Why You Need to Focus on Social Networking in Your Company

Transcription

1 y Why You Need to Focus on Social Networking in Your Company An Osterman Research White Paper Published July 2010 SPONSORED BY #$!#%&'()*(!!!!!"#$!#%&'()*( Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington Tel: Fax:

2 Executive Summary THE UPSIDE AND DOWNSIDE OF SOCIAL NETWORKING Social networking tools like Twitter, Facebook, LinkedIn and many others fill an important gap in electronic communication and information delivery: they allow the broadcast of information in ways not practical with or other collaboration tools, while at the same time allowing a highly granular push and pull model of information delivery, such as rapid back-and-forth dialogue between employees, customers, etc. These tools can be used to build a brand or a company s reputation, monitor perceptions about a wide range of issues, disseminate information, demonstrate industry expertise, and build brand loyalty. Social networking permits individuals to share information and companies to gain competitive advantage in ways not practical or possible with other tools. However, social networking tools used in a corporate context also pose an enormous liability on a number of fronts: These tools make it incredibly easy for individuals to share confidential, sensitive or otherwise private information, both inadvertently and maliciously, potentially violating privacy or other laws. Similarly, they make it easy for employees to post slanderous or libelous content about fellow employees, a company s management, its clients and others. They are another avenue through which business records can be created and in the absence of good archiving tools lost, leading to e-discovery, legal hold, evidence spoliation and other problems. The absence of good security defenses that are devoted specifically to monitoring social networking protocols can offer hackers and other malicious types yet another means to introduce malware into an organization. An inability to link identities from social networks to a corporate identity can pose significant problems from a risk management perspective in the context of things like e-discovery and regulatory compliance. For example, a post to a social networking site by a registered representative is considered by FINRA to be a public appearance 1 a securities firm employing the representative must be able to accurately identify who has made the post. KEY TAKEAWAYS Social networking tools offer substantial benefits to individuals and organizations, but they must be managed properly. Decision makers must understand the risks and benefits from the use of social networking tools in general and also from the specific tools that might be of value. They must develop granular policies about their use and implement the means to enforce these policies. They must also implement the systems that will monitor, review, block and archive social networking content; all while ensuring that social networking can be used in as friction-free a manner as possible Osterman Research, Inc. 1

3 ABOUT THIS WHITE PAPER This white paper presents IT and business decision makers in organizations of all sizes an overview of the benefits and problems inherent in social networking, what they should consider doing to address these problems, and some practical things to consider as they seek to protect their organizations from unfettered use of social networking. Finally, it offers an overview of Smarsh, the sponsor of this white paper. The Growing Use of Social Networking SOCIAL NETWORKING USE IS GROWING RAPIDLY The use of social networking tools, both for corporate and personal use, is increasing at a rapid pace. For example: As of early June 2010, there were 190 million users of Twitter, each of whom post an average of 10.3 tweets per month 2. In February 2008, Twitter had 475,000 unique visitors 3, an increase of 400 times in just 28 months. Also as of June 2010, there are 519 million users of Facebook 4, up from 20 million unique visitors in February , an increase of nearly 26 times during the same period. As of May 2010, LinkedIn a primarily business-oriented tool had 65 million users 6, up from just one million in September Further, Osterman Research has found that corporate users spend an average of 18 minutes on a typical workday using social networking tools, or about 4% of their workday 8, as shown in the following figure Osterman Research, Inc. 2

4 Minutes Spent per User per Day Employing Various Communication Tools SOCIAL NETWORKING OFFERS A NUMBER OF IMPORTANT BENEFITS While much has been made of social networking tools being used to announce what individuals had for breakfast or distributing other fairly trivial content, these tools are actually being used for real world business applications. For example, social networking tools can be used for a variety of business purposes, such as generating new business, making product announcements, distributing company information, establishing industry expertise with a group of prospects, managing a brand, monitoring user opinions or consumer sentiment, and so forth. Social networking tools provide a unique channel for receiving and disseminating information that other media simply do not offer..but IT ALSO INCREASES OVERALL CORPORATE RISK Despite the many benefits of social networking and the unique opportunity it offers to gain competitive advantage, educate prospects and the like, it also increases corporate risk substantially. For example, among the risks that organizations face when their users employ social networking are the following: Unauthorized sharing of sensitive or confidential information Consider the following tweets from early July 2010 (tweeters names removed): o o work is getting fired next month...i wanna tell them, should I, jobs r hard 2 come by, and I think they need a heads up, HELP!!! I love to see when my boss is drunk and its 8:30 pm (@ [COMPANY NAME REMOVED]) [MAP TO COMPANY LOCATION REMOVED] 2010 Osterman Research, Inc. 3

