As many have learned the hard way, placing information on a company intranet, extranet or the internet can open up a world of unintended consequences.
Whether you're a public sector organization, global enterprise, small business or an individual, other actors can take and use your information in unintended ways, regardless of your original intent.
To counteract this potential chaos, organizations practice information assurance (IA) to manage risks related to the use, processing, storage and transmission of information or data and the systems and processes used for those purposes.
Blurring Personal and Work Online
Social media technologies like Twitter, Facebook and LinkedIn as well as internal social networks like Yammer, Slack and Jive make it easy for employees to share information that can potentially put themselves or others at risk.
As The Department of Navy’s social media handbook warns, “Loose tweets sink fleets.” This serves as a reminder to service men and women to remember that their audience is likely much larger than they think.
Individuals are typically more tolerant or willing to have personal details shared with others. However, this changes dramatically when it comes to an organization’s social media policies. A poorly constructed tweet or post can cause dramatic reputational or financial harm to a business in a short amount of time.
Similarly, inappropriate social posting using internal, enterprise social tools can have reputational, legal and even financial consequences to a company.
Employees have increasingly blurred the lines between their online personal and work lives. Many individuals use personal social media regularly to communicate with their friends, family and work colleagues.
But sometimes they miss the mark in understanding the balance of free expression and appropriate positions for their organization. Technologies like Slack, OneDrive and Dropbox further blur the lines between personal and business content — especially as mobile access to data increases for employees.
Establishing Social Checks and Balances
Many corporate risk and security officers fear the prospect of creating company social media plans because they think it could hand employees tools on which they'll say anything, without checks and balances.
A perfect illustration of this are a few statements made years ago about Microsoft's acquisition of Yammer: “What used to be the water cooler conversations of the past will now be able to be broadcast to the enterprise” and “rather than working in silos, businesses can collaborate and share information internally.”
Both of these statements have value, but having personally been a part of some very sensitive water cooler conversations in the past and some necessarily siloed work streams, my belief is that not all information is appropriate for every employee.
Simply put, understanding the difference between what can and what should be shared is key.
All enterprise organizations collect and manage sensitive information from a number of sources including employees, customers, vendors, business partners, other businesses, government agencies and competitors. This data may include personal information, health information, financial information or a wide range of other information such as:
- Travel plans
- Business transactions
- Security information
- Logistical information
- Dignitary visits
- Energy grid schematics
- Emergency management response plans
Any of this data can create privacy or security threats that a third party could exploit — especially when shared via social media. This type of information can create unintended consequences that carry civil or criminal penalties and fines, monetary damages, and even risks to national security.
Beyond the inappropriate sharing of this kind of information via social media, you could expose your organization to civil action as a result of inappropriate communications.
Social and Security Can Work Together
The most important thing for risk officers or compliance workers to do is decide what defines "risk" in their organization. Analysis of this requires a balance of standards, exposure and what that means to your business.
A robust risk management program should integrate policy with people, processes and technology — including education, monitoring and enforcement. Risk officers must continually assess and review who needs access to what types of information and work with their IT counterparts to automate controls around their enterprise systems to make it easier for employees to do the right thing than it is to do the wrong thing.
With this kind of analysis, companies can make informed decisions about which social tools to deploy, both inside and outside of the organization. They can then balance the value of the free flow of information that stems from connecting people with each other with the data protection and security controls required to maintain work-appropriate communications
I believe we can have the transparency that we desire from social media alongside security if we make the proper investment in information assurance. The key is not to block social technologies, but ensure they are used properly.