The social embrace: How to enforce acceptable use policies for social media in the workplace

Consumer services such as Facebook and personal devices such as netbooks, the iPad and the iPhone are increasingly being used within businesses, eroding the line between business and leisure communications.

However, some employees have found that sharing business information over channels normally reserved for chatting with friends can lead to a more relaxed attitude. This can have unintended and unwelcome consequences, such as inadvertently revealing confidential information, or offending readers and generating adverse publicity. Even so, more and more companies are citing the benefits of social media for communicating with customers.

So how can companies embrace social media to enhance communications with customers, potential employees and partner organisations, without losing control of sensitive information, exposing the network to malware, or bringing the company into disrepute?

The move to social media

Industry analyst Gartner has predicted that by 2014, social media use will overtake email as the primary form of communication for business users, and recommends that organisations develop policies to manage the use of consumer services for business.

As mentioned, the key reasons for developing a policy governing social media use are to protect the confidentiality of company information; to maintain the reputation of the company; to avoid the loss of intellectual property; to maintain a safe and productive working environment; and to avoid offending readers of your social media posts.

When updating acceptable use policies (AUPs) to manage social media use, the following points should be borne in mind so that employees can work unimpeded, without suffering the corporate or personal side effects of giving out too much information online.

AUP and social media – what is “acceptable”?

In a very recent case, a former employee of RBS was fired by her employer after she repeatedly posted updates on Facebook relating to her impending redundancy. RBS terminated her employment on the grounds that her posts had breached its secrecy policy and the employee missed out on her anticipated £6,000 redundancy payment.

This case demonstrates the blurring of the lines between business communications and, “what essentially amounts to having a chat with my mates outside work,” as the RBS employee put it. Similarly, a homophobic Tweet by a Vodafone employee led to a public apology from the mobile operator and termination of the Tweeter’s employment.

Two years ago, Virgin Atlantic dismissed thirteen cabin crew after they exchanged derogatory remarks about passengers on Facebook as well as posting comments on the cleanliness of the aircraft. The key issue in all of these cases is to ensure that all employees are made aware of what is acceptable to post, whether during, or outside of, working hours. Under UK employment law, employers can take disciplinary action against employees who post defamatory comments online that bring their company into disrepute.

Essentially, if your employee is Tweeting under your company name, or referencing your brand or company name in a post, then they are representing your brand and are therefore bound by company rules, no matter what time of day, or what day of the week it is. A growing trend is the practice of ensuring that employees have different profiles for business and social use. A practice such as this should be defined in an organisation’s AUP.

Protecting staff from cyber bullying

With every disruptive technology come major benefits and pitfalls. One of the biggest downsides of social media is that it opens up the potential for cyber bullying. This is not just the preserve of school children posting malicious comments on Bebo. Cyber bullying in the workplace is a real issue, causing genuine distress to the victims, and so it too must be covered within any social media AUP.

Using technology that can identify, block and alert HR teams to the attempted use of specific words, and perhaps imagery, can help to reinforce AUPs before unpleasant comments are posted on social media sites. This can also assist HR teams in identifying when members of staff may require assistance and intervention.

Quite apart from the social responsibility, employers must maintain a safe working environment for their staff. They are bound by the UK’s vicarious liability laws and are liable for their employees’ activities online. Employers have a duty to prevent cyber bullying, or offensive imagery or language from being circulated between employees via email, Webmail or social media sites. So it is worth spending some time looking at the type of employee posts that you want to avoid and putting policies in place to protect your employees from harmful comments online.

Developing an AUP to cover social media

As mentioned, before using technology you must carefully plan which elements need to be managed within your social media strategy and educate your staff about the new social media policy:

  • Start by expanding your company’s existing acceptable use policies governing email and Web communications
  • Clearly specify what is acceptable and what is inappropriate to post to social media sites
  • State what can be posted during business hours and outside of business hours (if indeed there is any difference). Where there is no differentiation, clearly state this in the policy
  • Let staff know that messages posted to social media sites will be monitored. This is vital
  • Review all privacy settings on social media sites that contain your corporate profile. Educate staff about privacy settings too. Opting for minimal settings can expose your network to malware directed at popular social media sites
  • Consider developing multiple AUPs for globally distributed staff, to cater for the laws of different countries.

Once you have taken these first steps, technology can be used to remind employees of their responsibilities to protect company reputation and information. Rulesets within your email and Web content management can then be used to enforce the social media AUP.

Basic content filters that can be used to enforce your social media policies include:

  • Preventing the posting of inappropriate language or brand names to social media sites
  • Preventing inappropriate images from being posted
  • Blocking of incoming or outgoing file types over social media (e.g. Excel spreadsheets and databases)
  • Blocking access to dangerous Websites, such as gambling sites, that are known to be hosting malware
  • Dividing Websites into work-related and non work-related sites, to track usage
  • Dividing social media access by job description, to manage non work-related usage
  • Applying granular social media controls, such as read only rules on the corporate Facebook account, depending on employees’ roles. Look for granular social network controls that can be set by network
  • Enforcing the AUP by allowing timed access to social media sites during working hours, to maintain productivity
  • Enforcing the AUP by allowing timed access to non-work related sites and Webmail during lunch breaks, before 9am and after 5pm
  • Limiting the installation of plug-ins such as games on social network sites, as these can impact productivity and network security.
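
As an added illustration (not taken from the article or from any vendor's product), the sketch below shows how several of the filters listed above could be combined into a single ruleset: timed access, role-based read-only access to the corporate account, file-type blocking, and a keyword check that blocks a post and raises an alert for HR. The site list, roles, watch-list terms and the 12pm to 1pm lunch window are constructed assumptions, and all names are hypothetical.

```python
import os
import re
from dataclasses import dataclass
from datetime import time

# Constructed policy values (assumptions, not from any product).
SOCIAL_SITES = {"facebook.com", "twitter.com", "linkedin.com"}
POSTING_ROLES = {"marketing"}                    # social media is work-related for these roles
BLOCKED_EXTENSIONS = {".xls", ".xlsx", ".mdb"}   # spreadsheets and databases
BLOCKED_TERMS = {"projectx", "confidential"}     # placeholder watch-list terms
# Timed access for other roles: before 9am, lunch (assumed 12-1pm), after 5pm.
OPEN_WINDOWS = [(time(0, 0), time(9, 0)), (time(12, 0), time(13, 0)), (time(17, 0), time.max)]

@dataclass
class Request:
    role: str
    host: str
    method: str                 # "GET" reads, "POST" publishes
    at: time
    corporate_account: bool = False
    body: str = ""
    attachment: str = ""

def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, block or block+alert."""
    if req.host not in SOCIAL_SITES:
        return ("allow", "not a social media site")
    work_related = req.role in POSTING_ROLES
    if not work_related and not any(s <= req.at < e for s, e in OPEN_WINDOWS):
        return ("block", "outside timed-access window")
    ext = os.path.splitext(req.attachment)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"file type {ext} not permitted")
    if req.method == "POST":
        if req.corporate_account and not work_related:
            return ("block", "role is read-only on the corporate account")
        hits = BLOCKED_TERMS & set(re.findall(r"[a-z0-9]+", req.body.lower()))
        if hits:
            # Blocked before it is published; the alert goes to HR for follow-up.
            return ("block+alert", "watch-list term: " + ", ".join(sorted(hits)))
    return ("allow", "within policy")
```

The rule order matters: the access checks run before content inspection, so a request that should never reach the site is rejected without its body being examined.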

Risks from incoming traffic

In addition to the risks that employees pose to their employer’s information and reputation through their outbound communications, the inbound traffic from social media sites carries its own perils. To assist us in developing protection against email and Web-based exploits, my company monitors for the emergence of new Web-based threats. We have noted an increase in the number of legitimate Web sites being infected with malicious code.

The most popular Web sites are the ones that are targeted by cyber criminals. Inevitably, that means that sites like Facebook, Bebo, Twitter and LinkedIn have unwittingly played host to some malware. As well as risking infecting the network with malware, individuals may be at risk of identity theft if they post too much information online.

Once again, education has a role to play here, in conjunction with technology, to protect employees in and out of the workplace. If you are embracing social media as part of your corporate communications strategy, make sure that you have the security technology in place to protect your network and computers from being infected as staff innocently post company updates to social media sites.

Conclusion

Social media can make your staff more productive, speeding their decisions by providing them with instant information and feedback from customers and prospects. However, like all disruptive technologies, Web 2.0 has its risks and these need to be properly managed. A combination of education, technology and enforcement will enable employees to keep communication channels open and maintain productivity. Combining AUP education with AUP enforcement enables employees to embrace social media in the workplace and gain the attendant advantages, while protecting against defamation, data loss and Web-based attacks.

Bradley Anstis is Director of Technology Strategy at M86 Security. Bradley has been with M86 Security (formerly Marshal) since early 2004. He re-established Marshal's R&D centre following the management buy-out from NetIQ. As VP of Technology Strategy he is responsible for the development and improvement of M86 Security solutions, ensuring that M86 Security keeps ahead of emerging security trends and market requirements. Bradley is a 20-year veteran of the IT industry and previously held technical management positions with Protocom Development Systems and Citrix.