Security Risks Associated with Social Media within an Organization
There are considerable risks associated with social media. The biggest, I think, is the potential exposure of confidential information that should be protected. The risk covers not only what employees do with social media applications as part of their work but also what they do on their ‘personal time’ using social media from the workplace. All of this falls under the litigation umbrella, and all information is fair game in lawsuits, regardless of whether it is ‘personal’ or ‘business’. As long as it was created using corporate resources, the organization is liable.
The simple response is to train employees on the risks, on their obligation to protect corporate information, and on the corporate guidelines covering the use of their own social media applications while in the business setting. Social media (and even emails) can be exploited and used in cyber security crimes, often bringing down organizations as well as negatively impacting the organizational brand.
What if I put on my Facebook page that my boss is a jerk and continually lies on his expense reports, and he just happens to be head of Finance? Or that I found errors and inconsistencies in a financial report and he/she wouldn’t change them? Facebook information is also considered fair game in litigation.
Is training enough? How can the organization reduce corporate risk and potential litigation, non-compliance, and data exposures? We do have a solution, in that we can identify any organizational descriptors and concepts as content is ingested or created, segregating and securing any information the organization considers confidential. This renders it unavailable internally as well as externally and, once it is secured, prevents it from being taken and placed on a thumb drive or other device.
But not all organizations use our technology. Some security applications will identify social security numbers and other information related to PII and PHI, but most are not flexible enough to address an organization's specific security challenges, which change as the business changes. None can identify the concepts from within content and apply them to security rules.
Does your organization address this, or is it waiting for the accident to occur first? What limitations have you found in your security processes?