Recently a colleague of mine who’s a social media marketer posted a question on Facebook. She said she was sitting down to update her company’s social media guidelines and asked her network for suggestions.
There then helpfully followed a number of good suggestions to which I added my own: “Don’t forget to include security/privacy guidelines,” I wrote.
She wrote me back thanking me and asking me what exactly that would mean.
The exchange we had got me thinking about the importance of guidelines. We in security and privacy regularly speak to the importance of guidelines, policies and procedures. We talk about how they’re a critical foundation for any good security practice because they set the principles. But the most common question non-experts ask us about guidelines, policies and procedures is “What should they contain? Can you give me an example?”
And this is where we usually provide the classic engineer’s answer that is technically accurate and honest but completely unhelpful: “No, I can’t tell you what your business’s policies should be: they have to be developed by you to reflect your company’s goals and requirements.”
These exchanges generally leave the non-expert frustrated, lost, and directionless. They’ve been told to build something but when they ask for help, they’re told only they can build it.
This is one reason why some organizations never actually develop guidelines: the project gets stuck right in this place between the business side and the technical side.
It IS the most accurate answer to say that an organization should develop its own guidelines, policies and procedures. This is because every organization is unique, and that has to be reflected accurately in these foundational documents.
But I am also a pragmatist and believe that a basic, cookie-cutter set of guidelines is better than nothing at all.
With that in mind, this month I am providing a short list of security and privacy guidelines that you should feel free to adopt and adapt as part of your social media guidelines. This isn’t a comprehensive or detailed listing: it’s only meant to cover some critical basics. Ideally, this should be something you take and start working with to make truly yours (like we recommend). It’s really intended to give you something to help jumpstart your own process for developing guidelines.
- All computers and devices that access social media channels should be fully updated for:
  - The operating system (Windows, Mac OS, Android, iOS).
  - Applications (Twitter, Facebook, Hootsuite, Microsoft Office, Adobe Acrobat).
  - Helper programs (Java, Adobe Flash).
  - Security software (latest version and signatures).
- These computers and devices should be running a full security suite that protects against malware (viruses), spam, phishing and other threats. (Often it’s best to pick one package for the company and mandate that it be used. Also, free security packages only offer very basic layers of protection and shouldn’t be considered adequate.)
- These computers and devices should be password protected to prevent unauthorized access.
- Devices that can be lost or stolen (phones, tablets, laptops) should have remote tracking and wiping software installed where possible. Also, encryption should be considered for sensitive information.
- A full scan by the security software must be done at least once a week.
- A weekly backup of any critical computers or devices should be made and stored in a secured location to prevent theft.
- Computers and devices used to access social media channels should not be used for personal accounts or use. Only approved software and apps should be installed. (Mandating a specific package for managing social media accounts is a good idea here).
- All email accounts used for password resets on social media channels must either be corporate email accounts controlled by the information technology (IT) group or, if they are webmail accounts (e.g. Gmail), they must use two-factor authentication.
- All social media accounts should use two-factor authentication whenever possible.
- A password manager must be used and unique, complex passwords generated for each social media account (and webmail if necessary). Passwords should never be written down, only managed using the password manager.
- Social media channels should never be accessed using “kiosks” or other untrusted, shared devices. A VPN should be used whenever possible. Social media channels should never be used over an unencrypted Wi-Fi network without a VPN.
- All computers, devices, corporate social media accounts and corporate email are considered the property of the company and must be surrendered or access provided immediately on demand.
These guidelines cover essentials that can help protect your social media channels from various threats as well as provide clarity and direction for employees.
If you’ve not worked with guidelines before, one thing you may be surprised to find is that many people welcome the clarity that prescriptive guidelines like these give. Not everyone wants to figure out what social media package to use, or what security software to use. And in IT we’ve known for a long time that it’s cheaper to support a standard configuration. So while there’s a lot of buzz about “BYOD” (bring your own device), don’t feel that means you can’t establish some standards. You may find people welcome that.
One critical thing when talking about guidelines: if they’re going to work, they have to apply to EVERYBODY. Nothing kills the effectiveness of guidelines more than a CEO or execs who think they don’t apply to them. If you’re the head of an organization or division and you want people to follow guidelines, set the example and lead from the front.
These guidelines are a baseline and won’t protect against everything that could go wrong. But they do represent a good starting point that gives protection against common threats. Most of all, I think you’ll find that they make people think about things they hadn’t thought about before. And that can help improve your overall security posture. In time, as you and your folks get used to following guidelines like these, you may feel comfortable taking them, making them more your own, and maybe even introducing better practices. If nothing else, this is a great first step on the path of thinking about security and privacy like a professional.