Social networking lands on compliance ‘to do’ list

As enterprise employees augment the traditional forms of social networking tools with newer platforms – wikis, blogs and message boards – these too enter the realm of regulatory compliance and privacy.

While there may be awareness of the need to monitor and control communication channels like chat and e-mail, this may not be the case with new tools that have permeated the enterprise, said Adel Melek, global leader of the security and privacy practice with professional services firm Deloitte.

“There is not as well a developed level of maturity in terms of the understanding of these new forms,” he said.

The risks inherent are damage to reputation and brand, leaks of intellectual property and other forms of confidential data such as customer lists and business news about mergers and acquisitions, he said.

Those organizations that are proactive around eliminating risk are generally those that have experienced mishaps before; otherwise, the level of concern is pretty low, said Francis Ho, an executive committee member with the Toronto, Ont.-based Federation of Security Professionals.

“It’s analogous to new technology coming in and the executives eventually become aware and focus in on that, but then the technology will have moved on to somewhere else,” said Ho.

Although the level of cognizance is in general relatively weak around newer social platforms, corporations are beginning to understand the associated negative repercussions, said Brian Babineau, senior analyst with Milford, Mass.-based analyst firm Enterprise Strategy Group.

“They are starting to realize that these can be used as a great means of sharing information but they can also pose risks if there is no editorial process around what happens.”

An editorial process is a proactive way enterprises can attempt to exert control over such platforms both internally and externally, he said. For instance, published material should first be put through analysis and approval for inappropriate content.

Another way is to use software, such as data loss prevention tools, that can stop confidential information from leaving the organization. He recommended enterprise search software and semantic tools to scan the internet and intranets.

A social media monitoring software product by Rochester, N.Y.-based social media management company Techrigy Inc. aims to help enterprises monitor external blogs, and internal blogs and wikis. “As this new form of communication becomes more and more mainstream, people are just going to have to start listening to it,” said the company’s president and founder, Aaron Newman.

The software addresses challenges of monitoring content, he said, such as legal liability when an employee inadvertently releases confidential information, and performing competitive research and reputation management from user comments about the company’s products or even those of a competitor.

When monitoring internally, the software sits on corporate servers, runs 24/7, and is accessed via a Web-based interface. External search entails creating a profile on Techrigy’s secure data centre where users can specify search terms. Results are then conveyed through reports and e-mails.

That genre of monitoring tool has a lot of potential and makes a lot of sense to Ho, who noted that manually monitoring some 2,000 blogs out there can be a daunting task.

Implementing monitoring software or outsourcing the task to a third party is a good move, agreed Melek. However, there should be a “layered approach” that starts with corporate policy. The policy, he said, doesn’t necessarily have to be specific in terms of naming particular sites, but it should be descriptive enough to avoid ambiguity.

Next is an awareness of the associated risks of divulging confidential data on social networking sites. And then, enforcement of the policies when employee behaviour is out of line.

Despite this, monitoring and controlling internal blogs and wikis proves easier to do than on external platforms, said Babineau. Actually, the biggest risk he foresees is not with compliance, but with the sharing of intellectual property on wikis and blogs.

Managing the issue of regulatory compliance and privacy doesn’t fall entirely to the IT department, said Babineau. IT selects and implements the appropriate tool; however, the initiative is generally kick-started and championed by a business leader, public relations and risk officers.

Melek agreed: policy and awareness, depending on the organization, are typically the domain of human resources, compliance and privacy.
