Socially acceptable - enforcing social media policies in the workplace
Consumer services such as Facebook and personal devices such as netbooks, the iPad and the iPhone are increasingly being used within businesses, eroding the line between business and leisure communications. In fact this convergence of business and leisure activity has led social commentators to coin the term, 'bleisure', to describe this shift in working patterns.
However, some employees have found that sharing business information over channels normally reserved for chatting with friends can lead to a more relaxed attitude. This can have unintended and unwelcome consequences, such as inadvertently revealing confidential information, or offending readers and generating adverse publicity. Yet, more and more companies are citing the benefits of social media for communicating with customers.
In this article I will describe how companies can embrace social media to enhance communications with customers, potential employees and partner organisations, without losing control of sensitive information; exposing the network to malware; or bringing the company into disrepute.
The move to social media
Industry analyst, Gartner, has predicted that by 2014, social media use will overtake email as the primary form of communication for business users and recommends that organisations develop policies to manage the use of consumer services for business [1].
As mentioned, the key reasons for developing a policy governing social media use are to protect the confidentiality of company information; to maintain the reputation of the company; to avoid the loss of intellectual property; to maintain a safe and productive working environment; and to avoid offending readers of your social media posts.
When HR staff update their acceptable use policies (AUPs) to manage social media use, the following points should be borne in mind so that employees can work unimpeded, without suffering the corporate or personal side effects of giving out too much information online.
AUP and social media – what is 'acceptable'?
In a very recent case, a former employee of RBS was fired by her employer after she repeatedly posted updates on Facebook relating to her impending redundancy. RBS terminated her employment on the grounds that her posts had breached its secrecy policy and the employee missed out on her anticipated £6,000 redundancy payment [2]. This case demonstrates the blurring of the lines between business communications and "what essentially amounts to having a chat with my mates outside work," as the RBS employee put it [3].
Similarly, a homophobic Tweet by a Vodafone employee led to a public apology from the mobile operator and termination of the Tweeter's employment [4].
Two years ago, Virgin Atlantic dismissed 13 cabin crew after they exchanged derogatory remarks about passengers on Facebook as well as posting comments on the cleanliness of the aircraft [5].
The key issue in all of these cases is to ensure that all employees are made aware of what is acceptable to post, whether during, or outside of, working hours. Under UK employment law, employers can take disciplinary action against employees who post defamatory comments online that bring their company into disrepute.
Essentially, if your employee is Tweeting under your company name, or referencing your brand or company name in a post, then they are representing your brand and are therefore bound by company rules, no matter what time of day, or what day of the week it is. A growing trend is the practice of ensuring that employees have different profiles for business and for social use. A practice such as this should be defined in an organisation's AUP.
Protecting staff from cyber bullying
With every disruptive technology come major benefits and pitfalls. One of the biggest downsides of social media is that it opens up the potential for cyber bullying. This is not just the preserve of school children posting malicious comments on Bebo. Cyber bullying in the workplace is a real issue, causing genuine distress to the victims, and so it too must be covered within any social media AUP.
Using technology that can identify, block and alert HR teams to the attempted use of specific words, and perhaps imagery, can help to reinforce AUPs before unpleasant comments are posted on social media sites. This can also assist HR teams in identifying when members of staff may require assistance and intervention.
Quite apart from the social responsibility, employers must maintain a safe working environment for their staff. They are bound by the UK's vicarious liability laws and are liable for their employees' activities online. Employers have a duty to prevent cyber bullying, or offensive imagery or language from being circulated between employees via email, webmail or social media sites. So it is worth spending some time looking at the type of employee posts that you want to avoid and putting policies in place to protect your employees from harmful comments online.
Developing an AUP to cover social media
As mentioned, before using technology you must carefully plan which elements need to be managed within your social media strategy and educate your staff about the new social media policy:
- Start by expanding your company's existing acceptable use policies governing email and web communications
- Clearly specify what is acceptable and what is inappropriate to post to social media sites
- State what can be posted during business hours and outside of business hours (if indeed there is any difference). Where there is no differentiation, clearly state this in the policy
- Let staff know that messages posted to social media sites will be monitored. This is vital
- Review all privacy settings on social media sites that contain your corporate profile. Educate staff about privacy settings too. Opting for minimal settings can expose your network to malware directed at popular social media sites
- Consider developing multiple AUPs for globally distributed staff, to cater for the laws of different countries
- Once you have taken these first steps, technology then can be used to remind employees of their responsibilities to protect company reputation and information. Rulesets within your email and web content management can then be used to enforce the social media AUP
Basic content filters that can be used to enforce your social media policies include:
- Preventing the posting of inappropriate language or brand names to social media sites
- Preventing inappropriate images from being posted
- Blocking of incoming or outgoing file types over social media (e.g. Excel spreadsheets and databases)
- Blocking access to dangerous websites, such as gambling sites, that are known to be hosting malware
- Dividing websites into work-related and non-work-related sites, to track usage
- Dividing social media access by job description, to manage non-work-related usage
- Applying granular social media controls, such as read only rules on the corporate Facebook account, depending on employees' roles. Look for granular social network controls that can be set by network
- Enforcing the AUP by allowing timed access to social media sites during working hours, to maintain productivity
- Enforcing the AUP by allowing timed access to non-work-related sites and webmail during lunch breaks, before 9am and after 5pm
- Limiting the installation of plug-ins such as games on social network sites, as these can impact productivity and network security. Look for granular social network controls that can be set by network
Risks from incoming traffic
In addition to the risks that employees pose to their employer's information and reputation through their outbound communications, the inbound traffic from social media sites carries its own perils. To assist us in developing protection against email and web-based exploits, my company monitors for the emergence of new web-based threats. We have noted an increase in the number of legitimate websites being infected with malicious code. The most popular websites are the ones that are targeted by cyber criminals.
Inevitably, that means that sites like Facebook, Bebo, Twitter and LinkedIn have unwittingly played host to some malware. As well as risking infecting the network with malware, individuals may be at risk of identity theft if they post too much information online. Once again, education has a role to play here, in conjunction with technology, to protect employees in and out of the workplace. If you are embracing social media as part of your corporate communications strategy, make sure that you have the security technology in place to protect your network and computers from being infected as staff innocently post company updates to social media sites.
Social media can make your staff more productive, speeding their decisions by providing them with instant information and feedback from customers and prospects. However, like all disruptive technologies, web 2.0 has its risks and these need to be properly managed. A combination of education, technology and enforcement will enable employees to keep communication channels open and maintain productivity. Combining AUP education with AUP enforcement enables employees to embrace social media in the workplace and gain the attendant advantages, while protecting against defamation, data loss and web-based attacks.
1. Gartner press release, 2 February, 2010: Gartner Reveals Five Social Software Predictions for 2010 and Beyond
2. Facebook boast about £6,000 redundancy payout cost bank worker her job
3. ComputerWorldUK.com: RBS worker says she was sacked for Facebook post
4. Vodafone and the homophobic Tweets
5. Virgin cabin crew sacked for Facebook comments
A copy of the M86 Security whitepaper: 'Is your Acceptable Use Policy Social Media Proof?' covering the topics outlined in this article can be downloaded from http://www.m86security.com/wp/aup_social_media_proof/
Bradley Anstis, VP technical strategy, M86 Security, is primary spokesperson for the company on aspects related to the evolution of the technical and strategic product direction.