Every day I see yet another (often another dozen) situation where employees misused, abused or otherwise accused social media sites to the chagrin of their employers.
Businesses need to make a coordinated effort, using a combination of policies, training and technology to mitigate the risks (to personnel as well as the business) of workers using social media sites.
Today let’s consider what organizations should be telling their workers about social media information security and privacy.
What to Tell Workers
Along with social media policies and procedures you also need to provide training and ongoing awareness communications to your personnel. You can’t just show them the policies, although they certainly must read and understand them.
Your training needs to cover *HOW* to do their work, and online activities, to be in compliance with the policies, and to protect not only your business, but also their personal privacy and the privacy of others.
I’ve found that when workers understand how security and privacy practices can protect themselves personally, they will also better understand why they need to keep privacy and security in mind during their daily work activities. So, in training, and also ongoing awareness communications, explain how social media use impacts your workers personally.
Explain how anything posted online could potentially be viewed by anyone, even if the site claims it is restricted. They should understand that anyone using a restricted site can repost information to other, public sites. Advise them to at least ask themselves the following 6 questions.
1. Do you want the whole world to see?
Are you posting anything you, or your friends, family, co-workers, employers, patients, customers or guests don’t want the entire world to see? The Internet is a world-wide accessible network.
Social media sites are openly accessible by default. Internet-based social media sites are public, even many (perhaps most) that say they are “private.” Social media sites on “closed” intranet networks, such as on the organizational business networks, have more controls.
However, if those are not deployed with appropriate controls posts could still leak out into the public cyber world. For example, 10 women in the St. Louis area were recently distressed to discover that their doctor had posted before and after photos of their breast augmentations online, along with their names, reportedly a mistake by the person doing the posting.
2. Do you want the post to be seen forever?
Do you want that post to be seen forever? Remember that once posted on the Internet, information is virtually impossible to remove. Facebook recently announced that they have implemented procedures to allow users to permanently delete photos and other posts.
However, even if posts are deleted, it is quite likely others have already copied the posts, and they could repost them elsewhere. Information posted on internal networks, such as company intranets, is easier to control.
3. What if the information is taken out of context?
What are the consequences of your posts being used out of context? Explain the consequences of how posts can be taken out of context and misinterpreted, leading to harassment, or worse.
Point out how easy it is for others to take what is posted, alter it, and re-post it elsewhere. It is also possible that your hard work, posted online, may be used inappropriately by others.
4. Could the information put you or others in danger?
Could your post put you, or your family, friends, co-workers, customers or patients in danger? Criminals like to see posts stating when people will be at specific locations, away from their home, etc. Then then plan their crimes based upon that information.
For example, a young Nigerian woman was recently stalked online, and when she posted about traveling alone, the two men stalking her robbed and killed her. In another recent example, a New Zealand celebrity was sent to the hospital as a result of a cyberbullying attack on Twitter.
Crooks also use information posted to social networks to cause financial harm and identity theft. Identity theft is on the rise, and criminals are targeting particularly vulnerable groups, such as the elderly and children. The FTC reports that since 2009 there were over 57,000 child identity theft cases reports to them, with some of the victims small babies.
5. Are you violating any laws?
New laws are being enacted to govern what is posted online. For example, New Jersey recently enacted legislation to protect privacy rights of accident victims as a way to prevent situations such as the incident in 2009 when a first responder to an accident posted photographs of a woman who was killed in a car accident to Facebook.
Are you violating any healthcare, financial, or other federal, state or international laws or regulations? Several HIPAA violations have already occurred through inappropriate online posts.
And the public is noticing and taking action. For example, it was recently reported that “most state medical licensing boards have received at least one complaint about unprofessional online behavior by physicians.”
Are you committing copyright or licensing infringement with the information you post? Not only do you need to make sure that what you post is not plagiarizing someone, but you should also be aware that someone may steal your information and claim it as theirs. It happened recently to an author of a food blog who discovered someone had taken her recipes and put every recipe verbatim into an e-book sold on Amazon. Remind your employees that just because something is found online it doesn’t mean it is free for the taking; copyright and licensing rules must still be observed.
Are you stating something as fact that really isn’t? Could what you post put you at risk of being accused of slander? Ask your workers to always check to ensure their posts are not violating any company policies, and not violating any types of laws or regulations. After all, we are a litigious society.
6. Is your message clear?
Be sure you are not unintentionally breaking cultural norms or putting out something unintentionally offensive. Meet the expectations of company communications for internal sharing. And also remind them that when posting, especially about or on behalf of the business, that they should ensure the message is clear and meets business requirements.
Bottom line for all organizations, from the largest to the smallest
Your workers need to understand that:
2) Once posted online information will have a virtually eternal life.
Just because information is found on social networks doesn’t mean it’s true. Anyone could have posted it, proclaiming they are an expert but in actuality they could be as uninformed as a dog, so to speak.
Or as wily as a fox trying to trick people into spreading their lies, or even governments spreading propaganda, such as Russia was just reported to have done. Also, once posted, always posted. So they need to think carefully before hitting that enter key, and ask themselves the six questions above.
Other information about social media privacy and security
Here are some other good articles and reports related to tweeting, using found online information, and otherwise posting to and using social media sites:
- Internet etiquette can lower kids’ risks: Parents’ values, oversight help protect against online dangers
- Social Media Benefits Now Obvious to Midsize IT; Risks Not So Much
- Ontario: Commissioner’s Contest Calls for Videos about Online Privacy and Social Media
- Asian CEOs prefer to keep social media at arm’s length
- California Raises the Bar on Social Media Privacy
- Here Are The States Where Your Boss Can’t Watch Your Every Status Update
- Privacy Is Dead — Really?
- Lawyers still shy on social media, but more are liking Linked In as way to connect
This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
Cross-posted from Privacy Professor