Toxic Personalities: Preventing the Spread of Confidential Information

Enterprises from all backgrounds have heard the social media
call. Breathless marketing executives presented the C-suite with
crisp PowerPoint presentations showing case studies that encouraged
them to reap the benefits of being open, social and transparent.
That forced true change, with the C-suite altering practices and
asking for more social activity and collaboration throughout the
organization.

There’s only one problem: the whole idea has the security folks
tied up in knots. The key challenge here is that as employees
communicate openly with customers, partners, prospects and
competitors, private and otherwise proprietary information within
content management systems and on hard drives may leak out. And for
many companies, a serious breach has already happened, as evidenced
by recent headlines of significant fines that organizations such as
the FTC, the Department of Health and Human Services, and others
have imposed.

This isn’t just about malicious activity and employees out to do
harm. It’s also about employees who want to do the right thing
when it comes to information security but either don’t know, don’t
understand or don’t remember the rules.

It’s also about creating and enforcing those rules.

Most corporations that have installed SharePoint 2010, for
example, have taken one look at the social media components and
either failed to deploy them, or deliberately turned them off,
fearful of the unregulated Wild West that they understand social
media to be. But tools exist that integrate seamlessly into
SharePoint and other collaboration platforms and can scan posts
prior to publication, monitor existing content and file
stores, and block, quarantine, or simply notify the
appropriate security staff about anything from profanity to
the secret merger code name that only the executive team should
know about.

How does a company protect itself from its own employees? And
what type of personalities should employers be on the lookout for
when trying to safeguard private or other confidential information?
Following are the 3 worst offenders.

Foul-Mouthed Social Media Monster

The Social Media Monster has a lot to say and wants to tell
everyone about it. She’s out on Twitter and Facebook, she’s
answering questions on LinkedIn and Quora and she’s interacting in
the forums. She does all of this with good intentions: to keep
herself and her company in front of prospects. It’s a valid
marketing strategy.

Only, she’s not always using appropriate language and sometimes
forgets that she’s there to represent a brand as much as
herself.

It’s key that companies present clear guidance on what is
expected of employees in the online universe, then monitor
the various locations to determine who is saying what.

A better bet is to keep the foul-mouthed behavior from ever
happening.

Clueless Uploader

The Clueless Uploader means no harm, as his name implies. He’s
happily sharing documents with the rest of the company, and in some
cases, with the public, just as he’s expected to do as part of his
job. But one day he posts a file that has customer social security
information within it. Not his fault, really. It was embedded on
one of the multiple tabs within the spreadsheet, probably 5 layers
in.

Still, it’s out there for all to see, and now his company runs
the risk of fines or worse due to compliance violations. Never mind
the public relations nightmare that awaits once word gets out.

This isn’t just about social security numbers; it could
be any piece of information that is considered confidential,
whether that’s a skunkworks project that’s critical to your next
product release, sensitive information about a client, interview
and reference notes about the newly hired VP of Sales, or even talk
of a strategic partnership or merger.

Making sure that employees know what’s in every content layer of
the document is very important. Some document management systems
handle this automatically. For others, there are add-ons that can
help by alerting employees when a document that should be held back
is about to go live.

The Executive Assistant with Slippery Fingers

While Executive Assistants are trusted to manage the calendars
and information for the executive team, many do not know, or
consider, the sensitivity of some of the information with which
they are trusted. When that information is posted internally and is
accessible to the entire organization, confidential merger talks,
reorganization strategies, even lay-off plans can be
jeopardized.

Managing the workflow of employees at every level can protect
the confidentiality of information. Technology that does not
interrupt daily activity but prevents the spread of sensitive
information can mean the difference between a successful and failed
merger.

What Can Be Done

Once executives identify problem personalities and characters,
these final steps can help eliminate problem behaviors and stop
information leakage in its tracks.

Policies: Create clear, documented policies as part of
your content strategy before implementation or roll-out, including
rules about permissible content. CIOs must take time to
consider what should and shouldn’t be shared through social media
channels, forums and internal platforms like SharePoint, as well as
the proper ways to use these tools.

Education: It’s important that employees understand the
privacy and confidentiality rules as they have been designed,
including how they protect both the company and the individual
employee. While many companies require employees to sign a
confidentiality agreement upon hire, very few employees read the
full document or understand how it applies to their daily work
life. On one level this means simple user training, including
“hands-on” sessions for various content contributors, but it could
also mean creating a “terms of service” screen that comes up as
users are creating their own SharePoint MySite, for example, or
email alerts that notify employees about when and why specific
content slated for publication is not permissible.

Awareness and Enforcement: Once the business rules are
in place, you must enforce these regulations and communicate to
users when violations occur in order to prevent more serious
breaches. Organizations can provide the community with a way to tag
content they consider to be “inappropriate.” New automated
solutions now available can also check content intended for
internal and external SharePoint sites before it’s
published, including content scans and validation against specific
business rules. These rules could include scanning for personally
identifiable information or personal health details, as well as
almost anything else that would constitute a breach. These systems
can prevent the posting of non-compliant content, in effect
preventing privacy breaches and confidentiality leaks.
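
The pre-publication check described above, as an added Python illustration (not code from the original article or from any product it mentions): every layer of a document, hidden tabs included, is scanned against business rules and the strictest of block, quarantine or notify is applied. The rule set, the code name "Project Bluebird" and the sample workbook are constructed, and the document is assumed to be already extracted into a dictionary of layers.

```python
import re
from dataclasses import dataclass

# Constructed business rules: (name, pattern, action). The code name is hypothetical.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
RULES = [
    ("ssn", SSN, "block"),
    ("merger-code-name", re.compile(r"\bproject\s+bluebird\b", re.I), "quarantine"),
    ("profanity", re.compile(r"\b(damn|crap)\b", re.I), "notify"),
]
SEVERITY = {"allow": 0, "notify": 1, "quarantine": 2, "block": 3}


@dataclass
class Finding:
    rule: str
    action: str
    location: str  # layer and cell only; the matched value is never copied into alerts


def scan_document(layers):
    """layers: {layer_name: {cell_ref: text}}, covering every tab, hidden ones too."""
    findings = []
    for layer, cells in layers.items():
        for ref, text in cells.items():
            for name, pattern, action in RULES:
                if pattern.search(str(text)):
                    findings.append(Finding(name, action, f"{layer}!{ref}"))
    return findings


def decide(findings):
    """Return the strictest action triggered, or 'allow' when nothing matched."""
    return max((f.action for f in findings), key=SEVERITY.get, default="allow")


# Constructed sample: the SSN sits on a hidden tab the uploader never opened.
WORKBOOK = {
    "Summary": {"A1": "Q3 customer renewals", "B2": "Total: 412"},
    "Notes": {"A1": "Hold until Project Bluebird closes"},
    "Raw (hidden)": {"C17": "Jane Doe 219-09-9999"},
}

if __name__ == "__main__":
    results = scan_document(WORKBOOK)
    for f in results:
        print(f"{f.action:<10} {f.rule:<18} {f.location}")
    print("decision:", decide(results))
```

Reporting the location rather than the matched value lets the uploader find and fix the cell without the alert itself becoming another copy of the confidential data.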

Finding the Balance: A true balance lies in being able
to support collaboration and information sharing with rules that
protect the organization and in some cases, its customers and
business partners, while preventing exposures that can result in
harmful penalties – both financial and reputational.
