In order to compete in the modern marketplace, your company probably has to be on social media. Even if your company isn’t, your employees will be, and they are likely using it every day, often from your computers, which creates the potential for risk.
Your employees will always be the weak link in your security solution. Unlike the computers, they cannot be programmed to avoid bad behaviors. They cannot be given a list of URLs to avoid, and be counted on to actually avoid them. Your employees can only be taught to avoid security risks, and it’s up to you to make sure their training is as effective as possible.
Public social media training
Public social networks are what we typically think of when we think of social media, a category that includes Facebook, Twitter, and Google+. Employees should be trained at least annually on some of the basics of security threats present in social media. At a minimum, employees should be taught how to avoid malware by approaching links with suspicion. Employees should be told that IT will always keep drivers up-to-date, so they will never have to update drivers on their machines; requests to do so are likely attempts to place malware on machines.
Employees should also be told to be wary of requests to connect from people they don’t actually know outside the social media site. They should be taught the hallmarks of a fake profile.
Employees should be warned about requests to log back into the service they just left. These login requests are attempts to get user names and passwords, which can compromise not just personal accounts, but the corporate accounts as well. This type of attack is why Twitter introduced its 2-step login. Employees can check that they are still logged in by using the back button or opening the service in a new tab or window.
Another type of security risk is oversharing. Remind employees that much of the information they have access to is sensitive. Make it clear what company information can and cannot be shared. Also tell them to assume that all posted information is public, no matter what their privacy and posting settings may be. Even if they think information won’t be shared publicly, sensitive information is not to be shared.
Internal social media
Seeing the success of social media, many companies are trying to harness its dynamic to increase the efficiency of collaborative projects. Salesforce Chatter is the leading commercial application, but Yammer is an alternative, and even instant message groups and shared docs become a form of internal social media. Because the group is largely “trusted,” the risk of malware is greatly reduced, so training should focus on information control.
Training should be made specific to each collaborative group. When a group is made up of people who do not normally work together, it’s important to identify all group members. Employees should be told when a collaborative group includes members from outside the organization and told exactly what information can and can’t be shared with each individual.
Make your training effective
Ineffective training eats up your company’s valuable man-hours and can diminish morale. Here are some tips for making your training more effective:
- Keep the training as short as possible while still covering the necessary information.
- Whenever possible, share the rationale behind restrictions — people are more likely to obey policies they understand.
- Only give people information relevant to their job. If some information is only relevant to certain employees, use breakout groups to communicate specialized information. People don’t like being told information that’s not pertinent to them, and it can make them ignore or tune out relevant information.
- Make sure managers lead by example. Employees are less likely to follow policies if management doesn’t.
And, of course, remember that no training is going to be universally effective. Make sure you have additional layers of security with antivirus, firewalls, and more. Parcel information so that employees only get what they need to do their jobs — they can’t share what they don’t know.
Matthew Candelaria is a freelance writer with expertise on computer security, renewable energy, personal injury law, and medicine. He has experience writing B2B and B2C articles. He can be reached for comment and for hire at www.writermc.com.