5 Inappropriate comments made by employees Employees will at times make comments using social networking tools that could reflect poorly on their employer. For example, in early 2009, an employee of Ketchum, a public relations firm, used Twitter to post some derogatory comments about the city of Memphis shortly before presenting to the worldwide communications group at FedEx Memphis largest employer. An employee of FedEx discovered the tweet, responded to the tweeter, and then copied FedEx s senior managers, the management of FedEx s communication department and the powers that be at Ketchum 9. Identity management An organization that cannot prove the identity of individuals purporting to be representatives of their company, or that cannot tie social networking identities to corporate identities, faces significant risks from a compliance perspective. Another venue for malware infiltration Social networking tools, by virtue of the fact that they use newer techniques like short URLs, can allow malware to enter a corporate network in ways it could not via or the Web. Also, the growing availability of third-party applications for which there is no quality assurance testing or the like, such as many of the 40,000-plus applications available on Facebook, increases malware risk. Business records lost that should be retained Social networking posts sometimes contain business records that should be retained. For example, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice in January 2010 that requires retention of relevant posts to social networking sites made by broker-dealers. Local governments that make announcements on social networking sites will often need to retain this content as part of sunshine or freedom-of-information laws. Some courts have already begun using posts to social networking sites as part of e-discovery proceedings 10. Organizations cannot rely on social networking site operators to retain posts. For example, Facebook retains content only for 30 days, Twitter retains only the last 3,200 tweets, and so forth. Clearly, organizations must retain data and they cannot rely on social networking operators to do this for them. Most organizations today do not have the ability to capture relevant content from social networking sites and retain it for long periods as many do for other types of business records. Nor do they have the ability to monitor employee posts to social networking venues to check for inappropriate content that could result in a lawsuit or quash a merger or damage their corporate reputation. The result is that organizations are increasingly at risk as the use of social networking tools continues to grow. This risk is multi-faceted and includes the potential spoliation of evidence, a failure to prevent sexual harassment between employees, charges of libel and other quite negative consequences. It is also important to note that there are thousands of social networks in use the problems discussed in this white paper are not limited just to Twitter, Facebook and 2010 Osterman Research, Inc. 4

6 LinkedIn. For example, Orkut is the most widely used social network in Brazil, Skyrock is the most popular in France, and bulletin board systems are the most popular social networking tools used in China. In short, the growth of social networking has far outstripped decision makers awareness of the risks they face from its use, as well as the technologies that have been implemented to address the risks. And, the problem has been compounded because much of the growth in the use of social networking tools has occurred during a period in which IT budgets were being cut and decision makers attention has been focused elsewhere. Social Networking is Too Important Not to Manage DECISION MAKERS CAN NO LONGER IGNORE SOCIAL NETWORKING Clearly, decision makers can ignore the risks of inappropriate use of social networking tools only at the risk of facing enormous legal judgments, regulatory compliance problems, or significant damage to their corporate reputation. On the flip side, they cannot avoid the use of social networking tools, particularly in highly competitive industries, because these tools offer the opportunity to win new customers, derive additional revenue from existing customers, position a company in a new market, etc. The bottom line is that social networking is now too important not to be considered carefully by corporate IT and business decision makers. HOWEVER, MOST ORGANIZATIONS DO NOT HAVE POLICIES OR TOOLS FOCUSED ON MANAGING THE USE OF SOCIAL NETWORKING Osterman Research has discovered that most organizations either have no policy focused on the use of social networking tools, or whatever policies that do exist are relatively basic. For example, as shown in the following figure, the three leading social networking tools used in corporate environments are the three tools least governed by any sort of corporate policy Osterman Research, Inc. 5

7 Existence of Policies for Various Communication and Social Networking Tools (% of Organizations That Have Established a Policy) Many decision makers have not bothered to establish policies for use of social networking tools in large part because a) they often underestimate the penetration and reach of these tools in their organizations, and b) they simply don t realize the risks associated with unmanaged and unfettered use of these tools. This puts organizations at serious risk, as discussed above. Further, the lack of policies focused on appropriate and inappropriate use of social networking means that organizations have not taken the critical step necessary for them to implement the right tools and procedures for managing the use of social networking without policies, it is virtually impossible to deploy and manage the right systems, since these system exist simply to enforce policies. SOCIAL NETWORKING MUST BE PROPERLY MANAGED There are three things that any organization should do in the context of managing social networking in their organization: Monitor content posted by representatives of the organization Organizations should monitor all posts to externally facing social networking sites like Facebook, Twitter, LinkedIn, etc. These posts can contain a variety of sensitive content, such as information about an impending merger, upcoming layoffs, the identity of a new customer, a recently discovered technical problem in a product, or 2010 Osterman Research, Inc. 6

