Social Networks and Operational Security

Are your executives (or employees) on social networks? Should you care? Is your socially active executive sharing too much information (TMI)?

Social networks are how the billions of us who share this planet have evolved to socialize, both personally and professionally. Among those billions of individuals are many of your employees, your executives, your board members, and, perhaps, even yourself.

Intuitively, we all understand that the use of these free social networks isn’t actually “free” to you. Yes, they are free to use; however, the real price of admission is the data you provide via your participation in those social networks. The data you provide will be used and shared as detailed in the terms of service and privacy statements of each social network (that no one actually reads… we know).

Clearly, many view this price as an acceptable risk, as the community and outreach those networks provide can seem, and often truly can be, invaluable.

Arguably one of the most successful social networks used by both individuals and businesses, Facebook, averages almost two billion active monthly users, of which less than 15 percent are from the U.S. and Canada, while the social network designed for professional engagement, LinkedIn, averages a more modest 106 million active monthly users.

What we share online varies from individual to individual, family to family and company to company.

Why Does What We Share on Social Media Actually Matter in the Grand Scheme of Things?

The scandal sheets are full of salacious pieces describing the latest escapades of the world’s politicians and celebrities (and occasionally our neighbors), as all go about posting their selfies, locations, gossip, and everything else in life.

That content may be appropriate or inappropriate, but those postings exist and will continue to do so. We also know - or should know - that once posted, that post is there forever, to come back and visit with you at the most inappropriate time. If you believe otherwise, visit the Internet Archive’s “Wayback Machine” and become a believer.

Similarly, we have heard, ad nauseam, that we should never post our child’s or grandchild’s photo with their name, or any other identifying data to allow individuals to collate and identify our loved ones.

And who doesn’t remember the uproar caused by Please Rob Me, which collated every check-in on Foursquare or Tweet that contained a mention of an individual’s location or travel plans? Sharing where you are also shares where you are not.

The above examples are apropos to every company, and a boon to every competitor or competitive intelligence professional. Like it or not, the posts of your employees and their daily lives paint a picture, which you, as the keeper of the corporate trade secrets or go-to-market strategy, may not have considered as thoroughly as you should.

What Can Your Organization Do to Minimize Risk?

Companies can and should provide basic guidance to every employee. Build the social network and media guide for your colleagues to follow. Make no assumption that your colleagues will triage what is sensitive and what isn’t in the same manner you would. The reality is, most employees think anything they post is their private sharing amongst friends and would never consider themselves a spokesperson for your company. The risk is built right into the platform and how the average person uses it.

While you can’t keep an employee from posting about their vacation to Tahiti, you can make clear that you expect any company travel to be omitted from their social network postings. Apps exist to log travel and travel expenses, and many employees may use these apps to keep their friends, family, and interested followers apprised of where they are traveling to next (a bit of professional “Where’s Waldo” at play). Rarely does one think through how this same piece of data fills a piece in the competitive intelligence mosaic, which may be under construction by a malicious actor or an eager competitor.

Similarly, when employees want to post their professional experiences, help them with the content. Do you really want a competitor to know precisely how large the team is conducting the R&D on your latest product, what applications or systems are being utilized, and the size of the budget? All of those pieces are a common means by which individuals may differentiate themselves on LinkedIn - all of which is harvestable by anyone else on the Internet.

When your competitor can (and they will) build your organizational chart, assign monetary values to specific efforts, and identify linchpin activities, they truly are grazing in high grass.

What Should Go Into That Guide You Hand Your Employees?

Your guide should align with your security policies and should be scrutinized by your chief security officer along with your corporate communications team. Your guide should also address the “why” behind any admonishments, so that you don’t just sound as if your goal is to censor your employees.

  • Address why corporate public relations speaks for the company and addresses the “complaints” arriving over the social network feeds.
  • Describe why all blog posts mentioning company technologies are required to go through a review process.
  • Explain why the employee will be held accountable (and responsible) for his/her social media engagement.
  • Also provide a means for the employee to self-triage and reach out for clarification. Be sure to stress that no question is a “bad” question and that you will be happy to guide a proactive employee through what content is reasonable and what should be reconsidered and how.

Remember, the goal of the guide is not to stifle social network engagement, but to channel that portion which pertains to the inside information that may leak out via social network postings. Consider encouraging employees, instead, to act as thought leaders and to share interesting news articles and content that relates to your industry, building up their own network of influencers in the process.

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).