11 Steps for Using Social Media Securely (Industry Perspective)

Social media offers government agencies tremendous opportunity for collaboration, marketing, reduced expenses and greater efficiency. But agencies’ activity on those same social media sites also can open the door for hackers, identity thieves and data mining entities gathering competitive intelligence. 

Verizon’s 2013 Data Breach Investigations Report notes that “social tactics … contributed to 29 percent of attacks,” in 2012, four times more than in 2011. Verizon’s 2014 report shows that those numbers are continuing to climb. When an attack succeeds, the breach can be costly: $8.9 million on average, according to Ponemon Institute’s 2012 study of IT and IT security practitioners.

Many government employees, like employees in all industries, are active on social networking sites. While it is not practical or realistic to prevent employees from social media interaction, agencies should promote these 11 practical steps to balance social media openness and collaboration with security and confidentiality.

• If your agency doesn’t have a social media policy, work with your HR and legal departments to develop one. Based on your agency’s risk profile, the policy should include topics such as marketing outreach, employees’ social media use during work and non-work hours, IP and data protection, and employment disclosures. The key is for a policy to reflect an agency’s expectations regarding social media use. In the past few years, litigation by employees on social media use has increased, along with decisions from the National Labor Relations Board on employees’ right to engage in concerted activity related to social media use. Therefore, it is highly advisable that an agency seek an opinion or direction from legal counsel when planning to discipline an employee for social media use that violates an agency’s social media policy. 
  
  
• Review social media sites’ terms of service, which usually are available via a link at the top or bottom of a site’s page. These terms spell out who owns posted information and how it can be used. Set privacy settings so posts are viewable to select, known persons or entities. This simple step minimizes risk of becoming a target by taking social media posts out of view of the world at large.
  
  
• Give employees guidelines for incorporating industry or agency information into their own social media conversations without running afoul of the agency’s policy. This could mean requiring an employee who mentions his agency affiliation to state that any opinions expressed are personal and not necessarily a reflection of the agency’s views. Guidelines also will help employees understand that confidential agency information and other content are off limits for any posting anywhere on the Internet. Managers should lead by example, which should help promote understanding and adoption of guidelines by agency employees.
  
  

• Protect every agency device that connects to the Internet by taking advantage of available technical tools. In addition to anti-virus and firewalls, an additional layer of security, such as a data leak prevention tool, can keep sensitive agency data from leaking out through employees’ personal and business social media communications.
  
  

• Conduct regular employee training on how to use social media to benefit the agency. Examples include responding quickly to customer inquiries and proactively networking to generate leads, recruit new hires and boost agency morale.

Employee training should extend to the importance of security in social networking. Hackers, identity thieves and spammers closely follow social network traffic and often target them for criminal activity. Employee training should include guidance, including, but not limited to:

• Assume that anything you put on a social media site can never be deleted. Hackers like to exploit this information to get even more potentially sensitive information from you. 
• Be on your guard against phishing scams, including fake friend requests and posts from individuals or companies inviting you to visit pages or sites that may contain malware.
• Use caution when clicking on links from “friends” because you may be unknowingly installing malware or downloading viruses that can be used to steal information or take control over your computer.
• Make sure you know the identity of the person you are communicating with, because it could be a hacker trying to get more personal information from you. 
• Use caution in downloading third-party applications from social networking sites, as they may contain viruses and malware used by hackers to compromise your personal information.
• Use the privacy features on the social networking site to restrict strangers’ access to your profile and be careful about who you let join your network. 

Social media offers enormous benefits, allowing government agencies to exchange information and ideas quickly, market their services, communicate with constituents and enhance employees’ ability and opportunity to collaborate. At the same time, public CIOs must be aware of the legal and security risks associated with social media use and proceed cautiously.
 
Jayne Friedland Holland is chief security officer and associate general counsel at NIC Inc. Contact her at jayne@egov.com.