Safeguarding use of social media in the enterprise

While organisations are keen to flex their social media muscles beyond the traditional applications of marketing and communications, the risks of providing staff access to Web 2.0 in the workplace are holding many back. CEO John Fison outlines how Australia’s Netbox Blue is seeking to safeguard the new platforms whether on or off the company network.

There is no doubt 2011 promises to be an interesting year for uptake of corporate social media. Whilst marketing and communications retain their dominance as the main reason companies use social media, there are new priorities emerging in customer service, employee engagement and product development.

Web 2.0 monitoring has leapt to front of mind for many information professionals in 2011 with the move by the Victorian Government to legislate against workplace “cyber-bullying.”

Workplace bullying is also covered under the Occupational Health & Safety (OH&S) Act, and the responsibility to provide a safe workplace still rests with the employer. Company directors may be held personally liable if bullying is found to have occurred and they have turned a blind eye.

Companies that embrace and allow social media must also be aware that they can be found liable for something posted by an employee, even when they’ve done it at home.

To deal with this issue, Australia’s Netbox Blue has developed a platform called SafeChat. This evolved from the anti-cyber bullying features of the Netbox education solution, an appliance originally developed for schools around Australia that provides keyword scanning on internal and external email, as well as a host of other features. Netbox solutions include a range of security and internet and email filtering and management features in one appliance.

The SafeChat platform is designed to identify the most common forms of social media communication and moderate these in real-time according to organisational policies. The technology is incredibly flexible and can provide separate policies for different groups – for example allowing more open access for marketing as opposed to a finance department.

In addition, rules can be set to allow staff to access their Facebook site, or other social media applications, at agreed times of the day, such as lunchtimes. Many firms also use the technology to apply corporate disclaimers to social media messages, in the same way as most companies do with company email, to avoid liability and confidentiality issues arising. We have developed a concept called the Borderless Internet Compliance (BIC) framework to allow organisations to implement social media policies on devices wherever they are located.

The system works in two ways. Firstly, all traffic on the organisation’s network is filtered through the gateway Netbox appliance, and the common social media applications are managed and moderated in real-time. This prevents any inappropriate communications from being posted, for example on Facebook or Twitter, from any device using the corporate network. This applies to PCs, iPhones, other smartphones and tablet devices.

Secondly, as many workers now use mobile devices such as laptops or MacBooks outside the network (on WiFi, 3G or home networks), a local agent can be deployed on the device to provide the same level of control over social media use, with full alerting back to designated managers or administrators. Policies can be flexibly updated, and for mobile workers these new policies are pushed out to the device by the centralised management system.

So whether you are plugged into the company network, or using a company device on an external network, SafeChat is able to undertake real-time management and moderation of the most popular social media channels, allowing companies to control the language, to block bullying and other anti-social or reputation damaging communications.

Most companies now are realising that the workplace is borderless and, with mobile workers and staff accessing email and other work-based applications away from the office, that their Acceptable Use Policies need to govern the employees’ communications, no matter where or when they make them.

With the risks of bullying, data leakage, discrimination and reputational damage rising by the day, staff have to understand that what they post on Facebook at a weekend about their boss, their employer or their products may well have legal repercussions.

Social networking, instant messaging and other Web 2.0 type communications are now an integral part of education and business. Yet they have also become the ‘virtual toilet wall’ of the modern world – a place for anyone to get their grievances off their chest, bully other students, teachers and to criticise colleagues. SafeChat enables administrators to control the language used on popular sites to dramatically reduce bullying and other anti-social communications.

SafeChat also enables administrators to prevent people posting negative comments about their school or business. In this way, SafeChat can help avoid reputational damage.

SafeChat scans the traffic stream on popular Web 2.0 applications against a highly customisable list of dictionaries to determine what action may need to be taken.  Communications can be blocked and an administrator, business manager or principal can be alerted about any policy breach.
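The per-group policies, agreed access times and dictionary scanning described above can be pictured with the following added example. It is not Netbox Blue's code; the group names, dictionary contents, action names and function names are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import time

# Constructed sample dictionaries (assumption); real lists would be far larger.
DICTIONARIES = {
    "bullying": ["loser", "idiot"],
    "confidential": ["project falcon"],
}

@dataclass
class GroupPolicy:
    windows: list       # (start, end) times when social media access is allowed
    dictionaries: list  # dictionary names enforced on this group's posts

# Hypothetical per-group policies: marketing is open all day, finance at lunch only.
POLICIES = {
    "marketing": GroupPolicy([(time(0, 0), time(23, 59, 59))], ["bullying"]),
    "finance": GroupPolicy([(time(12, 0), time(13, 0))], ["bullying", "confidential"]),
}

def find_hits(text, dictionary_names):
    """Return (dictionary, term) pairs found in text as whole words or phrases."""
    hits = []
    for name in dictionary_names:
        for term in DICTIONARIES[name]:
            # \b anchors stop "loser" from matching inside "closer".
            if re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
                hits.append((name, term))
    return hits

def evaluate(group, now, text):
    """Decide what to do with one outgoing post; returns (action, hits)."""
    policy = POLICIES.get(group)
    if policy is None:
        return "block_no_policy", []          # default deny for unknown groups
    if not any(start <= now <= end for start, end in policy.windows):
        return "block_outside_hours", []
    hits = find_hits(text, policy.dictionaries)
    if hits:
        return "block_content", hits          # caller should also raise an alert
    return "allow", []

if __name__ == "__main__":
    print(evaluate("finance", time(12, 30), "Status of Project Falcon?"))
```

Whole-word matching matters in practice: plain substring checks generate false alerts on innocent words, which quickly erodes trust in the alerting.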

One of Queensland’s largest independent schools, John Paul College, is one of the first to make use of the new technology.  SafeChat is deployed on the school network and on the school’s 2000 laptop computers. If a student uses inappropriate language in an email or on a Facebook account, SafeChat detects it, blocks the offending words and alerts the school the instant it occurs.

Kathryn Priol, Director of ICT at John Paul College says Netbox Blue’s technology enables the school to protect students in a way that simply was not possible before.

“The chances of a cyber bullying incident occurring are now greatly reduced, which is reassuring for students, staff and parents,” Ms Priol says.

Companies themselves share some of the responsibility, as many employees are often unaware of the consequences of posting to social media sites. Despite the fact that 54% of companies use social media sites such as Twitter, Facebook and LinkedIn, 75% of employers reported that their business did not have a formal policy regarding the on-the-job use of social networking sites, while 20% reported that they did, according to the 2010 report Employer Perspectives on Social Media.

There are many other areas of genuine concern, not the least being the potential for productivity loss from staff wasting time on Facebook instead of doing their job.

It is understandable that the natural inclination, given the risk level, would be to block access to social media sites. In fact, it is estimated that more than 60% believe this is the way to go.

However, it is not a matter of simply opening the floodgates to give employees uncontrolled and unfettered access to social media sites.

The sensible approach for businesses is to identify and understand the risks, and to develop a social media strategy that includes a Legal and HR framework. For instance, businesses should review all employment contracts and include terms obliging employees not to disparage their employer, both during employment and after it ceases.

You will need a social networking policy that explicitly lays out what is and isn’t permissible for employees, both on the company’s network and outside of it if they’re presenting themselves as representatives of the company. However, 75% of companies have no formal social media policy or guidelines.

Media monitoring should be set up with Google Alerts and other tools or services to provide real-time monitoring of blogs, forums, Twitter and other social networking sites. This will enable you to respond to positive and negative comments quickly and decisively as well as to take any legal action required.

In order to take advantage of social networking, companies of all sizes need to create policies and guidelines to regulate social media usage at work and to educate their employees about defamation, sexual harassment and copyright infringement. They also need to explain the penalties for uploading offensive comments, downloading inappropriate content or using social networks as a vehicle for bullying, discriminating against or intimidating others.

Companies need to audit their technology solution to ensure that it addresses the new threats that Web 2.0 technology poses.

Employees are no longer tied to the office and the desktop computer - they are mobile; the office is anywhere there is a 3G or Wi-Fi connection; they connect to the Internet and download content to mobile phones, laptops and iPads; they communicate using email, instant messaging, text and any number of social media applications.

It is therefore important that your technology solution can monitor and control any company-owned Windows or Mac OS device, whether it is on or off the network.

New and innovative technologies will go a long way to reducing the risks and concerns many businesses have with social media.

These new technologies need to protect businesses from growing cyber criminal attacks, malware, identity theft, and intentional and unintentional data leakage.

They should also provide detailed reporting and alerting capability. Users should be able to access reports via a web browser or have them emailed to them automatically. You should also be able to set up real-time alerts to inform administrators or managers when rules or policies have been breached.

Web 2.0 security checklist

It is important to review your current technology infrastructure to ensure that it works with Web 2.0 technology as many traditional IT security and control technologies simply do not address the risks associated with accessing content in real time via social networking sites.

Network firewalls provide little protection, as Web 2.0 relies primarily on standard HTTP and HTTPS protocols that simply can’t be blocked without cutting off Web access. Gaming, instant messaging or peer-to-peer services can be launched from a USB device and are applications rather than websites. These need controlling at the application level rather than by traditional and often outdated web filtering technologies.

• Ensure that current security and filtering technology can inspect HTTPS sites as most sites now have secure versions of their websites that staff can access without detection.
• Traditional anti-virus is limited to inspecting file transfers and many of the greatest “drive-by” threats encountered today are contained in browser scripts that are invisible to anti-malware filters.
• Web reputation services alone are ineffective as some of the most valuable sites on the Web, such as Google or Yahoo, have fallen victim to hosting malicious code, and simply blocking access to these sites is not an acceptable answer for most businesses.
• Simple URL filtering that blocks objectionable or time-wasting content based on the home page address of the Web site no longer works when sites now commonly aggregate information from multiple sources.