Interviews

Social media and security

by Mark Rowe

We return to the security management aspects of using social media. Whether you work for a business or government, a basic message seems to be that online conduct should not be any different from off-line, and things which employees might think are private may well not be.

In our May issue we featured social media and security management. Security departments may want to embrace social media like the rest of us, to push out messages – that can get through to the young in particular; and in a crisis, such as a bomb threat on a campus, can maybe be the difference between life and death, and answer fears of fretting parents far from their children. We featured the University of Durham, hosts of the university security managers’ body AUCSO annual conference last Easter. Unis, like businesses and indeed government, have come to see social media as a tool. But how to guard against a breach of security (even if by an over-enthusiastic blogger or thoughtless tweeter, rather than someone malicious); and what of the IT, hacking threats?

Whether it’s a fill-in manager of a retail chain who says unkind things about Barrow in Furness, where he’s been sent as a relief man; or Kent’s teenage youth police and crime commissioner, Paris Brown, last year: things we say on social media can make the TV news and embarrass us, and (more to the point?) our employer. Bernadette Palmer, Head of Communications, The Security Company, said last year: “Of course social media is a useful business tool but employees need to be clear about what and how they discuss their employers online. In particular, care should be taken where employees are disillusioned or disgruntled as they may feel justified in voicing their anger and frustrations through social media. Some organisations have prudently recognised that it is practically impossible to prevent employees from using social networks so they have created policies that detail how employees may use company resources for personal purposes and how they are expected to represent the company online.” She advised:

Create a social media policy and detail how you expect employees to behave online.
Educate your employees about the consequences of ‘dissing’ the company on social media sites both from a reputational damage perspective and for the individual involved.
Communicate with your employees, regularly, to ensure they don’t forget.

As Coca-Cola points out to its staff: “Remember the internet is permanent.” Coca-Cola says that it wants the company’s more than 150,000 ‘associates’ in more than 200 countries to join conversations, represent the company, and in its words ‘share the optimistic and positive spirits of our brands’. As the drinks firm puts it: “We encourage you to get online and have fun, but use sound judgment and common sense.” More specifically, it says (among other things) that Coca-Cola will protect its consumers’ privacy; and ‘reasonably monitor’ its behaviour in the ‘social media space’.

Security managers may be sceptical; but it’s not only businesses looking to connect with the young that are using social media. As the Government-wide social media guidance for civil servants points out: “When social media first came to prominence, the risks (in terms, for example, of security, departmental reputation and staff productivity) far outweighed any perceived business benefits. As a result, many departments placed technical restrictions on accessing certain types of websites, including social media sites. However, whilst many of the risks remain, there are now significant benefits …” The document also suggests updating and publishing policies, and educating staff, about the use of the internet and social media; to mitigate risk. And, the guidance advises, you should not just tell staff dos and don’ts: “… it is better to empower them to use these services safely and responsibly”. Security is one department the guide suggests that should have a say in the policy – besides the likes of PR, HR, and trade unions.

The University of York, like Coca-Cola, speaks of a ‘common-sense approach’ in its social media guidelines. York reminds employees that they should use the same safeguards as they would with any other form of communication about the university. The uni is then more specific, saying staff should not breach confidentiality; be bullying or offensive; or bring the university into disrepute; or breach copyright. Some of this has more to do with the Security department than others; and like other unis, York makes plain that social media is the domain of its ‘Communications Office’. And staff who are forever on Facebook (‘employees should not spend an excessive amount of time while at work using social media websites’) are a matter for HR or whoever is their manager. As for what ‘excessive’ means, the University of Edinburgh suggests ‘access for personal purposes should be kept to a minimum and should generally be made during permitted breaks from work or outside of work time’. Edinburgh expects its employees to ‘behave professionally’ on social media. As a rule of thumb, the uni advises staff ‘to avoid posting anything online that they would not wish managers or colleagues (both internal and external) to see’.

