Preventing Data Loss

Social media information is hard to detect, monitor, and prevent from leaving the corporate environment. Data loss prevention is focused on intellectual property (IP). Where is IP used in social media? Whether employees send out IP consciously or inadvertently, the channels for distribution are readily available. A web-based social media application can allow employees to access Facebook via a browser and easily post confidential information and photos. Without URL filtering technology in place, an employee can easily bypass other monitoring solutions and post your information via web browsers and desktop applications. To prevent data loss, IT must implement technologies such as McAfee to monitor, block (although blocking may encourage rebellion and misuse anyway), and report on social media activity that can compromise intellectual property requirements. To manage IP data loss, you must conduct the following:

image Monitoring Technologies have to be in place to monitor how employees and even customers are using your IP.

image Training Make explicit to employees the policy concerning the authorized and unauthorized use of company IP.

image Blocking If employees have no rights to utilize IP, then they should be prevented from accessing and publishing that IP.

image Reporting If you cannot report on activity in a measurable way, you have no idea what is going on in your environment.

As we discussed in policy development in Chapter 6, you don’t have the power to execute corrective actions without the ability to actually enforce the policies you have developed. In a typical IT security policy, enforcement is based on technology controls. With social media, unless you have monitoring systems in place to see who is using which social media site, knowing how the site is being used or what is being said about your company is impossible.

Enforcement has to be a key component of social media security. It’s a very diverse medium. Employees can create hidden profiles or fake profiles and say anything they want about your company. The only thing you can really accomplish is to enforce your corporate policy on employees who break your social media policy and work with Human Resources to implement some form of corrective action. However, you’re fighting a losing battle unless you engage employees directly to participate in the monitoring process. Reinforcing positive usage and positive employee role models when it comes to social media usage is far more effective than banning sites or trying to catch misuse. Encouraging employees to monitor each other greatly reduces the need for corrective measures.

Determining if a policy is better enforced with processes or technology can be challenging. For example, you can employ keylogging software to capture all activity on a computer, but that would be impractical for just tracking social media activity. Or you can use Web URL filtering to inventory which social media sites employees are visiting and map this back to which employees are authorized to use those platforms. Then you can get more granular and determine what, if any, intellectual property is being disseminated over those platforms. By understanding which employees are using social media platforms, you can understand their access to IP and then implement more specific restrictions and training regarding IP leaving the environment.

Tracking data loss is much harder when it comes to copyright versus intellectual property. The nature of copyright infringement is really about abusing the rights of others in printed material. It’s next to impossible to monitor, block, and report on employee abuse of copyrighted material. If your employee steals someone else’s copyrighted material to use in a blog post for corporate marketing, the IT department would be hard pressed to know if the employee is actually infringing on someone else’s material, particularly when the material is copied and pasted or downloaded and then hosted on the company’s servers. Yet the corporation is still liable for copyright violation. Sites are available that will allow you to check for plagiarism (i.e., http://www.dustball.com/cs/plagiarism.checker/), but the IT department cannot and should not check every post Marketing puts out for copyright infringement. Neither is it feasible to check every post out there to see if your material has been stolen. At a minimum, make sure your employees are not stealing other site’s material by randomly checking employee posts. See Figure 8-2 for the output of a paragraph already posted on Alex’s blog. This task could fall to the Legal or Marketing department managers.

image

Figure 8-2 Finding a plagiarized article

Licensing options, including Creative Commons (www.creativecommons.org), exist to allow for publishing, using, remixing, and reusing text, photos, video, audio, music, graphics, illustrations, and other artwork without infringing on copyrights. But again, IT cannot know what is and is not licensed under Creative Commons. The responsibility lies with the person or team publishing the material.

Neither the IT nor the Marketing department can be expected to be experts in copyright law. Earlier restrictions on the use of copyrighted material do not really affect today’s copyright problems in the social media sphere. The basic copyright terms are listed here:

image

How many of these really apply to a blog post you saw that might be useful to your company, so you copy it to post on your intranet? As far as we know, web blogs did not exist before 1977! But you may copy a reference from a newspaper article going back many years for a blog post, so knowing what is and isn’t public domain is helpful.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset