Allowing access to social networking sites can open businesses up to a plethora of security risks. The key to success, Forrester Research says, is a strong acceptable use policy. Here's how to craft one.
It's a Catch-22 for many companies and IT departments: Allow access to social media sites such as Facebook, Twitter and LinkedIn, and the company is opened up to malicious content, phishing schemes and account hijackings. Block all social media sites, and the business risks losing young talent to competitors or will challenge employees to find workarounds. Which can be equally dangerous.
But because IT execs don't own these social networking sites and thus have no influence in enforcing strong passwords and vulnerability management, the key to achieving a safe compromise, a new Forrester Research report says, is focusing on what IT execs can influence: a corporate acceptable use policy.
Policies should encompass the following five questions, according to Forrester's report: To Facebook or Not to Facebook. Additionally, companies have to take into consideration whether these policies extend to remote groups outside the corporate network—such as remote workers and contractors—and if so, under what conditions these policies would be in effect.
1. Do all employees need the same level of access to social networking sites? Most likely, the report says, the answer is no. Marketing and sales, for example, may require more liberal policies if they're regularly posting videos and tweeting; a policy for the finance or sales departments, however, may need to be more restrictive. It's important to consider the company culture when writing the policy—how liberal or restrictive is it in terms of personal computing in the workplace?
2. Is there a need for employees to download software? Third-party Facebook applications, for example, can present security risks, so if the company allows access to the site, consider blocking the ability to download software from it. "This will of course dilute the social networking experience, but in many ways, it's an acceptable compromise for workplace access," the report says.
3. Should there be "anytime, anywhere" access? Finding the balance between personal use of social media and workplace productivity is the key. Do executives trust employees to use their best judgment, or does the company want to enforce a stricter monitoring method such as bandwidth-based limitation on social networking sites?
4. What information are employees allowed to post? Microblogging poses a potential data leak threat to corporations, so executives and IT policy have to make it clear what they consider inappropriate for employees to post to public social networks. Also, be very specific about corporate proprietary information, confidential data and seemingly innocuous updates that could infer sensitive information, the report recommends.
5. What are the consequences for policy violations? Consequences will most likely vary depending on the violation and the circumstances. Be sure to clearly articulate what the violation penalty will be, if any. "For instance," the report recommends, "violation of a data loss policy may incur a heavier penalty than those who simply waste time social networking. Often, the simple statement of a penalty is enough to deter reckless behaviors."