Social Media and security

Social media incidents cost a typical company $4 million over the past 12 months, according to the results of a Symantec survey published today.

There have been a number of legal actions about social media in recent years, including a Financial Industry Regulation Authority (FINRA) regulatory notice, the Romano vs Steelcase Inc and Bass vs Ms. Porter’s School cases (where both plaintiffs were granted discovery of the defendant’s Facebook Profile), and the sexual harassment case EEOC vs Simple Storage Management LLC (where a US District Court held that social networking sites — or SNS for short — were discoverable).  This means that what your employees do on their personal time on SNSs can open your company to embarassment and litigation.  The survey, then, sought to find out how big this problem is in the enterprise. They hired Applied Research to interview IT professionals from 1200+ enterprises with 1000+ employees.

45% of respondents use SNSs for personal use, and 42% use them for company use.  IT folks are worried about employees sharing too much information (46%), the loss or exposure of confidential information (41%), damage to the brand (40%), exposure to litigation (37%), malware (37%), and violating regulatory rules (36%). 

The respondents to the survey listed 9 social media “incidents” in the past 12 months, with 94% of those incidents having consequences, including damage to the brand (28%), loss of data (27%), or lost revenue (25%).  The average cost of a social media incident was listed as $4.3M!

Most of the companies are discussing creating a social media policy, training their employees, putting processes to capture confidential information, and putting technology in place to stop these things from happening as well.  However, what was suprising was that — while almost 90% of respondents felt they  needed to have these things in place, only 24% had a social media policy, 22% were training their employees on social media, and about 20% were using technology to control this process.

Folks, it’s happening and it isn’t going away.  The very least you can do is to create a social media policy and train your employees why it is important.  Those employees who are allowed to blog about company matters need to be continually reminded that their actions are discoverable.  Even if their personal site may not be demonstrated to be official company policy, it surely states the opinion of one of its employees — and those employees make up the company.  And if it can be shown that one of its employees was continually doing something damaging on a publicly accessible social site and the company did nothing to stop it, that can be actionable.

Just remember: It’s really easy to be a jerk on the Internet where you’re not facing the person you’re talking to.  You might want to dial it down a notch or two.  Just a thought.

Update 25 Jul 2011: I was given a briefing about this survey and didn’t read the press release until today. During the briefing, Symantec seemed to be playing down the role that technology had to play in helping to solve this problem.  However, in the press release, it seems as if they’re saying that Enterprise Vault is going to handle this by archiving social media content.  First, I have no idea why anyone who is not required to archive any content — be it email or twitter — would do such a thing.  If you’re not required to keep something and keeping it adds no value to your business — don’t keep it!  Second, even if you did archive it, I’m trying to understand how that would help you in a discovery situation.  If someone wants to see your Facebook logs, they’re going to subpoena Facebook.  That’s what happened in the cases listed in this article.  So if you did archive it, now you’re required to produce it.  So why would you do this if you weren’t being forced?  And how would doing this help you in a trial?

----- Signature and Disclaimer -----

Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Evangelist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.

2 thoughts on “Social Media and security

  1. Sean Regan says:

    Totally agree. Social Media has become the internet. Every device, every webpage is an opportunity to say what is on your mind. No surprise discovery can become important at times. What I found interesting in the survey was that IT had learned form their experiences using E-Mail, IM and other forms of communications. As a result they were pretty clear on the risks and actions they can take to mitigate them and enable social. As for companies that want to block social media at this stage, I’d suggest they are missing out and should question whether sharing a policy with China is the right approach to social media. Companies like Zappos, Old Spice, Ikea and Dunkin Donuts have transformed their business using social media.

  2. cpjlboss says:

    There are two issues at stake here. It started with personal phone calls in the 50s-80s, browsing the web in the 90s, and now twitter/FB/etc use, companies have always fought for the attention of the people they are paying to do their jobs. That, IMO, is the first reason companies block SNSs. As an employer myself, I can certainly understand the concern of your employers chatting up their friends all day and not getting any “work” done.

    The second reason is security, IMO. The problem is that this problem CANNOT be stopped technologically. You may be able to stop people from FBing/Tweeting/blogging at work, but you’ll never stop their ability to do it at home. And you’re still potentially liable for the actions of your employee even when they’re on their “own time.” Consider three scenarios.

    Janice has a public, personal blog that she only does from home. On this blog, she continually states how she doesn’t like a particular group of people — a group that is a protected class. She’s not in trouble unless she’s inciting to violence, etc. The company has a potential liability if they are notified of the site and choose not to disassociate themselves with the person. Their choice (and risk) comes when they learn of the site.

    Fred, on is own time, computer, and home Internet connection, blogs ABOUT HIS JOB. Suppose he’s dumb enough to blog about his exploits on the job, the female coworkers he’s hit on, etc. Suppose that what to him is innocent flirtation is deemed by readers to be sexual harassment. Suppose he slips in there things about how his boss knows about his activities and doesn’t do anything about it. Now we have a real problem. The company is open to a lawsuit, and someone’s personal blog will be used as evidence.

    Finally, there’s Joe. He’s a stock analyst that gives financial advice on his personal blog (on his own time). He gives bad advice to someone and they sue the company.

    BTW, this is no different than the NPR guy being taped at lunch a few months back. He was stating his own opinion on his own time, but it was NPR that took all the heat.

    You see where I’m going. My point is that technology can help, but policies and continuing education are the best tools for this job.

Comments are closed.