Uncharted Territories: the personal-corporate-social-web-mashup

Corporate web communications have grown from simple web pages to massive and complex applications. The security department has mostly kept up and maintained a secure perimeter—even when that perimeter included outsourced and vendor systems. Contracts were in place, systems were secured, and life was good—even when the executives had their own blogs.


But just when everyone was getting comfortable again—enter the social web: MySpace, Twitter, and Facebook. People started using them and corporations followed. Born of this are the corporate MySpace pages, Facebook groups, Facebook fan pages, management’s Twitter accounts, LinkedIn recruiting pages and more…


Did you see what happened there? No? It’s okay, neither did the security department.


So what was it? The customer contact point shifted from the corporate web environment to one controlled by a third party.


Unlike most arrangements made with third-party vendors, this relationship is likely not covered by any type of contract, agreement or partnership. There is no guarantee of reliability, privacy, security or any type of regulatory controls. Your corporate users/administrators, as well as your customers, are bound by the third party’s terms of service and policies, not yours, and you are also at their whim with regard to functionality and design.


These are no small issues when you consider the spider-web of laws, regulations and agencies that may cover many large businesses: Sarbanes-Oxley, HIPAA, GLB, etc. The security team, human resources and PR/brand all have a vested interest in keeping your sites and customer information secured, protected and private, and they just lost control of a key piece of the infrastructure.


This is not a completely theoretical risk. Looking at the news for the past few years, it’s easy to come up with examples that could have business, customer or employee impact. Even if no laws were violated or charges filed, in the internet age a negative story can spread like wildfire and damage brand.


Here are a few quick examples:


These are simply a few recent examples, but represent the tip of the iceberg. It’s hard to find news stories of confidential or proprietary corporate information posted to these sites, but you can safely bet it happens.


As marketing and PR types take a bigger interest in these channels to reach additional markets, and more and more users flock to these sites, the corporate presence there is going to increase drastically.


So what should a company do? With regard to employees, here are a few suggestions:


  • Remind employees it is their responsibility to safeguard corporate and customer information.
  • Incorporate messages about social networking into existing employee training and policies, and if applicable, give employees refresher courses.
  • Ensure employees realize the internet isn’t actually anonymous, and that they should behave ethically and in a manner that doesn’t reflect poorly on themselves or the company.


If the company is creating an official presence on third-party web sites, some additional suggestions come to mind:


  • Determine the proper ownership for these channels—perhaps marketing or public relations—and establish a centralized point of contact.
  • Implement policies, guidelines and/or a code of ethics which clearly determine what information can and cannot be posted, and have a review procedure for anything questionable.
  • Implement policies/procedures for managing accounts and passwords to third-party systems, which include controls for changing passwords after employee attrition, choosing strong passwords, etc.
  • Implement procedures for monitoring the sites on a regular basis to ensure the messages, conversations and the brand “image” are appropriate (this can be contracted to other parties).
  • With the legal department, review the terms and conditions of the web site to look for potential pitfalls with regard to marketing through the site as well as ownership of uploaded content.
  • Thoroughly investigate privacy and security settings on the web site, and determine which should be enabled to best protect the company, customers and the user accounts.
  • If any relationship becomes mission critical or an important piece of the business, pursue contracts with the site operators which attempt to establish things like official support, uptime guarantees, additional security features, etc.

These may all seem like daunting tasks, but any company with even a partially mature security department and policies should be able to integrate these types of changes fairly easily—in almost every case these are simply extensions, additions or clarifications to things already present in the corporate culture.


Given the immense popularity of these sites and their growth rates, the problem isn’t going away any time soon. Before the next wave of change comes to the internet, social networking policies and changes should be dealt with in a way that respects what employees do in their off-hours, protects the company and provides a new opportunity for corporate growth. The company that sticks its head in the sand may find itself in a nasty situation that could have been easily avoided with a little forethought.

Wh1t3Rabbit | 06-24-2009 09:28 PM

Great post, Chris!  It's crazy to take a step back and look at the disappearing border between personal "social media" and the corporate boundary - worse, with all the gadgets and widgets that are built for these sites the mash-up of data continues to get worse.

I miss the days when you could do security by turning off ports on the firewall :0

Chris Sullo | 06-26-2009 02:09 PM

Unfortunately, I believe a lot of organizations still think having a firewall is enough to protect themselves.

The topic of widgets and gadgets is certainly fodder for another rant about bringing external resources into a trusted environment... another day :smileyhappy:

The opinions expressed above are the personal opinions of the authors, not of HP.