The advent of social media platforms is continually transforming the way organizations interact with customers, build brands, and engage with the world. While certain organizations have eagerly participated in social media as a means to garner long-term marketing benefits, other organizations are hesitant to address employee interaction in the new interconnected world of social media. However, simply looking the other way is no longer a viable option. The statistics are staggering and can’t be ignored: Facebook with over 500 million users, Twitter with nearly 200 million registered accounts, and LinkedIn with 100 million users.
This is a primer on how to help your organization defend itself by identifying the potential risks associated with employee use of social media, providing recommendations on how to mitigate those risks, and sharing Cisco’s approach.
Pitfalls of Social Media
Failing to acknowledge that social media has quickly become a key communication vehicle for business relationships carries several key risks:
- Malicious code on the social networking site itself or in mobile applications associated with the site, including inside advertisements served through third-party apps, can compromise your network directly. Social networks like Twitter are especially vulnerable to this type of attack because of shortened URLs, which hide the real destination and trick users into visiting malicious sites.
- “Malvertising” (malicious advertising) is found even on the most reputable sites. Paths to malware can easily be found on social networking sites, where there are numerous advertisements and where social networkers have a false sense of security. For additional background and guidance, see “Social Media Brings a New Wave of Threats.”
- Regulatory and legal actions, such as a violation of FTC guidelines around endorsements, are more likely if employees are left to use their own personal judgment as to online conduct and activities relating to a company’s business and are unaware of the potential consequences of participating in social media sites. This may lead to liability for both the company and the individual.
- Social engineering is the act of obtaining information from someone in order to access a system, rather than breaking into the system itself. On social networks, people are more comfortable and willing to share personal information about themselves than they are when meeting someone in person. This creates an increased risk of employees sharing proprietary and confidential information over social networks. For additional background and guidance, see “Social Engineering a Threat Vector.”
Mitigating the Risks
Social media security and usage is complex and continually evolving. However, by considering the recommendations below, you can help your organization defend itself.
- Familiarize yourself with social media privacy policies so you can inform users how their personal information is being used. Start with the policies of popular social networks such as Facebook, Twitter, and LinkedIn.
- Build security into your system as a means to protect both within and beyond your network perimeter.
- Create a Use Policy. Creating a social media policy is one of the most important aspects of mitigating risk. There are many publicly available policies to help you get started: http://socialmediagovernance.com/policies.php. The policy, however, should reflect your company’s culture, values, and existing policies by outlining your objectives, the strategy for achieving your social media objectives, and the role employees can play to help. A social media policy must offer guidance on how to participate effectively while protecting both the employees and the organization. Social media has several inherently positive aspects, such as building brand awareness, product marketing, and communicating industry news, and the policy should be structured to address them.
- Educate Employees on policies, best practices and their responsibilities. Then, educate employees again when your organization’s policies, practices and responsibilities change. Educating employees is the only way to manage the ever-growing world of social media tools and associated risks and is key to the implementation of a successful social media initiative.
Cisco’s Approach: More than just a policy
Acknowledging that social media has likely become a part of the personal and professional lives of our employees, Cisco does not block access to social networking sites. Instead, Cisco has developed a comprehensive social media policy document, with guidelines and FAQs, that states in clear language what is expected of employees in terms of online conduct. This includes: (i) requiring our employees to be transparent, so that if an employee is discussing Cisco, they must use their name, not an alias; (ii) disclaimer text for both Cisco-sponsored sites and third-party sites (such as a personal blog); (iii) clarifying to the reader that the opinions are the author’s; and (iv) a reminder not to share our intellectual property or confidential and non-public financial data, and not to infringe upon the intellectual property of others. See the Cisco Social Media Policy, Guidelines and FAQs. For additional background, see the blog “Social Media – The Efficacy of the Corporate Guide.”
The Cisco Social Media Policy is also integrated into our Code of Business Conduct, along with a requirement for employees to sign an annual statement acknowledging that they have read and understood it. To further raise awareness, a brief web-based video was created to highlight how our social media policy aligns with our corporate culture of transparency, authenticity and openness, and to share one of our executives’ own personal lessons learned.
With the rise of new media and the evolving set of next generation communication tools, the way in which employees can communicate internally and externally continues to grow. We recognize that social media is always changing, so simply implementing policies and training is not enough. In light of this, Cisco has created an internal on-line collaboration portal to create a community and centralize content regarding the use of a variety of social media tools, including:
- best practices, guidelines, FAQs and short video tips
- templates and frameworks
- blog posts by social media practitioners to share program learnings and best practices
- forum for posting questions and engaging with fellow community members
- email alias for guidance and to submit questions
In sharing our approach, we hope our lessons learned can enable your organization, whether large or small, to engage and reap the benefits of social media while protecting your organization’s interests. We encourage feedback below and hope others pass along how they are addressing social media. For additional information and insight into our privacy compliance program, please visit our Privacy and Security Compliance Journey website.