Sharing is good.

When customers share great stories about your company, that positive word of mouth helps you build brand equity and attract more customers. Likewise when employees tweet about happy customers, their fun working environment, or amazing managers.

Yes, sharing is good.

But what happens when employees share too much? Should companies worry about the threat of sensitive company information getting out on social media?

James Pooley, author of Secrets: Managing Information Assets in the Age of Cyberespionage, says companies should be very worried.

james pooley“We have a fundamental tension that exists between the business that has to control and manage the confidence of important information, and people who work with the business who, for most of their lives, are encouraged by social media to talk about themselves,” he said.

“In that environment, the risk of somebody stealing something inadvertently is extraordinarily high.”

So, how can companies protect themselves from seeing their latest product prototypes posted on Twitter or Instagram?

CMSWire asked Pooley to give us some of his best tips for keeping company secrets off of social media.

6 Social Media Strategies

1. Know that you're asking employees to go against their digital instincts

Pooley explained that business leaders need to prepare themselves for addressing this phenomenon of secrecy in the age of social media, and part of that preparation is understanding exactly what you’re dealing with.

“You can’t say that these people need to understand that we live and breathe our assets – and that our success depends on keeping information confidential,” he said.

“No, they don’t. Their way of thinking is that they should be telling everyone about everything going on in their lives.”

As long as you understand and appreciate what you’re up against, he added, you’ll be better armed to make decisions.

2. Put your policies in writing

Pooley advises putting policies in place that spell out not only what people are supposed to do on social media when they represent the company, but what they shouldn’t do, as well. This helps employees focus, he said.

Regarding ownership of social media accounts, he recommends instituting a policy stating that the business owns the account that the employee is using in order to ensure that all of those accounts stay with the company if the employee leaves.

“Businesses need to separate personal and business accounts,” said Pooley. “There are a number of companies that have been surprised to find that a lot of the information built up inside a LinkedIn account goes away when an employee leaves because the account belongs to them.” 

3. Train employees on an ongoing basis

Because people are now wired to share things on social media, it can be counterintuitive to ask them to keep information confidential, said Pooley.

“You can’t expect that people will come in for their orientation where they learn the company org chart, you tell them about social media policies, and they’ll take it in and everything will be fine,” he said.

“Because this is so important and tends to run against the grain of the natural tendency of people to share, you need to continuously provide training in how their conscious commitment to policy will be challenged by every day events. Keep people alert to situations in which they may let their guard down.”

Why is Pooley such an advocate of training? Because he says that training has shown to be the most effective tool in stemming the risk of information loss.

4. Know which devices might pose a risk

Part of the modern business environment is that companies have lost control over mobile data, said Pooley. Because of this, leaders need to understand which employee devices could be a threat to the company.

“It used to be that a company issued Blackberrys to everyone, and had total control over the system they were connected to and the device,” he said.

Not the case today, he added.

“Employees have pushed back, wanting the convenience of using their own phones and tablets,” said Pooley. “Companies face an important new challenge – how to manage different devices connected to the company network.”

He advises companies to look into tools built for BYOD that can help them manage mobile devices.

5. Help employees recognize social media scams

In order to prevent employees from inadvertently introducing viruses into company systems, Pooley recommends educating them to spot phishing and other types of scams.

“With people expressing themselves so robustly out in the open, the bad guys can go into social media platforms and scrape a lot of personal information,” said Pooley.

They can then create a message that looks like it came from one of your friends, he added. When someone clicks, the malicious software enters into the system.

“Helping people understand what those suspicious messages might look like and how to become skeptical about those kinds of things is a part of the general struggle to keep your systems under control.”

6. Keep tabs on your official social media presence

Pooley’s final tip on keeping your company secrets off of social media? Keep your eyes open.

“The positive side of social media for businesses is that it represents huge opportunities for connectivity, but like all other corporate messaging, it’s something you can lose track of unless you pay attention to it,” he said. “It’s critical for information security purposes that you watch what’s going on so you can pick up signs that something might be going awry.”

Pooley added that keeping this issue front and center is the best way to prevent proprietary information from being released into cyberspace.

“The problem is that we have businesses to run and there are always fires to put out. The great challenge for management is maintaining a sense of priority about the kinds of information security issues that are new and emerging. We need to keep this top of mind because, as hacker incidents have shown, it can bite really hard.”

Title image by London Scout