What is information governance?
AIIM states, “information governance is concerned with defining the accountability for your organization’s information assets — its content and records.”
In a nutshell, information governance, including good social media management, is focused on a) protecting an organization’s information assets and b) making them available for as long as necessary in order to satisfy its policy, legal and regulatory requirements. While information governance is generally applied to email, file shares and collaboration tools, it must also be applied to social media.
Information Governance and Social Media
Most organizations are not sufficiently meeting their information governance requirements in the context of social media management. First, while the vast majority of organizations have implemented tools to scan incoming email for spam, viruses, malware and other malicious content, most have not done so for newer communication and collaboration tools like social media. This is despite Osterman Research's finding that the typical employee spends 51 minutes per workday engaging in work-related social media and so is exposed to a growing array of malware and other risks. Moreover, one-half of North American organizations view Twitter and Facebook as legitimate applications for use in a business context, while 78% view LinkedIn this way.
The dangers that organizations face from not properly managing social media security are many. For example, Trusteer discovered a form of financial malware that gains access to Twitter accounts for the purpose of spreading malware via shortened URLs. One set of researchers was able to purchase more than 120,000 bogus Twitter accounts, each of which could be used to spread malware and spam. Even LinkedIn, which isn’t regarded as a “consumer-focused” social media tool like Twitter or Facebook, has also been used to implant malware in targeted organizations. Because even a single tweet that links to malware could cause enormous damage, organizations that do not scan for malware in social media put themselves at significant risk. Osterman Research has found that 15% of social media users report that their accounts have been hacked or they have been the victims of malware received through social media.
Retaining Social Media Content
Another serious information governance problem that most organizations are not addressing is retention of social media content. For example, Osterman Research has found that only 31-34% of organizations are retaining their “official” Facebook posts and tweets, while only 11-14% are retaining the “unofficial” Facebook posts and tweets that their employees generate.
A failure to retain official social media posts makes it difficult for an organization to prove the context of these posts and also to demonstrate for how long content was made publicly available. For example, if an organization posts an offer to Facebook in error and shortly thereafter deletes the post, retaining these posts in a suitable archiving system can offer proof of exactly when the errant content was posted and then deleted, information that may be required in a legal action or regulatory audit.
Monitor Social Media Posts
Yet another problem occurs when organizations fail to monitor their employees’ social media posts. Osterman Research has found that only 51% of employers monitor employees’ use of social media at work. The failure to apply outbound monitoring practices and technology to at least company-sanctioned social media accounts, a practice that is reasonably common for outbound email communications, leaves an organization vulnerable to employees posting offensive comments, divulging sensitive information, posting information that violates corporate policies or statutory obligations, or posting content that is simply ill-advised.
Organizations must focus on information governance for social media in three ways:
- They must scan incoming social media content for malware. Because users opt in to the content they receive through Facebook, Twitter and related tools, that content is trusted more readily than email, and cybercriminals exploit this trust to penetrate corporate defenses using a variety of social engineering techniques.
- Organizations must retain social media content just like they retain email, files, SharePoint content and other business-critical information. This is the norm in the financial services industry, for example, because of the FINRA requirement to retain business records generated in social media, but it should be the norm for all organizations.
- Finally, organizations must monitor employees’ social media posts to scan for content that is potentially injurious to corporate interests. While this ideally would be performed for all employees’ personal social media posts that have been made public, at a minimum this should be the norm for organizations’ official social media content.
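As an added example (not from the original article or from Osterman Research), the archiving scenario from the retention section implemented as an append-only, hash-chained ledger in Python: it records post and delete events and answers exactly when the errant Facebook offer went up, when it came down, and how long it was public. Platform names, post ids, content and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # chain anchor for the first archived event

def digest(entry):
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(archive, platform, post_id, action, content, at):
    # Append one post/delete event; each entry commits to the previous digest,
    # so later editing or reordering of archived events is caught by verify().
    prev = archive[-1]["digest"] if archive else GENESIS
    entry = {"platform": platform, "post_id": post_id, "action": action,
             "content": content, "at": at.isoformat(), "prev": prev}
    entry["digest"] = digest(entry)
    archive.append(entry)
    return entry["digest"]

def verify(archive):
    prev = GENESIS
    for e in archive:
        if e["prev"] != prev or digest(e) != e["digest"]:
            return False
        prev = e["digest"]
    return True

def exposure_window(archive, platform, post_id):
    # Return (posted_at, deleted_at, time_public); deleted_at is None while live.
    posted = deleted = None
    for e in archive:
        if (e["platform"], e["post_id"]) != (platform, post_id):
            continue
        if e["action"] == "post" and posted is None:
            posted = datetime.fromisoformat(e["at"])
        elif e["action"] == "delete" and posted and deleted is None:
            deleted = datetime.fromisoformat(e["at"])
    if posted is None:
        return None
    return posted, deleted, (deleted or datetime.now(timezone.utc)) - posted

def errant_offer_example():
    # Constructed scenario from the text: an offer posted to Facebook in error
    # and deleted 47 minutes later. Dates and ids are made up for the example.
    archive = []
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    record(archive, "facebook", "offer-0421", "post", "50% off everything!", t0)
    record(archive, "facebook", "offer-0421", "delete", "", t0 + timedelta(minutes=47))
    return archive
```

Exporting the ledger to a write-once store (or a regulated archive) keeps the digests useful as evidence; the chain only proves that the copy you hold has not been altered since it was written.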