8 other content that senior management may not want publicly divulged. The principle that should be used in managing social networking content should be largely the same as that used for any type of data leak prevention as it applies to , instant messaging and other electronic tools. Monitor content sent within the organization Information that is sent using internally facing social networking tools, such as Lotus Connections or Microsoft SharePoint, should also be monitored closely for content that could be harmful. As with other electronic communication tools, employees can send racially or sexually offensive content to one another, they could share trade secrets internally that should not be distributed to employees without appropriate clearance, or they could make statements about other employees that could violate privacy requirements. Further, some industries have strict regulatory obligations to limit the transfer of certain types of information between different operations within a company. For example, in a vertically integrated energy company, Federal Energy Regulatory Commission (FERC) Order No. 717 requires companies to create an ethical wall between the transmission and marketing functions of their business. Similarly, various laws focused on the financial services industry exist to prevent inappropriate communication between research and trading operations. Archive business records contained within social networking posts It is also critically important to retain relevant content within social networking posts for purposes of regulatory compliance and e-discovery, as well as for internal demands for things like informal early case assessment. Because a tweet/retweet, Facebook post or LinkedIn testimonial can contain a business record, there is no distinction between this type of record and one contained in an or instant messaging conversation. Further, because most social networking tools forward notifications to , there is a good chance that an organization s social networking content is being stored in other organizations archives. An organization s retention of relevant social networking content clearly demonstrates appropriate management of its electronic records. As discussed above, FINRA codified the requirement to retain relevant social networking posts in Regulatory Notice That document reads, in part, Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule A Four-Step Plan for Managing Social Networking Osterman Research recommends that any organization that is using or is considering using social networking capabilities of any kind undertake a four-step process for protecting against the risks associated with the use of these technologies, while at the same time maximizing the value they derive from them Osterman Research, Inc. 7

9 UNDERSTAND HOW AND WHY SOCIAL NETWORKING IS USED It is important for any organization to understand how and why social networking is used in the organization. For example, if the only use of these tools is personal, that will have different ramifications for the technologies that are deployed to monitor and archive content than if social networking is used for established business purposes. Consequently, IT should conduct a thorough audit of how social networking is used, which tools are used, why they are used and so forth. This audit should also include a forward-looking focus on how these tools might be used in the future, how competing firms are using these tools, and new capabilities that might be employed in the future. It is important to note that there may be a significant disconnect between what IT perceives as a legitimate application of social networking and what individual users or business units perceive as legitimate. The goal, of course, is to balance the competing interests of both groups and derive the greatest benefit from the use of social networking while still remaining compliant with corporate policies and security requirements, which could include: Marketing, communications, PR teams and spokespeople who want the ability to post commentary, create events and utilize the full functionality of social networks. Corporate users, such as Human Resources and legal staff who need to research new hires and investigate shared content. Regulatory compliance teams who must not only maintain records of shared content and activities, but also approve and moderate subject matter. Employees who utilize social networks to prospect for business, network with customers and partners and collaborate with suppliers. UNDERSTAND THE RISKS OF INADEQUATE MANAGEMENT Next, it is important to understand the consequences that can result when social networking content is not monitored, when business records in social networking posts are not retained, and so forth. It would be appropriate at this phase of the evaluation process to understand the potential consequences associated with not managing social networking use adequately. For example: If employees want to discuss work conditions or complain about their benefits, for example, employers are not permitted to interfere with these communications according to rules codified in the National Labor Relations Act. This means that employers must tread a fine line between monitoring and blocking social networking for inappropriate use or sharing of content in an inappropriate way and preserving the rights of employees to share information. Further complicating the issue is the need for multinational organizations to satisfy the diverse requirements of each territory in which it operates. If business records or actionable information are sent via social networking tools, management s decision to purge this content could be seen as spoliation of evidence in a lawsuit. For example, if management decides not to preserve sexually harassing 2010 Osterman Research, Inc. 8

