DIGITAL RISK
Managing the Business Risk of Blogs
Blogs let anyone publish their latest thoughts to the world. Make sure your employees are crystal clear on what is OK to discuss in a personal blog -- and what isn't.
A colleague recently made the observation that if someone hasn't heard of blogs or blogging, they must have been living under a rock for the past year. Even if people don't understand the utility of blogging and other social software as a marketing and internal collaboration tool, they have still probably heard of some of the high-profile cases of employees being fired because of content in their personal blogs.
Even though blogging is the hottest trend on the Web right now, it might not be on your compliance team's radar. Start getting policies in place now, so employees are clear on what's OK -- and not OK -- to discuss on their blogs.
- Delta fired one of its flight attendants for wearing her uniform in a photograph published on her personal blog.
- Google fired an employee for writing about the company's financial statements before they were made public.
- Friendster fired an employee for talking about coding and architecture changes to the company's Web site.
- An employee of an independent analyst firm posted venomous responses on public blogs using fake names, and e-mailed the employers of the blog owners demanding they be fired for their writing and behavior on the blogs. The employee was publicly found out, and the result was serious damage to the credibility of the firm.
Each of these examples represents different vulnerabilities and risks for companies. Like it or not, they present issues for companies as more and more people blog or use other forms of social software.
Before discussing these examples in more depth, it would be useful to get an understanding of social software, what it is, and how it has evolved. We'll then revisit the examples to discuss risk assessments in the hope of highlighting the importance of having enforceable, written policies to minimize risk and exposure.
What are blogs and social software?
Blogs and bloggers have helped to shape political campaigns and issues, refute major broadcast and print news stories, and provide more timely coverage of natural disasters than traditional media could. But not all blogging is grass-roots. Many companies are starting to use blogs as part of their internal collaboration toolkit, and many enterprises, including IBM, Sun Microsystems, Boeing, and General Motors are using official blogs to communicate with customers. Going one step further, other enterprises, including Microsoft, are actively encouraging their employees to set up unofficial blogs to help get their message out and put a more personalized face on the company image.
Depending on your source of data, there are more than five, eight, or ten million blogs on the Internet. If you've taken the time to think about what those numbers mean, you may have realized that the odds are fairly good that when you’re hearing people talk about bloggers, they might be including one or more of your own employees.
Anyone with access to a computer, a browser, and the Internet can be a blogger. At their core, blogs are just Web sites organized into a format that separates content into date-stamped articles. There are many specialized tools that people can use to maintain blogs and read blogs, and there is a rich (and rapidly evolving) feature set these tools add to the basic chronological Web page that defines a minimal blog.
There are also Web sites that provide ready-made blogging and blog reading tools, so the technology bar is set very low. Employees don’t need to install any special software on their home or office computer to become full-fledged members of the "blogosphere."
Undertaking a risk assessment
When it comes time to develop policies in your company, the risk assessment is the core task to undertake before you do anything else. The risk assessment must include a cross-section of people from across the company, and you must have the support of the highest levels of management.
Who should be on the team? In her book, The ePolicy Handbook, Nancy Flynn suggests that the team include the following people:
- Senior company official
- Research consultant
- Human resources manager
- Chief information officer
- Risk management consultant
- Computer security expert
- Cyber-insurance broker
- Training specialist
- Writing coach
- Public relations manager
By assembling a team in this manner, it's easier to develop consensus early on in the process. For a couple of reasons, building consensus shouldn't be treated as secondary. The first is that you can't put policy in place by edict, or employees will balk. The second is that risk assessment is highly subjective by nature, and there needs to be a holistic approach and view to be successful.
Risks and vulnerabilities associated with social software
There are a number of risks and vulnerabilities associated with the use of social software. To appreciate how likely they are to occur, you must acknowledge that employees will use these blogging tools whether you want them to or not, especially outside of the workplace. The challenge comes in balancing employee rights versus employer responsibilities. There are a number of examples in case law where employers have been held responsible for the acts of their employees.
Some of the more common vulnerabilities include:
- Sending/receiving/viewing inappropriate content
- Release of confidential business information
- Failure to retain business records
- Misuse of corporate assets
- Introduction of viruses/worms
- SPIM/phishing/social engineering attacks
- Employee misbehavior
Of course, with these vulnerabilities are related business risks that include:
- Litigation
- Sexual harassment claims
- Lost time/productivity
- Network attacks/lost data
- Lost customers
- Lost opportunities
- Bad public relations/press
A close look at some examples
At the start of this article, I listed four specific examples, each touching on a different area of risk for a company. First, there's the blogging flight attendant. Delta Airlines first suspended and then fired the flight attendant because of content she posted in her personal blog. She claimed Delta was violating her First Amendment rights and that she was the victim of discrimination. She also claimed she did no wrong because Delta didn't have a policy prohibiting employees from having blogs. However, it wasn't the blog per se that led to her suspension and subsequent termination. It was the fact that she posted a photograph of herself, wearing her flight attendant uniform (with a few buttons undone), reclining on top of a row of seats on the aircraft. This violated a company rule that states that pilots and flight attendants may not appear in public in their uniforms without the express written permission of Delta for each appearance. Until she posted that picture, nobody knew what airline she worked for. With the picture, everybody knew.
