It’s no secret that in today’s cancel-prone culture, social media can have a negative impact on companies – not just from corporate social media accounts, but also from those of individual employees. This includes more obvious things like posts that reflect poorly on a company’s reputation. But it also includes cybersecurity risks that can arise from social media activity, something which is too often overlooked.

In today’s blended and continuously connected world, our personal and professional lives are a digitally connected continuous stream, documented and available for public view. With this in mind, it is imperative that employers provide more comprehensive guidelines to secure and protect employee use of social media. Employers are reluctant to step into this space for fear of kicking a hornet's nest of individual privacy and personal freedom issues, but if done correctly, it doesn’t need to be an either/or situation; there is a way for employers to institute a corporate social media policy that balances protecting the company with protecting personal freedoms of speech.


The digital, social reality

Social networking is now an integrated aspect of work and personal life. While companies embrace social media to promote products and services, the potential for confidential data leakage or employee abuse is ever-present.

In today’s digital world, personal security is directly tied to corporate security. Therefore, it is critical for organizations to implement employee security guidelines and best practices to improve not only the employees’ digital hygiene and personal security but also the company’s security. At the same time, companies have to be careful about not infringing on personal liberties; any policy in place must balance both security and privacy.


Social media brings security and reputation risks

While social media has brought a lot of positives in terms of communications and providing a platform for different voices, it also carries risk. As we saw recently with the January 6 attack on the Capitol, many employers were quick to fire or condemn employees who had attended the attack and/or praised it on social media because it reflected poorly on brand reputation.

There are also the obvious sorts of non-disclosure agreement (NDA) issues that can arise with social media. Employees using social media to share trade secrets or disclose new deals before they should go public can clearly have a negative impact, with the potential for subjecting the company to legal troubles. But a lesser-known aspect is that employees’ social media use can open up a company to cybersecurity risk and inadvertent sensitive information disclosures. As an example, hackers can gather information about your employees from different social media sites, then aggregate it and use it to guess the usernames and passwords of employee accounts, such as their corporate email. They can also aggregate relationships across employees and executives to reveal sensitive business relationships.

A corporate social media policy is a must


A solid, documented social media policy is meant to protect both employers and employees. Unfortunately, many such policies are sparse on details about what secure social media practices look like and what actions employees should take to improve their individual, and therefore, corporate risk factors. Employees need clear guidelines on what the company expects with respect to their social media use.

A corporate social media policy should make clear, at a minimum, how employees engage online on the company’s behalf and what employees can and cannot post about, including:

  • Sensitive/private/confidential company information
  • Personal customer information
  • Comments about co-workers, customers or vendors that could be considered harassing, threatening, retaliatory or discriminatory

Many corporate social media policies focus only on these few essential guidelines. But a solid policy should also contain guidelines and recommendations for good personal cyber hygiene – things like not using business email addresses to sign up for personal social accounts, the need to change passwords regularly, and how to avoid password recycling. It should include recommendations on implementing multi-factor authentication and tips for creating stronger passwords. It should also include recommendations for how to secure personal information from general public view, and how to check what is publicly viewable on the major social media platforms.

A solid corporate social media policy also needs to lay out the implications or disciplinary actions for violating the guidelines within.


Balancing privacy, personal freedoms and protection

Under the National Labor Relations Act, employees are free to discuss working conditions and their own employment-related terms with those both inside and outside their organization. Employers aren’t permitted to take retaliatory action against an employee engaging in this protected activity.

That said, there’s been increasing support for companies’ social media policies when it can be proven that it has the potential to truly harm a company. For instance, the National Labor Relations Board recently ruled in favor of a California ambulance company that sought to restrict employees from engaging in social media postings deemed to be “inappropriate communications” about the company.

Employers need to ensure they are truly evaluating their corporate social media policy with a goal of protecting the company while also not infringing on personal rights.


Craft a secure policy

Social media provides significant opportunities for organizations to interact with customers and prospects, judge public brand sentiment, deliver corporate messaging directly to the public and more. It’s a medium that is intended for sharing and communicating, but in the corporate world, the wrong kind of communication can quickly sour your brand. And even the most innocent sharing online can be fodder for attack as bad actors aggregate seemingly harmless employee information.

Incorporating and promoting a social media use policy within an organization doesn’t by itself ensure employee adoption or comprehension; training will be an important aspect of a comprehensive strategy. But a policy is an important part of the solution and a place to start. Use the information provided above to begin the process of crafting a policy that satisfies both security and employees’ rights.