10 direct messages sent using Twitter, a party offended by this content that takes legal action may be entitled to access the archives of these posts as part of an e-discovery exercise and could claim spoliation in their absence. The ramifications of spoliation can be substantial and include fines and sanctions imposed by the court, the requirement to pay the prevailing party s legal fees, attorneys costs for additional motions, and other serious consequences. The US Federal Trade Commission has issued a ruling that restricts organizations use of testimonials by bloggers, if bloggers have been paid to endorse a product, and so forth. Somewhat related to the point above is that investment advisers cannot be the beneficiary of a testimonial or recommendation on LinkedIn because of the potential violation of Rule 206(4) of the Investment Advisers Act of This rule makes it illegal for an investment adviser to publish or benefit from an advertisement or testimonial that deals with their conduct as an adviser. Registered representatives are subject to scrutiny when they post content on social networking sites, including monitoring of their posts and retention of their communications. IMPLEMENT POLICIES FOCUSED ON APPROPRIATE USE OF SOCIAL NETWORKING The next requirement is to implement policies that will attempt to strike the appropriate balance between employee freedom to communicate via social networking tools, the business benefits that will come from the use of these tools, compliance with industry regulations, and advice from legal counsel. Considerations for these policies include: Policies about the use of social networking tools should be part of an overall messaging and communication policy that covers the use of corporate , personal Webmail, instant messaging, collaboration workspaces, cloud-based storage tools and any venue through which individuals might share corporate information. Sufficient granularity should be included so that differing roles within the organization are clearly subject to different policies. For example, energy and securities traders should have different rules about their use of social networking than clerical staff, senior managers should be subject to different policies when communicating with external auditors than when they communicate with employees, formal communications that represent a company position should be subject to different scrutiny than personal communications, and so on. Policies should also include a detailed discussion about appropriate use of social networking tools, including requirements not to post sexually or racially offensive comments or images, not to include links to inappropriate Web sites, not to defame or slander others, not to post content that could run afoul of copyright laws, not to post personnel records or other sensitive information, and the like Osterman Research, Inc. 9

11 The specific tools that can and cannot be used should be specified clearly, preferably along with a rationale for the decision. Where appropriate and where possible, disclaimers should be included for communications like Facebook posts or blogs. Obviously, disclaimers will not be practical for tweets and other space-limited communication tools (unless, possibly, a short URL is included that points to a corporate disclaimer). Policies should clearly spell out that management reserves the right to monitor employee communication via social networking, when it has the right to act on this information, and that content may be retained for an indefinite period. Policies should also spell out the corporate reaction to and consequences of a breach of policy. DEPLOY THE RIGHT TECHNOLOGIES Finally, any organization should deploy technologies that will do the following: Monitor posts Monitor employee posts on every social networking protocol that might be used. This monitoring may be after the fact, such as sampling employee posts to check for inappropriate content; or it might be in real time to monitor posts before they leave the organization. Control the use of unauthorized tools Osterman Research has found that while many IT decision makers oppose the use of specific social networking tools or at least find them not to be legitimate for use in a business context, far fewer actually do anything to prevent their use. Archive and log content Archive and log all relevant content that might constitute a business record and that might need to be retained. It is generally easier to simply archive or log all social networking content than take the risk that some important content might slip through and not be retained, but this will depend to a large extent on the industry in which an organization operates and other factors. A key part of content logging is to ensure that the identity of the individuals who use social networking tools is clear and that content can be tied back to their corporate identity. Most organizations will want to integrate their social networking archive with their primary electronic content archive. This makes legal holds, as well as searching across all electronic content during early case assessment and e-discovery, much easier and less time-consuming. Block threats It is also vitally important to block threats that can enter an organization through social networking tools. This is particularly important given a) the widespread use of short URLs that offer the user no visual cues about the veracity of the link, and b) the fact that many social networking tools can display content provided by 2010 Osterman Research, Inc. 10

12 individuals to whom users have not given permission to display posts. One of the key problems with social networking from a security perspective is that these tools are generally less well defended than more established tools like . Given the rapid increase in the use of many of these tools, many IT departments are scrambling to keep up with the rapid growth of social networking tools, leaving organizations vulnerable to malware infiltration. For example, an Osterman Research survey conducted during May 2010 revealed that 12% of mid-sized and large organizations in North America had been the victim of malware infiltration during the previous 12 months, while 9% of organizations had had sensitive or confidential information accidentally or maliciously leaked through a social networking or Web 2.0 application 12. Sponsor of This White Paper Smarsh 921 SW Washington St. Suite 540 Portland, OR encryption. Smarsh provides hosted solutions for archiving electronic communications, including , instant messaging and social media platforms such as Facebook, LinkedIn and Twitter. Founded in 2001, the company helps over 10,000 organizations manage and enforce flexible, secure and cost-effective compliance and records retention strategies and mitigate risk. Smarsh also offers integrated modules within its archiving suite for classification and policy management, data-leak prevention and All services are centrally administrated through the Web-based Smarsh Management Con-sole. Permissioned administrators can review electronic communication, implement classification, DLP and encryption policies and produce selected data on-demand. All actions taken through any component of the suite are audited and logged, and customizable reports on system usage and message/system audit history can be produced on-demand. The SaaS (software as a service) delivery model enables clients to eliminate IT infrastructure costs and minimize operating burden, while benefiting from Smarsh expertise in hosting large volumes of mission-critical client data. For more information, visit or follow Smarsh at Osterman Research, Inc. 11

13 2010 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL Unpublished Osterman Research survey data, May Source: Messaging and Web Security Market Trends, ; Osterman Research, Inc Osterman Research, Inc. 12