Social Media & Social Networking: A Cautionary Tale

  • 1.
    Social Media & Social Networking: A Cautionary Tale
    Michael Gotta
    Senior Technology Solutions Manager
    Enterprise Social Software
  • 2.
    The Social Side Of The Internet
      • 75% of respondents are active in some kind of voluntary group or organization
      • 68% of respondents (internet users & non-users alike) said the internet has had a major impact on the ability of groups to communicate with members
      • 60% of respondents said the internet has had a major impact on the ability of groups to connect with other groups
      • 59% of respondents said the internet has had a major impact on the ability of groups to impact society at large
      • 62% of respondents said that the internet has had a major impact on the ability of groups to draw attention to an issue
      • 59% of respondents said the internet has had a major impact on the ability of groups to organize activities
    Source: Pew Internet http://www.pewinternet.org/Press-Releases/2011/Social-Side-of-the-Internet.aspx
  • 3.
    Social Networking & Social Media: Leverage new tools & literacies to enable new ways of working
    [Figure labels: 3000 friends; 100 fan pages; 50 groups; Has Own Channel; Blogs Daily; Following 325; Followers 915]
  • 4.
    Organizations Face Internal Tension
    An Unequivocal “Yes” Or “No” Is Often Not The Answer
    Benefits:
      • Scale organizational expertise
      • Improve business processes
      • Break down silos and barriers
      • Catalyze employee engagement
      • Address generational shifts
      • Improve talent & learning initiatives
      • Satisfy technology expectations
    Risks:
      • Lack of policy-based management
      • Weak identity assurance
      • Inadequate security controls
      • Questionable privacy protections
      • Misuse by employees
      • Unanticipated data disclosure
      • Potential for “social engineering”
  • 5.
    Leverage Use Case Scenarios: Shift The Discussion From “OR” to “AND”
      • Observe and listen to employees, experts, and management regarding use of social tools
      • Construct use case scenarios from those representative stories
      • Identify decision and enforcement points where risks can be mitigated
      • Plan, execute, adjust
  • 6.
    Use Case #1: “Social Claims”
    Profiles may be viewed as a trusted information source
      • Employee profiles populated with information from trusted enterprise systems
      • Additional information entered by employees regarding skills, interests, expertise, experience
      • Information viewed as “trusted” but claims are not verified, which can lead to risk scenarios
      • Add fields to profile where data goes through vetting process; pre-populate profile with other credentialing information
    [Figure: profile for Mike Gotta. My “Enterprise Identity”: EMPLOYEE #, LABOR GRADE, COST CENTER, DEPT, GROUP. My “Claimed Identity”: JOB TITLE, EXPERTISE, HOBBIES, EDUCATION, INTERESTS, PERSONAL TAGS, COMMUNITIES, FOLLOWING, COLLEAGUES]
  • 7.
    Use Case #2: Profile Proliferation
    Multiple profiles create maintenance and data integrity issues
      • Profiles are becoming a common feature across many vendor products
      • Employees create/maintain multiple “personas” based on technology silos
      • Incomplete, abandoned, or inaccurate profiles due to redundancy create risk
      • Look for ways to federate, synchronize, or otherwise reduce number of user profiles
    [Figure: four profiles for Jane Doe (My Primary Profile; Diversity Community Profile; Selling Into Healthcare Community Profile; Customer Innovation Community Profile), each with the fields EMPLOYEE #, DEPT, JOB TITLE, EXPERTISE, COLLEAGUES, PERSONAL TAGS]
  • 8.
    Use Case #3: Automatic Social Updates
    Lack of notice and consent can create privacy and HR issues
      • Automating profile updates can ease maintenance efforts by employees, increasing adoption
      • Vendor products are monitoring user activities and adding those actions to profiles without user intervention
      • Unintended consequences can occur leading to HR-related issues such as diversity bias
      • Include requirements for user-defined profile controls and management of profile updates from system activities/events
    [Figure: My Profile #1 for John Doe (EMPLOYEE #, DEPT, JOB TITLE, EXPERTISE, COLLEAGUES, COMMUNITIES) with two activity streams, one marked Restricted Access and one marked Public Access, fed by the Diversity Community and the Selling Into Healthcare Community]
    Activity stream entries shown:
      • John Doe: Joined Community: “Selling Into Healthcare Community”
      • John Doe: Joined Updated Wiki: “Best Ways To Respond To An RFP”
      • John Doe: Joined Community: “Diversity Outreach Community”
      • John Doe: Joined Community Forum: “It Gets Better Awareness Campaign”
  • 9.
    Use Case #4: Information Leakage
    Open discourse can lead to sharing of inaccurate / sensitive data
      • Micro-blogging / activity feeds are becoming a popular means of sharing information
      • Information shared in a public stream may be re-posted to profiles or other entities subscribing to that stream
      • Public conversations or events published via other systems can create confidentiality and audit/archival concerns
      • Policy, role, and rule-based approaches that create common treatments across applications are warranted
    [Figure: an e-mail client, an activity stream, and My Profile #1 for John Doe (EMPLOYEE #, DEPT, JOB TITLE, EXPERTISE, COLLEAGUES, ACTIVITY STREAM), each displaying the same status updates]
    Activity stream entries shown:
      • Mike Jones: “Heading to the airport to meet with Company ABC on cross-selling biz deal”
      • John Doe: “Working on a acquisition deal, need to work late tonight… stay tuned!”
      • Fred Smith: “&#%^%$* we just lost Company XYZ account…
      • Betty Smith: @Bob Jones that patient ID number is 123456789
      • Bob Jones: @SamJ I’ve changed the access controls so you can get into the workspace
      • Sally Jones: I heard we might have a layoff by quarter end?
