Were you scrolling through your Facebook or Twitter feed when you saw the CampusGuard newsletter arrive in your inbox? If you were, you are not alone. A study by the Ponemon Institute found that 60 percent of social networking users spend at least 30 minutes a day on these sites while at work.
Social media has become a major part of our culture and changed the way people communicate. As a result, the lines between people's personal and professional lives have begun to blur. Should employees be banned from accessing social media sites while at work? Should you be keeping track of what staff and faculty are posting and tweeting? Are they free to post anything on their social networks? What if it is information that pertains to your organization?
Your organization must effectively address the various privacy and information security risks that come along with the use of different networking sites. Below are several best practices to keep in mind:
Social Media Policy
Having a clearly defined social media policy is an important first step. This policy should cover employee use of organization-affiliated accounts as well as references to work-related topics made from personal accounts. It should outline acceptable use, legal requirements, allowed content, use of photos, use of branding/logos, records retention, copyright rules, etc. Much of the information that follows will also be included within your policy or related procedures.
Your organization will need to define exactly what information is considered sensitive or confidential, and what can be shared publicly. Based on the assigned tier of the information, the policy should then outline who is authorized to access it and how that information can be used or shared. You may need to have the policy specify “permission to share” certain data types based on staff role. For example, news of a new CFO should not come from a Chemistry undergrad who happens to be an intern in the Finance Department.
You may also want to define what can be shared on different social media sites. For example, is it acceptable for employees to include their affiliation with your organization and job title on a professional social media site like LinkedIn? Is the same information OK to share on a personal Instagram account? You may also want to have employees label their personal profiles to make it clear that their posts are their own and do not represent the position of the organization.
Acceptable Use
This is probably the most important component of your social media policy. You will need to proactively train employees and be very clear about what is considered proper use of organizational information. Be specific! Tell them what they can and cannot say about the organization on social networking sites. Employees should understand that posting sensitive organizational data or any personal information regarding staff, students, or patients is not allowed. Obviously, there should be no sharing of information that is covered by FERPA or HIPAA. You should also reinforce that offensive content such as racial, ethnic, sexual, religious, and physical disability slurs will not be tolerated.
For many employees, sharing their thoughts via social media has become such a normal part of daily life that they may not realize how information innocently posted on a social network or blog can cause reputational damage to themselves and/or your organization. Employees need to understand that when they identify themselves as an employee, they are in many ways representing the organization. Depending on the circumstances, your organization may also be accountable for an employee's social media postings. For example, if a professor hosts a class discussion board on Google+, the university could be negatively impacted by what is said within that discussion. Make sure your acceptable use policy outlines how social media can be used, what situations are acceptable, and what information may be shared.
Just Say “NO” to Oversharing
Remind employees to think before they post and never to post anything they aren't comfortable being made fully public; remember that comments can always be screenshotted, copied, or forwarded to others, regardless of privacy settings. Employees should keep a clean, professional online presence. This is especially important in higher education, as students will often follow institutional accounts or the social media accounts, blogs, etc. of their professors. Remind staff to be thoughtful about their content and always aware of their potential audiences.
Social Media Monitoring
It is possible to minimize your risk by keeping up with what is being said online about your organization. Actively monitoring your name (full legal name, abbreviations, common misspellings, etc.) helps to ensure that policy requirements are being followed and that sensitive information, if shared, is removed as quickly as possible. You can use Google Alerts or sign up for a monitoring service, as both will notify you when the organization's name is mentioned online. These services allow you to include key words or phrases to monitor for other specific combinations of words. Keep in mind that Google Alerts only covers pages Google indexes, so posts inside social networks are largely invisible to it; for those you need either the platform's own search or a dedicated social media monitoring service.
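To show what the keyword monitoring described above actually has to handle, here is an added example (not CampusGuard's tooling, and not part of the original newsletter) that scans a constructed set of posts for the institution's full name and abbreviations and flags any mention that also carries a sensitive identifier. The institution name "Example State University", its abbreviation "ESU", the student ID format, and the sample posts are all assumptions made for the example.

```python
"""Added monitoring example: find mentions of an organization in a batch of
social-media posts and flag mentions that also expose sensitive identifiers.
The organization name, ID formats and posts below are constructed for the
example and are not real data."""
import re

# Hypothetical institution name plus the short forms people actually type.
ORG_NAMES = ["Example State University", "Example State", "ESU"]

# Identifiers that should never appear in a public post.  The student ID
# format is an assumption for this example; adjust it to your own scheme.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "student_id": re.compile(r"\bstudent\s*id\s*[:#]?\s*\d{6,9}\b", re.IGNORECASE),
}


def build_name_pattern(names):
    """Word-bounded, case-insensitive alternation of the name variants.

    Longest variant first so 'Example State University' wins over
    'Example State'; the \\b anchors stop 'ESU' matching inside 'resume'.
    """
    ordered = sorted(names, key=len, reverse=True)
    body = "|".join(re.escape(n) for n in ordered)
    return re.compile(r"\b(?:" + body + r")\b", re.IGNORECASE)


def scan_posts(posts, names=ORG_NAMES):
    """Return one hit per post that mentions the organization.

    Each hit records the post id, the name variant that matched, and which
    sensitive patterns (if any) also appear in the same post.
    """
    name_re = build_name_pattern(names)
    hits = []
    for post in posts:
        match = name_re.search(post["text"])
        if not match:
            continue
        flags = [label for label, rx in SENSITIVE_PATTERNS.items()
                 if rx.search(post["text"])]
        hits.append({"id": post["id"],
                     "matched_name": match.group(0),
                     "sensitive": flags})
    return hits


# Constructed sample feed (not real posts).
SAMPLE_POSTS = [
    {"id": 1, "text": "Proud to join Example State University as a new intern in Finance!"},
    {"id": 2, "text": "My resume is finally done, wish me luck"},
    {"id": 3, "text": "Lost my ESU student ID #20231234, can anyone help?"},
    {"id": 4, "text": "Is the ESU library open this weekend?"},
    {"id": 5, "text": "Exam tomorrow. Coffee. So much coffee."},
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS):
        status = "REVIEW: " + ", ".join(hit["sensitive"]) if hit["sensitive"] else "mention"
        print(f"post {hit['id']}: matched '{hit['matched_name']}' ({status})")
```

Post 2 is the reason the pattern is word-bounded: a naive substring search for "ESU" would alert on every post containing "resume". Post 3 is the case the policy cares about, a mention of the organization alongside an identifier that should be taken down quickly, and the `sensitive` list is what would drive that escalation.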
Understand (and use) Privacy Settings
It has been reported that 25 percent of Facebook users don't even attempt to configure any privacy settings. This means that anyone, including cyber criminals trawling social networks, can view their profile and everything they have posted. Birthdates, hometowns, pet names, family members, and job titles harvested from a public profile are exactly what an attacker needs to guess passwords and security-question answers or to craft a convincing targeted phishing email; from there they may obtain credentials that allow them to log into an organizational network and potentially gain access to sensitive information. Encourage employees to make their online profiles as private as possible.
Social media sites are also known to spread malicious software. Educate your staff on how to use social media sites safely, including connecting only with individuals they know, avoiding unknown or unverified links, etc. Implement an ongoing employee education program focused on the potential pitfalls of social media. The risks of malware, viruses, phishing, data loss, spam, scams, and other threats should be covered. Use real-life scenarios, plucked from the headlines, that explain the potential impact to both the individual and your organization if their accounts or connected devices were to be compromised. When it comes to protecting your organization's data, your best bet is to keep this in front of your staff by providing continuous education and reminders for staying safe online.
It is a common practice for individuals to re-use the same usernames and passwords across multiple sites and applications. This can be difficult to control in a business environment but should be addressed: when a social media site is breached, every other account that shares that password is exposed with it. Consider stating in your procedures that employees must have unique passwords for work accounts that are not the same as, or a variation of, the passwords they use for social media sites; a password manager makes this practical. You should require password updates for your organizational accounts whenever compromise is suspected and on whatever schedule your compliance obligations require (e.g. PCI-related access requires a 90 day rotation).
Use of Mobile Devices
Mobile devices, like smart phones and tablets, are common targets for attackers, and users are typically less proactive about securing these devices with anti-malware software or installing current updates. Your policy should clearly define whether or not employees are allowed to access social networking sites from personal mobile devices while connected to the organizational network. Some of this can be enforced via the network configuration, but including it in the policy helps to ensure that staff are aware of the restriction.
Consequences for Non-compliance
Your policy should fully explain the consequences for improper use of social media. We have seen numerous instances where faculty members and employees have been fired following posts made online.
Every state is different, so work with your general counsel when creating your social media policy. You may also want to refer to this reference from Seyfarth Shaw, LLP. It lists social media laws by state, along with employer and employee rights regarding requested access to social media accounts, employers' ability to restrict use of equipment, disclosure of passwords to employer accounts, access to publicly available information, compliance with workplace and law enforcement investigations, etc.
In higher education environments, social media often plays a huge role in student recruitment, in actively engaging students in campus activities and organizations, in promoting faculty achievements, and in connecting with donors and alumni. Social networking sites are also used to communicate safety information, weather updates, etc. to students. We also often hear the term "academic freedom" used on campuses. It is important for your social media policy to outline what is and what is not permissible, and exactly how academic freedom is defined. We don't want to discourage use, but instead provide staff with guidance on how to harness the power of social media effectively, securely, and in a positive manner.
Some additional guidance from the CampusGuard Marketing team below:
[Liberman]: Too often when planning for a social media management strategy, the protocols, processes, and permissions that are important for overseeing these channels are not well documented. All too often during staff turnover, an institution's brand and reputation, data security, and sometimes even unwanted attention and headlines are at risk. Ensuring a smooth transition and reassignment of passwords during planned departures, re-assignments, extended leaves, or dismissals can prevent any embarrassing incidents.