Meanwhile at the Foreign Office (FO), Foreign Secretary William Hague has said that diplomats should be ‘well-versed in modern communication including social media’. Why? Briefly, to ‘harvest information’ and get the UK’s message across; also, to better manage a crisis. (Likewise, in our May 2013 feature, we showed how during last year’s terror in Boston in the US, the university MIT used social media to warn staff and students after the shooting of a campus police officer.) The FO says it expects social media to be ‘a core part of the toolkit of a modern diplomat’. The FO does add: “Do not disclose information that is classified or privileged, or that may put you or your colleagues at risk, whether from crime, terrorism, or espionage.” As the FO points out, saying that your views are personal ‘is no insurance against negative media or other publicity’; overseas, readers might see you as representing the Foreign Office. As the FO admits, mistakes do happen. And it says: “Your online conduct is subject to the same disciplinary rules as your offline conduct.”

Edinburgh council, to take an example from local government, says in its ‘acceptable use policy’ that it (as opposed to political councillors) must be politically neutral. Hence the council says that it will remove any comments that, in its view, may ‘compromise its obligation to maintain political neutrality’, especially before elections.

The Law Society too warns about confidentiality (‘your presence on social media channels like weblogs and micro-blogging sites may inadvertently impact on your professional obligations towards your clients’). Might lawyers breach the Solicitors Regulation Authority code? For example: if a lawyer says on Twitter that they are in a certain location at a certain time, they may unintentionally disclose that they are working with a client. On a more practical note, the society suggests you always ensure you log out of social media sites, ‘particularly if you share a machine with other colleagues’.

Some laws to think of:

Data Protection Act (see the ICO website for guidance)
Human Rights Act (freedom of expression; and at unis the principle of academic freedom)
Public Interest Disclosure Act (the right of staff to ‘blow the whistle’ in the public interest).
Regulation of Investigatory Powers Act (if you are a public body and monitoring social media, are you doing it covertly and falling foul of RIPA?)

http://www.acas.org.uk/media/pdf/f/q/1111_Workplaces_and_Social_Networking-accessible-version-Apr-2012.pdf

The employment mediation body Acas has a research paper Workplaces and Social Networking: The Implications for Employment Relations from the Institute for Employment Studies, commissioned by Acas and first published in 2010.

It made the point that social media ‘provides a much greater scope for employers to monitor their employees. New methods for monitoring employees in the workplace include Radio Frequency Identification (chips which track an employee throughout the building), wearable computers and voice technology, satellite and cellular phone tracking, video monitoring, e-mail and web monitoring, keystroke monitoring and telephone call monitoring. Furthermore, as the discussion of the use of social media by employees highlights, employers may be tempted to monitor employees’ activities outside work as well. This has been of particular concern to trade unionists using social media to organise, where the concern is that the storing of personal information by social network sites may be used by employers to break up organising attempts.’

The paper showed that social networking sites tend to blur traditional relationship boundaries – ‘individuals may have a large number of ‘friends’ on their Facebook site, some of whom may not actually be friends in the conventional sense of the word, and indeed whom they may never have actually met. Similarly, within the workplace, social networking sites can also disrupt traditional boundaries, relationships and hierarchies between employees. For example, individuals may want to consider whether they should ‘accept’ a Facebook ‘friend request’ from their boss.’

The document recommended that an internet/social media use policy ‘must set out clearly and explicitly the organisation’s expectations of and definitions of acceptable and unacceptable behaviour, and the consequences of violation. These should be consistent with disciplinary procedures and cross-refer to them.’

“The policy could be included within general guides on codes of conduct and amalgamated with the organisation’s policy on data security and email. The policy should also contain a statement on employer use of the internet in relation to employees’ activities outside work.”

The Acas guide had this to say about ‘brand control’: “Employers may be keen for employees to promote the brand but it can be hard to control everything employees are saying about their place of work or its products or services. Just one misplaced comment could cause a great deal of negative publicity. Employers may be unaware that employees have the right to access information kept about them – such as sickness and disciplinary records, appraisal reviews and general personal files. Employers’ response to comments made about the company on social networking sites may not be proportionate to the perceived offence. Acas research suggests that employers consider the ‘moral intensity’ of the published content – in other words, what damage has been done?