      • David Brown: @SalesTeam I posted the new product discounting policy to the sales strategy community
      • Mike Jones: “Does anyone know the best way to get an SOW processed in 2 days? I have an urgent need…”
      • John Doe: “Hi, I’m a new remote employee – wondering who else is working in the marketing department!”
      • Fred Smith: “Just figured out a workaround to a problem with our field group – ping me if interested…”
      • Betty Smith: “We’re starting an innovation community on data quality – let me know if you’re interested”
      • Bob Jones: “Does anyone know what IWE stands for?”
      • Sally Jones: “Great article on social media risks http://xxxxxxx”
      • David Brown: “@Sally, thx, we’re updating our policies now”
  • 10.
    Use Case #5: Connected Identities
    Display of public profiles can have unintended consequences
      • Employee personal use of social media is becoming more commonplace
      • An increasing number of tools aggregate Facebook, LinkedIn & Twitter information to display in applications like e-mail
      • Mixing public and enterprise data can give a false sense of validity and context, creating trust and privacy issues
      • Examine how the public data is aggregated; re-visit consent issues; provide users with an opt-out option
    [Figure: an e-mail client showing the message “Re: Partnering Opportunity” from Bill Smith (Sent: Thu 03/01/11, To: John Doe, “We’ve discussed the proposal and have decided to pass at this time…”) next to a “ThePublicMe” panel labelled “John Doe’s social data displayed here”, and a “TheWorkMe” panel showing My Profile #1 for John Doe (EMPLOYEE #, DEPT, JOB TITLE, EXPERTISE, COLLEAGUES, COMMUNITIES)]
  • 11.
    Use Case #6: Oversight: Approved Use
    Sanctioned use of social media can still require controls
      • Regulatory and other policies can place enterprise constraints on use of social media
      • Guidelines are often “gray” and leave use of many features open to interpretation regarding compliance
      • Consumer and enterprise software providers often lack end-to-end capabilities
      • Combine a mix of policy, monitoring, audit, and tooling tactics to mitigate risks to an acceptable level
    [Figure labels: FINRA/SEC; FTC Guidelines; EU Privacy Regulations; HIPAA; Notices & Disclaimers; Name; Profile; Web Site; Listed; Social Media; Following; Lists By; Favorites; Alternative clients, widgets, message notifications…; Message Types: Posts, @ Messages, ReTweets, Direct Messages; Embedded Policy-based Management with external integrations (security, compliance…)]
  • 15.
    Use Case #7: Oversight: Personal Use
    Well-intentioned use may not excuse enterprise liability
      • Regulatory and other policies can also place constraints on personal use of social media
      • Building a “personal brand” as an employee may seem like a worthwhile endeavor
      • Enterprise policies or regulatory statutes may apply to personal use of social media, raising potential compliance concerns
      • Re-visit policy, code of ethics, and social media guidelines. Educate employees on risks. Leverage monitoring tools.
    [Figure labels: Employee As “Brand Ambassador”; ThePublicMe; My Blog; My LinkedIn; My YouTube; My Twitter; Profile; Recommendations; Websites; Summary; Status Updates & Activity Stream; Third-Party Content & Applications; Groups & Discussions Forums; Jobs & Answers; Contact Settings (Interested In…); Opportunities, Expertise Requests, Consulting Offers; Alternative clients, widgets, message notifications…]
  • 18.
    Use Case #8: Deciphering Relationships
    Social analytics can identify patterns that thwart policies
      • Social network analysis is used to identify relation structures between people
      • Access to social analytics is becoming more widespread, available to all end users in some cases
      • Unfettered analysis of social data can lead to accidental or intentional abuse as well as social engineering attacks
      • Ensure social analytic tools include access controls, audit trails, and policy support to limit capabilities
    [Figure: network graph of Node 1 through Node 24, with groups labelled R&D Dept., Ideation Community, and Business Development Team]
  • 19.
    Recommendations
    People
      • Define a governance model that makes sense; ensure enforcement is visible
      • Balanced privacy considerations (enterprise and employee)
      • Create feedback loops for employee ideas and concerns
    Process
      • Update policies, terms of use, and code of ethics; consider specific guidelines for social media and social networking
      • Make sure you have end-to-end processes with defined roles, responsibilities, and metrics in place for assessing risks – prioritize employee communication
      • Audit data handling procedures to ensure proper management of social data
    Technology
      • Adopt a “platform approach” towards social media and social networking
      • Make embedded policy-based management services a priority capability
      • Favor platforms that integrate with security, identity, and compliance systems
  • 20.
    Summary
      • Social media and social networking are strategic initiatives that are here to stay – saying “no” is not the right approach
      • Identity and security needs should be viewed just as positively as goals for openness and transparency
      • A decision-making framework and governance model is an essential component of any strategy; policies and procedures need to focus on the human element and avoid technology as a panacea
      • Adopt a platform approach – prioritize solutions with embedded policy management and strong integration capabilities
      • IT teams that should be viewed as key stakeholders include:
          • Groups responsible for CRM, collaboration, content, and community efforts
          • Identity management and security groups
          • Information (records) management and business intelligence groups
  • 21.
    Closing Remark
    Increasing Ethical Dilemmas: Public vs. Publicized
    “Just because we can rupture obscurity, should we? Just because we can publicize content, should we? Just because we can leverage PII, should we? Just because we can aggregate and redistribute data, should we?” – danah boyd, WWW 2010, 4/29/10
    What are the ethics? What do we do about the consequences?
  • 22.
    What role is there for privacy? What “controls” should be afforded to “owners” of one’s own social data?
  • 23.
    Should we record things when we don’t have to?
  • 24.
    Is automating the aggregation of information and correlating it sometimes “wrong” without consent?
  • 25.
    How does this apply within an enterprise context?