This week, we are taking another look at our recently commissioned research into security within the public sector. Our survey of compliance officers, IT managers and C-level executives has shown that the sector has made great leaps forward in cyber security. It is certainly a higher priority than it was just a few years ago. However, the research also uncovered a couple of areas that require more attention in order to avoid a data breach or similar security breach. Last week, we looked at how third parties’ security measures were a potential weakness that could be exploited. This week, we look at how social media use could open the door to security breaches and brand damage.
What is clear from the survey results is that there is now a heightened awareness amongst public sector organisations (PSOs) about security risks. Numerous data loss stories, coupled with tales of organisations having their reputations damaged by the activities of errant staff, have acted as a warning to the UK’s public sector. Indeed, in the event of a data leak, the top two concerns for PSOs were listed as reputational damage and financial consequences (such as fines).
Social media is changing the way in which public sector organisations communicate with the people using their services, as well as other public sector affiliates. It is an incredibly useful tool to engage with target audiences, posting information about everything from new building projects to central government updates. But social media is also a consumer tool and this blurring of the lines between personal and professional can cause confusion amongst social media users within PSOs.
As many as 38 per cent of PSOs do not have a social media policy in place which determines the do’s and don’ts of outbound communication. This is setting many organisations up for a fall. For example, many organisations encourage staff to use their own social media accounts to spread their messages further. However, if their Facebook or Twitter feed was initially set up as a personal account, there may also be messages on these feeds that are deemed inappropriate. It is not necessarily the place of the employer to dictate the contents of a personal social media account, but they may wish to encourage staff to create work-only accounts or not to spread the message at all – if a policy is in place, then people are aware of boundaries and unlikely to make costly mistakes.
The other issue with social media is the immediacy of the phenomenon. Traditionally, any external communications with the public would be crafted with a specific message in mind. The announcement would be edited and signed-off by numerous people in a process that could take days or even weeks. Finally, the announcement would be made and the full consequences would have been thought through. Nowadays, a tweet can be written and sent in seconds with little thought to how this affects the organisation’s communications strategy or its brand reputation.
Our research showed that 71 per cent of respondents enable the use of Twitter (with only a fifth actively banning it). Of those that allow the use of Twitter specifically, two-thirds believe it should be used solely as a corporate communications tool, with the other third feeling that it should be allowed for personal use as well. Surprisingly, other social media channels – blogs, LinkedIn, bulletin boards – are less popular in comparison, despite being more obvious business platforms.
Ultimately, PSOs need to consider their usage policies for social media. Implementing an outright ban is no longer an option. Safe and clear guidelines need to be put in place for all employees and they must be enforced. If technological enforcement is not used, then the communications channels should be monitored, if not all the time, then at least enough to ensure that the policies are being followed. Social media can be an invaluable communication tool for the public sector, but only if it is managed effectively and used as part of a broader strategy. By ignoring the risks, organisations increase the likelihood of problems further down the line – and these are the ones that can go viral. When it comes to social media, ignorance may not be bliss.
*Clearswift commissioned research into the attitudes of individuals who work in UK public sector organisations towards information security. In total, 277 people across 247 unique UK public sector organisations were surveyed, ranging from compliance officers and IT managers to C-level executives. The organisations that took part include the NHS, city/local councils, universities, trusts, central government and the police. The survey was conducted on behalf of Clearswift by Surveys in Public Sector (SPS), a division of Ingenium IDS. Ingenium is the UK’s foremost public sector demand creation & research organisation.