How To Write Social Media Policies Designed to Reduce Digital Risks

policy agreementMost organizations already have policies and procedures in place to encourage your employees to act in a professional manner while at work. But in our modern connected age, social media makes it easier than ever for anyone tied to your brand to be a vocal representation of who you are and what you do.

For better or for worse, there is a lot brands need to remain vigilant for when you have active employees using social media. What many may not be as cognizant of is the potential digital incidents or cyber security issues that can also occur there, everything from phishing attacks targeting your employees to someone accidentally sharing private company details, and that means most policies typically don’t cover them.

Preventing these types of incidents is far from easy. A monitoring team or service can certainly help you identify and mitigate incidents as they arise, but the first step is to write social media policies that encourage employees to use social media more consciously in their personal and professional lives.

NOTE: To avoid legal bumps in the road, it’s important to remember that social media policies must comply with National Labor Relations Board guidance.

5 Things Your Social Media Policy

Most organizations have a social media policy by now, but few include elements specifically designed to reduce cyber incidents. It’s also important to include examples of what is and is not allowed on social media, as well as relevant training prior to having someone sign the policy.

Below are a few suggestions that you may want to consider for future updates to your policy:

1. Non-Disparagement? Try Morals Instead

In 2016, Chipotle got into hot water over the inclusion of a non-disparagement clause in their social media policy, primarily because their definition of confidential information was far too broad.

But non-disparagement clauses aren’t the only way to curb negative exposure. Most organizations already have morality clauses in place that prohibit employees from certain behaviors in their private lives; for example, these clauses typically put limitations on how employees are allowed to talk about their employer publicly. Naturally these clauses apply to the use of social media, and this should be explicitly noted in in your social media policy.

2. Information Disclosure

Everyone knows not to share private company information, right? Sometimes it just slips out, other times people feel that their privacy settings are sufficient to ensure the security of any private information they might share. Whatever the reason, if it gets published online it can easily be screen capped, shared with outside entities, leaked to the press, or otherwise circulated more widely than you would have liked.

include an information disclosure section in your policy to highlight that any and all information about the company should be considered private unless noted otherwise.

3. Password Creation

Regardless of what the account is for, a strong password can easily be the difference between a breached account and one that keeps information secured.

While a strong password is important, the other key to avoiding a breach is by not reusing passwords. Sure, trying to remember numerous passwords can be a challenge; however, now there are well established and encrypted password wallets that allow you to easily login to your account using incredibly strong passwords, all without having to remember each individual one.

4. Password Storage

With a strong password in place and not reusing one from another account, storing your password in a secure way is important. If notecards and post-its are your version of secure, you’re going to be in for a rough ride. Within your social media policy encourage the company-wide use or even personal use of a password wallet like LastPass to ensure account credentials are secured and encrypted.

5. Careful Connections

Everyone has their own approach to who they connect with on social media, and typically varies from platform to platform. On Twitter, for example, it takes nothing more than a single click to follow someone, and in reality you don’t even have to connect with someone in order to communicate with them. A strong social media policy should advise employees to carefully consider new connection requests before accepting them, and explain the potential downsides of allowing their private information to be shared with people they don’t really know.

6. Report Suspicious Content

Like email, reporting suspicious content from social media is incredibly helpful to both your organization and the platform it originated from. Including information in your policy about what to look for, how to report suspicious content, and what to do if someone feels they may have accidentally slipped confidential or important information to a threat actor will make typically reactionary situations more controlled.

Policy Backed by Training

Ultimately, while a strong social media policy is essential to managing your organization’s cyber risk, it isn’t enough to change employee behaviors. In order to see genuine and sustainable improvements, you must back up your policy with a strong security training program.

To find out how to build a social media training module that will improve employee security behaviors over time, check out this post:

How To Change Security Behaviors: Social Media

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: