Social Media at Work: Balancing Risks and Rewards

By Jose Granado & Chip Tsantes  |  Posted 02-02-2011

Joe, a sales executive at a professional services firm, decided to walk back to the office after a meeting. The meeting with his target client went well -- so well he felt sure that he had secured the business. He pulled out his mobile device to update his social networking status. "Walking down 5th Ave. On my way back to the office. Great meeting with potential client."

Across town, Martin, who works at a competing professional services firm, was taking a break from his busy morning and logged into a social networking site on his laptop. Seeing the post, Martin knew exactly who Joe had been meeting with that morning. Martin picked up the phone and scheduled a meeting of his own. Soon after, Martin had secured the new business, leaving Joe to wonder how such a good opportunity had slipped through his fingers.

Assessing the dangers

As technologies advance and converge, they provide an increasingly mobile workforce with seemingly endless ways to connect and interact with colleagues, customers and clients. But at what risk?

Companies recognize that anywhere/anytime access presents enormous opportunities to improve customer relationships, boost sales and accelerate growth. But there are also risks in terms of data access and data leakage. The rise of social media heightens the risk that corporate strategies, new product development or other sensitive information could be inadvertently -- or intentionally -- shared with competitors or other inappropriate counterparties. Employees may also harm the business and its brand through simple association, uploading inappropriate comments or other content in their personal lives that is perceived to reflect on the company.

Ernst & Young's 2010 Global Information Security Survey found that 60% of organizations perceive an increase in the level of risk they face due to social networking, cloud computing and the use of personal devices. In truth, given these new technologies and practices, such risks can include "Joe's" minor lapse in judgment or a truly severe enterprise security breach.

Your company can establish barriers that severely limit the embrace of mobility, networking, blogs, wikis, tweets and other forms of user-generated content. But, in doing so, you not only discourage creativity, you also forfeit opportunities for breakthroughs in collaborative capability and overall performance. The failure to embrace mobility and networking can leave your business at a significant disadvantage relative to your peers.

Embrace and respond to mobility, social media trends

It will behoove you and your organization to recognize that mobility and social media are here to stay. Instead of banning mobile devices and social networking sites at work, you can mitigate the risks by simultaneously taking steps to safeguard your company's most critical access points and information assets, while creating a culture of risk awareness and compliance. The first step is to identify the key access points that must be secured. These will most likely be associated with access to primary information assets such as intellectual property, customer lists or corporate email traffic. Once these are identified, you can implement a data leakage prevention program. On the process front, your organization should make a distinction between what is available on mobile devices versus what can be accessed from a secure location. The right people should be permitted to obtain the data they need where and when they need it without unnecessarily exposing themselves to any data risk.

Next, access to sensitive data, mobile or otherwise, should be restricted on a "need to access" basis. You'll want to establish protocols requiring that data stewards be notified of access to critical data. In terms of your people, those with access to sensitive information should be well briefed about the reasons data security is essential, as well as educated about the basics, such as safeguarding and regularly updating passwords. Implement processes to develop awareness and ensure compliance with security requirements.

As for technology, it's worth evaluating the full range of data leakage prevention tools. Such tools include firewalls and related intrusion prevention software, data encryption and products that inspect content while it's in transit or at rest. As it relates to mobility, remotely wiping devices and the ability to quickly disable access are two essential measures to limit the damage of a lost or stolen device. The best companies will also be proactive, seeking to detect and mitigate minor issues before they become major incidents.

Instilling risk awareness

Encourage your enterprise to develop a collective understanding of the nature of informational and reputational risk -- and gain employee support to help identify, manage and control that risk. Provide awareness training for staff at all levels about the overall risks of networking and mobility. Those employees working in areas of particular vulnerability, whether to information assets or corporate reputation, need especially focused training.

It is also important to set the right tone -- from the top. As CIO, you -- along with other key members of your company's senior management team -- should champion mobility and networking. Serving as a role model, your daily routine should provide guidance as to appropriate mobile and networking behavior.

A mobile, socially networked workplace offers profound advantages, as well as an array of new and fast-evolving risks. The answer is to embrace these ever-evolving technological advances in a way that leverages the business advantages to your organization. But at the same time, implementation of the appropriate information security policies, tools, and training will be critical.

With a 100% secure environment a thing of the past, companies that blend the latest security and privacy controls with a culture of risk awareness have the best chance of success in finding a middle ground that balances the risks and rewards.

Jose Granado is a Principal and the America's Practice Leader for Information Security Services within Ernst & Young. George "Chip" Tsantes is a Principal at Ernst & Young LLP's Financial Services Office within the Information Technology Advisory Services group. The views expressed herein are those of the authors and do not necessarily reflect the views of Ernst & Young LLP.