
One of my clients is looking at allowing their employees to access Twitter and Facebook from work. I have highlighted the need for training, and I have material to present, but what do you think should be covered?

  • disclosing customer data
  • disclosing internal operations/employees
  • social phishing
  • malicious link awareness
  • and ...

What would you think of a 'watchdog' policy, where if someone wants to use Facebook at work, a member of IT Security is 'friended/followed' so that there can be oversight? This would require HR feedback, to be sure, but it might give an employee pause to know that a co-worker is looking out for them (we do have access to their email and browsing histories ....).

schroeder
  • You should also consider legislation on these subjects. For example, some of these proposed policies are illegal due to privacy infringement. Even keeping e-mail and browsing history can be a privacy infringement if the employees are not informed beforehand and strictly forbidden to use their office PC for personal use, as it has become quite common to also use your office e-mail address for personal e-mail. (Disclaimer: truth of statements may vary depending on jurisdiction.) – Legolas Mar 19 '12 at 15:06
  • I would like to choose an answer, but both D.W. and Ninefingers have decent answers. I'm going with D.W. for reminding me about having multiple twitter accounts, but I took away value from both of them. – schroeder Jun 29 '12 at 03:30

2 Answers


Twitter and Facebook are very different. Many people successfully use Twitter for professional activities: either tweeting, or following others. If you are tweeting, it is easy to set up a separate Twitter account for your professional life, to keep work and personal life separate. I think your client should probably allow people to use Twitter for their professional work. Offering training is not a bad idea.

Expecting employees to let someone from HR friend them on Facebook, though, raises a whole host of issues. I do not recommend going there.

D.W.
  • I'm aware of the potential pitfalls of allowing a Security member to be friended on Facebook, but if the policy is to use Facebook for professional reasons only, and the user sets up 'lists', it might be an attractive option to solve a couple of problems. – schroeder Mar 15 '12 at 19:33
  • +1 setting up separate twitter accounts wasn't something I thought of, silly me. – schroeder Mar 15 '12 at 19:33
  • @schroeder, yeah. Unfortunately Facebook terms of service prohibit setting up two separate Facebook profiles for yourself, one for your professional life and one for your personal life, so that trick doesn't work for Facebook. – D.W. Mar 15 '12 at 21:09

What would you think of a 'watchdog' policy, where if someone wants to use Facebook at work, a member of IT Security is 'friended/followed' so that there can be oversight?

I can't help but feel this misses the point slightly. Firstly, although not necessarily true of Twitter, other social networks such as Facebook/LinkedIn offer much greater privacy options such that I, your employee, could trivially hide my misdemeanors from the HR watcher.

The second issue I wanted to raise was the fact you've tied having a facebook/twitter account to "at work". Facebook and twitter can easily be used both at home on company accounts and at home on home accounts to damaging effect.

For example, the following scenarios aren't covered by what you propose:

  • Discussing customers/clients between friends/colleagues on personal facebook accounts from home.
  • Responding to queries from competitors on LinkedIn.
  • Making unflattering remarks about your co-workers on a personal twitter account.

And so on. I guess the point I'm trying to get across is that whilst use at work provides a slight additional pure-IT risk (malicious code), inappropriate use of social networks by employees could put your business at risk whether or not you ultimately decide to allow it in work.

If these are company twitter/facebook accounts you're proposing, or ones especially created for individuals for the company, then whilst they may belong to the individual in a sense, they are still company resources that should be monitored appropriately. You shouldn't need to follow the account to monitor it; any sufficiently authorised member should be able to log in and audit the account.

Ultimately, I think if there is a risk to the business from corporate espionage or damaging coverage on social networks (due to say, being a high profile client) I'd be inclined to implement some form of safety training anyway. I've worked at two organisations that had such courses for the more general "using the internet" scenario.

I'd also say check your employment contracts to ensure they include the standard clauses about protecting intellectual property and business image - most do.

To be clear: I'm not actually saying don't use these resources - let's face it, at least someone in your organisation, if it is of any size, will probably be controlling the twitter account. They're a great resource for promotion.

  • Yes, your points make sense, and I had already considered that anyone at any time could use their personal devices to say anything about anything at any time, but the blurring of the lines between work and personal by using the same device within moments of doing work means there is not the inherent mental barrier between those two domains. Hence, I believe there is a greater risk of accidental disclosures. Intentional disclosures will occur regardless of legal clauses. I want to find an effective measure to create that barrier while permitting access. – schroeder Mar 19 '12 at 14:20