Social media offers government agencies tremendous opportunity for collaboration, marketing, reduced expenses and greater efficiency. But agencies’ activity on those same social media sites also can open the door for hackers, identity thieves and data mining entities gathering competitive intelligence.
Verizon’s 2013 Data Breach Investigations Report notes that “social tactics … contributed to 29 percent of attacks” in 2012, four times more than in 2011. Verizon’s 2014 report shows that those numbers are continuing to climb. When an attack succeeds, the breach can be costly: $8.9 million on average, according to Ponemon Institute’s 2012 study of IT and IT security practitioners.
Many government employees, like employees in all industries, are active on social networking sites. While it is not practical or realistic to prevent employees from social media interaction, agencies should promote these 11 practical steps to balance social media openness and collaboration with security and confidentiality.
If your agency doesn’t have a social media policy, work with your HR and legal departments to develop one. Based on your agency’s risk profile, the policy should include topics such as marketing outreach, employees’ social media use during work and non-work hours, IP and data protection, and employment disclosures. The key is for a policy to reflect an agency’s expectations regarding social media use. In the past few years, litigation by employees on social media use has increased, along with decisions from the National Labor Relations Board on employees’ right to engage in concerted activity related to social media use. Therefore, it is highly advisable that an agency seek an opinion or direction from legal counsel when planning to discipline an employee for social media use that violates an agency’s social media policy.
Review social media sites’ terms of service, which usually are available via a link at the top or bottom of a site’s page. These terms spell out who owns posted information and how it can be used. Set privacy settings so posts are viewable to select, known persons or entities. This simple step minimizes risk of becoming a target by taking social media posts out of view of the world at large.
Give employees guidelines for incorporating industry or agency information into their own social media conversations without running afoul of the agency’s policy. This could mean requiring an employee who mentions his agency affiliation to state that any opinions expressed are personal and not necessarily a reflection of the agency’s views. Guidelines also will help employees understand that confidential agency information and other content are off limits for any posting anywhere on the Internet. Managers should lead by example, which should help promote understanding and adoption of guidelines by agency employees.
Protect every agency device that connects to the Internet by taking advantage of available technical tools. Beyond anti-virus and firewalls, an additional layer of security, such as a data leak prevention tool, can keep sensitive agency data from leaking out through employees’ personal and business social media communications.
Employee training should extend to the importance of security in social networking. Hackers, identity thieves and spammers closely follow social network traffic and often target those networks for criminal activity. Employee training should include guidance on topics including, but not limited to: