staff about social media has meant telling them what they’re not allowed to do. Davis, on the other hand, emphasises the benefits of being positive.
“Tell people what they can do,” he says.
He suggests giving staff three golden rules that define the limits of what’s acceptable, but in a positive way, saying not just what’s allowed but how they (and the company) might benefit.
“The trick,” he says, “is making it relevant.”