“Depending on the size of your organisation you may need to develop separate guidance on the use of blogs, social networking sites, tweets etc. You should make it clear that employees may face disciplinary action if they post any comments that might damage the company’s reputation. You could also require employees to use a disclaimer on any blogs, for example, stating that the views expressed are those of the employee and are not representative of the employer’s view.

“Inform your employee if you plan to monitor social media activity. This is best done in consultation with employee representatives or a recognised trade union. An employer needs to justify the use of monitoring showing that the benefits outweigh any possible adverse impact. Significant intrusion into private lives will not normally be justified unless there is a real risk of serious business damage.

“Make a judgement about where you stand in terms of confidentiality or privacy versus freedom of speech. Some employers see their employees as valuable outlets for promoting the brand via social networking. Other employers feel the risk of damage to the company name is too great and ban the use of social networking sites at work.”

More technical are IT security issues; namely that social media platforms may be used for hacking.

Snapchat was recently hacked, with the attackers posting a database containing 4.6 million usernames and phone numbers of Snapchat users. In an unrelated incident, Skype’s Twitter account was hacked. Tim ‘TK’ Keanini, CTO at the IT security firm Lancope, said that the two hacks were very different: the Skype incident was a compromise of Skype’s social media presence, whereas the Snapchat one was a disclosure of Snapchat user information.

As for the Skype incident, he said: “Keeping your social media accounts for your company safe and secure is not as easy as it sounds with larger organisations. Often, it is an outsourced company that staffs these Twitter, Facebook, Pinterest accounts and their security practices may not be up to industry standards. They often will not turn on the two-factor authentication because it assumes that a single user will be associated with the account and often times with these large online brands, there are multiple people who staff a single account and two-factor makes it almost impossible to manage.” And regarding the Snapchat incident he said: “Add another 4.6 million user accounts compromised to the growing total in the past six months and we have a real problem on our hands, people. Just in the past month, it seems that the frequency of account compromises is so high that people are having to change their passwords on a weekly basis. This is not sustainable. How bad does it have to get before it starts getting better? The more users you have in your online system, the more attractive you are to the advanced threat. They will work all day and all night to penetrate your systems and in turn, you must work all day and all night to ensure that you defend your system. At some point, product managers of these systems will prioritize security related features over all the other features in the backlog and make it happen sooner than later. Until then, there will be many more stories like this and good luck having to change your password for upwards of 50 accounts on a weekly basis.”

AppRiver advises caution on social media, as many users offer too much information, which (the software-as-a-service, SaaS, firm says) is pure nectar to hackers. Troy Gill, a security analyst at AppRiver, says: “Don’t arm hackers with information that can help them socially engineer their way past your security. Before you post, ask yourself how the information might be used by a crook. For the sake of security and your friends’ sanity, remember that less is more — especially when it comes to Facebook.”

McAfee Labs covered social media in its 2014 trends report. And Vincent Weafer, senior vice president of McAfee Labs, said: “With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014. The activity in mobile and social is representative of an increasing ‘black hat’ focus on the fastest growing and most digitally active consumer audiences, in which personal information is almost as attractive as banking passwords. The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover.”

‘Social attacks’ will be ubiquitous by the end of 2014, McAfee has warned. The IT security firm said it expects to see more attacks that use social platform features to capture passwords or data about user contacts, location, or business activities. In other words, because LinkedIn, Instagram and the like are so big, hackers go there. Such information can be used to target advertising or to commit virtual or real-world crimes. Whether directly or through third parties, businesses will increasingly use ‘reconnaissance attacks’ to capture user and organisational information, as happened in 2013. The IT firm also expects what it calls ‘false flag’ attacks, which dupe people into giving up personal details or their login and authentication details. For instance, an attack might present an ‘urgent’ request to reset the user’s password; instead, the attack steals the user name and password and uses the account to collect data. How to prevent all this? Vigilance, in a word.


© 2024 Professional Security Magazine. All rights reserved.
