Given that reality, it’s important for entities to draw up strong acceptable-use policies or to reevaluate existing ones.
One element of a strong policy, particularly for highly regulated organizations, is to include language forbidding employees, unless expressly authorized, from representing the company, as opposed to themselves, online, says Tsantes. Some policies also require that employees never mention their employing organization, or even anything about their work, unless that is part of their job.
In addition to being told about the specific provisions of the policy, employees must be made to understand why it is important to follow the protocols not only at work but when using social media in their personal lives, says Tsantes. “If you explain it in the context of protecting their family and friends and then apply the same principles at the company, I think it will create a greater attention to the problem and more awareness.”
Training can include sending information to employees via e-mail or an internal Web site. It can also be helpful to train an employee after a security incident, such as a malware infection.
Management should create a culture in which it’s considered acceptable for employees to report if they may have had a malware infection or other security incident related to networking and similar sites, he says. “You want to try to reward the behavior.”
But the company must also make sure that there are negative consequences for those who do not follow the policies. A policy that is not enforced will serve no purpose.
Apart from setting parameters on what should be said on social networking sites, the company may want to monitor such activity to assess risk, to the extent that doing so is legal and pertains to work-related concerns. Certain networking sites can present greater risks than others. Some entities may want to familiarize themselves with the types of security measures taken by certain sites. Some more popular sites are actually stronger in protecting users’ security and privacy. Facebook, for instance, is “one of the safer sites” in numerous respects, Tsantes says. If a site seems insecure, the company may want to deny access to it from the company network.