David Scott, author of IT Wars and a business consultant, knows first-hand the risks social networking can pose to the enterprise through his work with clients who have faced these very threats. But how does IT fit into it? The following guest post offers some strategies on where your IT department fits in fighting the wide variety of risks while still reaping the rewards the technology can offer. Like what you’ve read? Check out our Bookworm Blog for a free chapter download of David’s book, or buy it on Amazon.
Organizations have long faced liability in an environment of e-mail, instant messaging, blogs, and downloads. Critical dependencies and vulnerabilities abound. But a fairly recent, yet established, challenge has materialized in the workplace: that of social networking. In addition to high profile sites such as Facebook, Twitter, LinkedIn, et al., there are countless other sites – some friendly, some professional, and some neither friendly nor professional. For an exposure to the latter, just try Googling “vent your job,” “rant about your job,” etc.
In the recent past, it was enough to have a prudent e-mail policy as part of an Acceptable Use policy for information systems at large. Most of it was obvious, though necessary: no harassment, no excessive personal e-mailing of family and friends, no e-mailing of negative views, such as political or corporate, and no posting of any kind to questionable forums under the aegis of the corporate domain. That is, don’t use your corporate e-mail or user account for anything that could adversely reflect on the organization or on you as a representative of that organization.
But today, often in the lag of policy, social networking has employees toggling between “friending” on Facebook, Twitter, etc. one moment, and “businessing” on corporate systems the next. In the case of small businesses, many find themselves taking advantage of social networks in the interests of client-building, marketing, communication, and general exposure. This is inexpensive and efficient – but here, the blend is a blur.
Of course, social networking has that universal business peril: wasted time. But this switch between friending and businessing can pose an extreme peril to any organization’s #1 asset – its reputation – in an age that grants enormous power to individuals. For example, Genesis HealthCare System, of Ohio, recently had to counsel healthcare professionals not to make negative postings online; personnel were discussing patients and referring to them by room number. Going the other way, employees too often have the temptation to bring an inappropriately lighter sensibility to business communications, having just exited the “party” of social networking.
Another peril in the blend of friending and businessing is the security concern. There is a proliferation of sites that offer to import contacts from other systems – be it your corporate account or other social networking sites. This blending of corporate and personal contacts can group people together for communications that may be inappropriate for either half of the group. These sites can also deliver malware, which in turn can monitor keystrokes, steal sensitive data (one need only refer to the Privacy Rights Clearinghouse, and its Chronology of Data Breaches report, for a little perspective), and can direct users to other websites of further harm. Beyond that, these activities can consume bandwidth and crimp resources better devoted to legitimate business, robbing Internet speed from other employees and online customers. Organizations must understand that when employees access outside systems, they risk exposure of confidential information, and open a possibility for hacking, spyware, viruses and, ultimately, potential lawsuits.
In the same vein, organizations must also look at how employees are accessing what they access. Today’s blended environment includes personal and business assets: in the era of remote and home offices, employees access corporate networks with their own PCs and laptops. Are these computers secure? Do they have virus protection? Is it updated? How often? Just as importantly, when employees take corporate laptops offsite, do they use them on secure WiFi networks? If a corporate laptop prompts for a download and update, does the employee know enough to vet and accept, or decline, the update? Would some employees decline a legitimate security update?
In a furtherance of blending, consider data’s portability: CDs, DVDs, thumb drives, mobile phones with huge storage capacity… who is transporting your organization’s data, and how? If an employee takes data off-site, is there a standard operating procedure for how that data is transported? Must the employee utilize a company asset for a critical transfer? Or is it enough that the employee shows up “with the goods”?
So – what to do? Companies are varied and no “one-size-fits-all” solution exists. Small Business, with limited budget, is exploiting social networking for all it’s worth; it is free, far-reaching and effective. Some big companies are totally down on it, as their client base, boards, and senior management can have a more conservative business sense. But in either case, smart organizations have always leveraged and protected content (information, business data), as well as the blended environment of personal and business assets. They must now do so with an immediacy that matches modern awareness, issues and resolutions. In this blending of the corporate and public domains, and of corporate and employee assets, a robust Acceptable Use policy and its maintenance have never been more important.
Fortunately, for diverse organizations, there are more options than the extreme positions of green-lighting all social networking access, or red-lighting any access at all as a total denial. There is also the option to manage limits in between. Subsets of users can have partial or full access; different sites can be available to certain users according to their role in the organization; some users may indeed have no access; and there may be conditional access based on projects and temporary need. The leading cause of data breaches is negligence, according to CIOZone, making control and education paramount. So, by adding necessary precautions and education, you should be well-poised for what some call “The Wild West” of social networking.
In getting there, IT Governance (Business) must engage. It is Business, after all, that owns “business” – the doing – even in a tech company. Business must understand the payoff and the perils, the benefit against the risk, and must insist on a fully qualified user body and a regime of standards in service to present and evolving realities. Everyone needs to be a mini-security officer: every activity must be viewed through security’s prism. IT must help to shape policy, fully informing and serving Business by making known the risks and exposures, and IT can enforce compliance with standards through regularized training and monitoring of activity. But the important thing is to mount a new awareness and to hammer policy and plans into shape based on your organization’s needs, vulnerabilities, size, budget, culture, etc. A good planning and policy panel is a Business Implementation Team (BIT), composed of qualified Business, IT, and User counterparts.
In the realm of risk, unmanaged possibilities become probabilities. Security is only as good as its weakest link: an untrained or uncaring employee, a laptop with disabled virus protection, a data breach, a damaging Facebook post, or a ranting comment on a news article by Firstname_Lastname@YourBusinessDomain.com – these can do extraordinary damage. Failed events and circumstances have a common point: the failure to identify a true need, resulting in the denial of an appropriate solution.
Today and tomorrow, prudent business needs to manage an accelerating, even forced, evolution of critical technical empowerments and their best use. Organizations need to manage their progression through a world of accelerative change. A good part of this will be directing their employees’ use of, or avoidance of, social networking and other outside sites. Further, there should be a regularized schedule for review and updates to Acceptable Use policies and for reinforcing training. Organizations should also survey their blended assets for protection, update, and best use.
In today’s blended environment, don’t wait – your domain hangs in the balance.
David Scott is the author of the MBA text I.T. WARS: MANAGING THE BUSINESS-TECHNOLOGY WEAVE IN THE NEW MILLENNIUM, and is a business consultant. For more information about him, visit his homepage or professional profile on The Business Forum.