6 Tips for Keeping Your Sensitive Company Info Off Social Media

Don Tennant

When your employees spend a lot of time on social media at work, the problem could be a lot more serious than lost productivity. The culture of information sharing that the use of social media has created can also lead to lost trade secrets and the exposure of sensitive company information.

That warning is being sounded by James Pooley, an information security consultant and former Silicon Valley trial lawyer who represented clients in patent, trade secret and technology litigation. Also a former deputy director general of the World Intellectual Property Organization in Geneva, Pooley is the author of the recent book, “Secrets: Managing Information Assets in the Age of Cyberespionage.” Pooley’s pedigree was enough for me to take notice when he released a list of six tips that can help you avoid having sensitive company information compromised on social media. If you’re inclined to come up with a plan during your holiday downtime to ensure you have social media usage in the workplace under control, these tips should help.

  1. Understand that you're asking employees to go against their "digital instincts." By their very nature, social media platforms encourage users to publicly disclose the minutiae of their lives (usually the more, the better). The Facebook generation is conditioned to casually communicate, swapping files and using the cloud to store and access photos, music, and more. They are experts at revealing a lot using only 140 characters. Making sure that social media doesn't become a hole through which your company's secrets leak is an especially challenging task, because you're essentially asking employees to check their habits at the door. They'll need to learn to operate based on a different set of standards that often contradict how they deal with information in their private lives.
  2. Put social media policies in writing. Don't assume that a few informal warnings and cautionary tales will keep all your employees from tweeting and posting what they shouldn't. If your company already has general policies about the disclosure of information assets, make sure those policies become part of the official set of rules that govern employees' use of social media. These policies will reinforce the need to keep personal and work issues separated and not to post about what is going on inside the company. Larger companies need to have these policies reviewed by legal counsel, since broad confidentiality restrictions can typically violate labor laws that guarantee employees the right to discuss their working conditions. Additionally, companies need to decide if social media business contacts belong to them or to their staff. According to recent court decisions, if this isn't clearly specified in the company's policies, those contacts and the social media account itself can be claimed by the employee when he leaves.
  3. Train, train, and then train some more. In many organizations, after initial orientation, data protection policies are left on the shelf and more or less ignored. That's dangerous, because staff can easily forget about the rules or lose respect for the dangers of noncompliance. Meanwhile, they may be working on collaborative projects, examining acquisition possibilities, receiving development proposals, and more. All of these situations can lead to personal social media connections, where you will be relying on the knowledge and good judgement of your employees to control risks. You can mitigate much of this risk by creating a quality training program that engages your employees as part of the security defense team. They'll make fewer mistakes themselves on social media (and elsewhere), and they'll also be on the lookout for the mistakes of others. Keep in mind that the best training is continuous, careful, upbeat, and professional, and does not rely on threats. And be sure to include everyone—not just key knowledge workers—in social media security training. That includes contractors, temporary employees, and interns.
  4. Know which devices might represent a risk. The growing popularity of BYOD policies means that many of your employees may well be storing sensitive information on the same laptops, smartphones, and tablets they use to scroll through status updates in the evenings. That's cause for concern, because cyber thieves can gain access to the content of these devices and your company's systems through relatively easy-to-hack social media accounts and apps. In addition to establishing clear policies on social media use and providing continuing training, consider technical mitigation measures. Mobile device management (MDM) tools can remotely configure devices, monitor what's on them, and even erase their data if lost. MDM techniques can also include encryption for data stored on or communicated from the device.
  5. Teach employees to spot social media scams. In addition to using MDM tools, training employees on methods that information thieves often use can help them avoid falling prey to traps on social media. For instance, social media profiles give hackers a lot of information that they can use to compose realistic-looking, customized email phishing messages. But beyond that, websites themselves can be used directly to fool people into joining a fake group, survey, or event, sometimes using a money coupon as a lure. Other traps involve fake “like” buttons, browser extensions offered for download, or compelling offers designed to make the viewer want to share them with friends. All of these social network scams are grounded in the idea that we are all so used to rapidly connecting, sharing, and exposing that we'll do it more or less automatically with anything that looks attractive. Teaching employees to think twice before clicking can help secrets stay secret.
  6. Be aware of your official social media presence. While you may not be able to fully control what your employees post on their personal social media accounts, you can certainly keep a close eye on official company Twitter, Facebook, and other social media pages. Have a safety net of trusted employees monitoring and maintaining your company's presence on social media to stop potentially revealing posts from ever reaching the public eye. Also, regularly change passwords to lock out account thieves who may have successfully procured your company's login information.

A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.

Dec 29, 2015 5:33 AM flavia says:
Yes, a quality training program is necessary because latest updates revision of basic rules in every organisation is must to achieve the desired goal. So training is must. For fast progress it needs to provide a good training program to the employees.
Jan 19, 2016 5:55 PM INOC | Optical Network Service says:
Social media is a great way to connect to people as well as share information but like other great things, there are risks that most people remain ignorant to. I agree that people shouldn’t share every bit of personal information online because you don’t know who could be lurking and waiting to exploit your information. I also like the idea of putting all regulations regarding social media posting, especially on company information, be put to writing so it becomes legitimate and to ensure that your employees will indeed abide by the rule. Finally, it pays to be proactive and be aware of scams how social media can put you at risk.
Jan 25, 2016 4:29 AM Lars says:
Good post. I totally agree. The problem is twofold: lost productivity; and lost trade secrets and sensitive business information. But, the companies must train and monitor the responsible employees for official company's presence on social media. Thank you for sharing.
Jan 25, 2016 6:42 AM CDNsun says:
Yes, the employees' distraction on the social media is a big problem! Lots of thanks for these pieces of advice. As for putting social media policies in writing, does it really work and is considered the actual nowadays? I mean, most of the employees are used to printing... However it may be interesting for the middle-aged workers and older.
