Enterprises from all backgrounds have heard the social media call. Breathless marketing executives presented the C-suite with crisp PowerPoint presentations showing case studies that encouraged them to reap the benefits of being open, social and transparent. That forced true change, with the C-suite altering practices and asking for more social activity and collaboration throughout the organization.
There’s only one problem: The whole idea has the security folks tied up in knots. The key challenge here is that as employees communicate openly with customers, partners, prospects and competitors, private and otherwise proprietary information within content management systems and on hard drives may leak out. And for many companies, a serious breach has already happened, as evidenced by recent headlines of significant fines that organizations such as the FTC, the Department of Health and Human Services, and others have imposed.
This isn’t just about malicious activity and employees out to do harm, but about employees who want to do the right thing when it comes to information security, but either don’t know, don’t understand or don’t remember the rules.
It’s also about creating and enforcing those rules.
Most corporations that have installed SharePoint 2010, for example, have taken one look at the social media components and either failed to deploy them or deliberately turned them off, fearful of the unregulated Wild West that they understand social media to be. But tools exist that can integrate seamlessly into SharePoint and other collaboration platforms that can scan posts prior to publication, as well as monitor existing content and file stores, and either block, quarantine, or simply notify the appropriate security staff about anything from profanity to the secret merger codename that only the executive team should know about.
How does a company protect itself from its own employees? And what type of personalities should employers be on the lookout for when trying to safeguard private or other confidential information? The following are the three worst offenders.
Foul-Mouthed Social Media Monster
The Social Media Monster has a lot to say and wants to tell everyone about it. She’s out on Twitter and Facebook, she’s answering questions on LinkedIn and Quora, and she’s interacting in the forums. She does all of this with good intentions: to keep herself and her company in front of prospects. It’s a valid marketing strategy.
Only, she’s not always using appropriate language and sometimes forgets that she’s there to represent a brand as much as herself.
It’s key that companies present clear guidance on what is expected of employees in the online universe, then monitor the various locations to determine who is saying what.
A better bet is to keep the foul-mouthed behavior from ever happening.
Clueless Uploader
The Clueless Uploader means no harm, as his name implies. He’s happily sharing documents with the rest of the company, and in some cases, with the public, just as he’s expected to do as part of his job. But one day he posts a file that has customer social security information within it. Not his fault, really. It was embedded on one of the multiple tabs within the spreadsheet, probably five layers in.
Still, it’s out there for all to see, and now his company runs the risk of fines or worse due to compliance violations. Never mind the public relations nightmare that awaits once word gets out.
This isn’t just about social security numbers; it could be any piece of information that is considered confidential, whether that’s a skunkworks project that’s critical to your next product release, sensitive information about a client, interview and reference notes about the newly hired VP of Sales, or even talk of a strategic partnership or merger.
Making sure that employees know what’s in every content layer of the document is very important. Some document management systems handle this automatically. For others, there are add-ons that can alert employees when a document is about to go live that should be held back.
Executive Assistant with Slippery Fingers
While executive assistants are trusted to manage the calendars and information for the executive team, many do not know (or consider) the sensitivity of some of the information with which they are trusted. When that information is posted internally and is accessible to the entire organization, confidential merger talks, reorganization strategies, even layoff plans can be jeopardized.
Managing the workflow of employees at every level can protect the confidentiality of information. Technology that does not interrupt daily activity but prevents the spread of sensitive information can mean the difference between a successful and failed merger.
What Can Be Done
Once executives identify problem personalities and characters, these final steps can help eliminate problem behaviors and stop information leakage in its tracks.
Policies: Create clear, documented policies as part of your content strategy before implementation or rollout, including rules about permissible content. CIOs must take time to consider what should and shouldn’t be shared through social media channels, forums and internal platforms like SharePoint, as well as the proper ways to use these tools.
Education: It’s important that employees understand the privacy and confidentiality rules as they have been designed, including how they protect both the company and the individual employee. While many companies require employees to sign a confidentiality agreement upon hire, very few employees read the full document or understand how it applies to their daily work life. On one level this means simple user training, including “hands-on” sessions for various content contributors, but it could also mean creating a “terms of service” screen that comes up as users are creating their own SharePoint MySite, for example, or e-mail alerts that notify employees about when and why specific content slated for publication is not permissible.
Awareness and Enforcement: Once the business rules are in place, you must enforce these regulations and communicate to users when violations occur in order to prevent more serious breaches. Organizations can provide the community with a way to tag content they consider to be “inappropriate.” New automated solutions can also check content intended for internal and external SharePoint sites before it’s published, including content scans and validation against specific business rules. These rules could include scanning for personally identifiable information or personal health details, as well as almost anything else that would constitute a breach. These systems can prevent the posting of non-compliant content, in effect preventing privacy breaches and confidentiality leaks.
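The pre-publication check described above, and the "look in every content layer" problem of the Clueless Uploader's spreadsheet, can be sketched as a small rule engine. The following is an added example written for this article; it is not HiSoftware's product, a SharePoint API, or any vendor's code. It assumes a document is handed to the check as a set of named layers (each spreadsheet tab, hidden sheet or comment thread as its own text), that the business rules are the three actions the article names (block, quarantine, notify), and that the codename list and the sample spreadsheet are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Actions ordered by severity; the strictest action among all findings decides the outcome.
SEVERITY = {"notify": 1, "quarantine": 2, "block": 3}

# Placeholder word list standing in for a real profanity dictionary (constructed for the example).
PROFANITY = ("darn", "heck")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "block", "quarantine" or "notify"


@dataclass(frozen=True)
class Finding:
    layer: str    # which tab / section / comment thread the hit was found in
    rule: str
    action: str
    masked: str   # matched text with all but the last four characters hidden, safe to log


def build_rules(codenames=()):
    """Business rules: regulated identifiers block, project codenames quarantine, language notifies."""
    rules = [
        # US SSN in dashed form, excluding area/group/serial values the SSA never issues.
        Rule("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"), "block"),
        # Medical-record-number style token, a stand-in for personal health identifiers.
        Rule("mrn", re.compile(r"\bMRN[\s#:]*\d{6,10}\b", re.IGNORECASE), "block"),
        Rule("language",
             re.compile(r"\b(" + "|".join(map(re.escape, PROFANITY)) + r")\b", re.IGNORECASE),
             "notify"),
    ]
    for name in codenames:
        # Hypothetical codename list, e.g. the merger name only the executive team should know.
        rules.append(Rule("codename:" + name,
                          re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE),
                          "quarantine"))
    return rules


def mask(text):
    """Hide everything but the last four characters so the alert itself does not leak the value."""
    return "*" * max(0, len(text) - 4) + text[-4:]


def scan_document(layers, rules):
    """Walk every layer of the document, not just the visible first tab, and collect rule hits."""
    findings = []
    for layer, text in layers.items():
        for rule in rules:
            for match in rule.pattern.finditer(text):
                findings.append(Finding(layer, rule.name, rule.action, mask(match.group(0))))
    return findings


def check_before_publish(layers, codenames=()):
    """Return (decision, findings): 'publish' when clean, otherwise the strictest triggered action."""
    findings = scan_document(layers, build_rules(codenames))
    if not findings:
        return "publish", findings
    decision = max(findings, key=lambda f: SEVERITY[f.action]).action
    return decision, findings


# Constructed sample: a spreadsheet whose fifth tab carries a raw customer import.
SAMPLE_SPREADSHEET = {
    "Sheet1 Summary": "Regional revenue up 4% quarter over quarter.",
    "Sheet2 Notes": "Loop in the Project Kestrel team before Thursday's call.",
    "Sheet5 Raw import": "cust_id,name,ssn\n1041,A. Example,123-45-6789\n",
}

if __name__ == "__main__":
    decision, findings = check_before_publish(SAMPLE_SPREADSHEET, codenames=["Kestrel"])
    print(decision)
    for f in findings:
        print(f"  {f.layer}: {f.rule} -> {f.action} ({f.masked})")
```

Run as-is, the sample spreadsheet is blocked: the codename on the second tab alone would only have quarantined it, but the SSN buried on the fifth tab escalates the decision, and the alert that reaches the security staff shows only the masked value. The same engine serves both the post-before-publication check and a sweep over existing file stores; only the source of the layers changes.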
Finding the Balance: A true balance lies in being able to support collaboration and information sharing with rules that protect the organization and, in some cases, its customers and business partners, while preventing exposures that can result in harmful penalties—both financial and reputational.
Thomas Logan is the CTO of HiSoftware.