This example illustrates the delicate balance between "on" and "off" the clock. As companies catch up with the fact that they need to have policies governing employee behavior in this area, it's clear that the policies cannot and do not operate in a vacuum. Meanwhile, Delta, already facing a financial battle to stay afloat, had this situation added to the mix. How the courts decide this will be very interesting to watch as the impact will be measurable.
What about employees who write about their work on their own time, but whose readers know full well who the employer is? In the case of Microsoft, there are posted positions for "evangelists" who are required to blog about their work. They have pretty much free rein in what they write. Most "corporate" bloggers are very careful about what they write and when they write it, in order to avoid running afoul of corporate policies. However, it's difficult for many of their readers to distinguish between the individual private blogger and his or her corporate identity.
This is what many believe led Friendster to fire one of its programmers for writing about the coding and architecture overhaul of the corporate Web site, which is the company's product. The irony in this termination is that Friendster is social software and the information the employee published was fairly common knowledge in the programming community. As with the Delta example, this employee felt wronged because there was no corporate policy banning employee blogging and she was writing on her own time.
If you're helping develop policies for your company, they need to address this gray area. Where does the identity of a person end and the identity of the corporation begin? What significant risks are posed in this scenario? What if an employee really does release confidential information or trade secrets? As an employer, you have to be careful in developing policies to cover this. It's clear that you can't stop employees from using social software on their own time, but you do have the right and obligation to your shareholders to make clear what they can and can't write about from the workplace.
The next example takes this a step further. What happens when an employee posts financial information that can get the company into potential trouble with the Securities and Exchange Commission (SEC)? That’s what got a Google employee fired in his first week on the job. He attended an internal meeting where financials were discussed and he was so enamored with what he heard that he posted the information that night on his blog. The next day (or so) he was fired, and with good reason. Google executives were already in hot water over their pre-IPO Playboy interview and they couldn't accept the risk resulting from what this employee did on his own time.
Again this comes down to the initial risk assessment. What areas are of most concern to you and your organization? What risks are acceptable to you? Of course, like all things in life, not every risk can be identified. An independent analyst firm in California found this out the hard way last year when an employee took it upon himself to post anonymous comments to public blogs defending his employer.
This is called "astroturfing," or creating a fake grass-roots movement. A new media marketing company in the Northeast got burned very publicly for doing this to generate false enthusiasm for soap operas on a broadcast television network. In the case of the analyst firm, the employee made public postings on a number of public blogs criticizing people who were critical of a report he had written. This same employee then wrote to employers of the blog owners, using fake names and e-mail addresses, demanding that these people be fired for their postings. Unfortunately, this individual attacked a strong community that very quickly organized and traced the postings and e-mails back to a computer owned by the analyst firm. The saga took on a life of its own and was picked up by the mainstream technical media. It was so well documented on another piece of social software called a "Wiki" that anybody searching for this company by name is presented with a link to the whole documented incident at the top of the search results.
This example goes beyond risk to a reality that publicly harmed the employer, destroying credibility for a firm that relies on credibility to survive. How does one begin to measure this risk? For most people, it would be cut and dried. The employee used company resources to do these acts on company time. If there had been a policy in place, this might not have occurred.
Companies that have been burned quickly learn and adapt. The question is do you want to wait until your organization gets burned, or do you want to take a proactive approach to manage the potential risks up front? Social software is one piece of a larger puzzle when it comes to acceptable use policies, but as its use grows so does the risk to your organization.
Christopher Byrne, CISA, IBM CAAD (Lotus Notes & Domino R4, R5, ND6)/IBM CASA (Lotus Notes & Domino R5, ND6), is vice president and practice manager for the information systems audit and assurance practice of The Cayuga Group, LLC located in Athens, Georgia. He has extensive experience conducting management reviews and control self-assessments for a wide range of areas. He is a Certified Information Systems Auditor (CISA), and passed the Uniform CPA Examination in 1995. A member of the Compliance Solutions Advisor Editorial Council, he writes about corporate governance, IS governance, and business control issues on his blog at http://www.controlscaddy.com.
Richard Schwartz is the founder of RHS Consulting in Nashua, NH, a member of Penumbra Group and an IBM Business Partner. He has more than 20 years experience with communication and collaboration technologies, and has been working with, writing, and speaking about Lotus Notes and Domino since 1993. http://www.rhs.com
Keyword Tags: Blogs, Collaboration, Compliance, Corporate Compliance, Instant Messaging (IM)