Social Media Usage: an exercise in control

Social media is part of everyday life. Yet for all the benefits such connectivity offers, employers now have to confront the hazards it introduces, both in terms of viruses which can be introduced into the organisation’s own computer systems and the reputational damage which can be caused by work-related banter in public fora. Dominic Nessi offers constructive advice to employers who may feel, or not recognise, that they are behind the curve in terms of securing themselves against the online threat.

Social media is an easy way to connect with family and friends, make new connections and share photos, videos and personal updates. Businesses themselves have learned that a social media presence has become an integral component of their strategic marketing effort. Twitter, Facebook, Instagram, YouTube, Snapchat and Yelp are just a few of the many social media outlets that have now become an integral part of our lives.

Unfortunately, however, there is a darker side to social media that has become a serious issue in the workplace. Employees using social media to express negative opinions about employers, co-workers, working conditions and experiences have become so common that there is seemingly a daily news article about inappropriate use. In other cases, employees use social media in a manner that, while not directly related to the business itself, still casts a negative light on that person and, by extension, their business or organisation. Even worse is when employees use social media to accidentally or intentionally reveal confidential, security-sensitive or personal privacy information that projects a negative image of the business, potentially causing a loss of revenue or reputation.

There is, of course, a more sinister aspect to social media: external attackers may use the information they glean from employees’ social media accounts to build a social engineering attack using tactics such as pretexting or spear phishing. In pretexting, an attacker compiles personal information on an individual and uses it to gain access to their accounts by developing a fictitious story, often presenting themselves as the targeted individual in interactions with their bank or other institutions where they can gain a financial foothold. In spear phishing, the external attacker uses the information to concoct a believable story in an email which is used to entice the individual to ‘click’ on links that will provide access to their personal financial information.

The aviation transportation industry (ATI) is not immune to these abuses and, in fact, seems to garner more than its fair share of media attention. Everyone seems to take an interest in the latest incident at their local airport or the latest airborne conflict between airline staff and passengers.

Especially popular in social media is the interaction between flight attendants and passengers. Air travel can be an exciting experience for travellers, but it can also produce stress, tension and conflict when a flight doesn’t go as expected. While airlines cannot control the use of mobile devices and the subsequent posting of unpleasant photos and videos by passengers, airlines and airports should have an expectation that their employees will not contribute to negative postings.

Unfortunately, this is not true. For example, there have been numerous cases of flight attendants making negative posts about passengers or their working environment, obviously not reflecting well on their respective airlines.

And the more extreme the incident, the more likely it is to go ‘viral’, oftentimes getting picked up by multiple national news sites. In the world of the internet, once a story gets ‘legs’, there is no telling where it will end up; the damage it causes is impossible to contain, and the content will likely remain accessible for a long time, if not forever.

So, how does an organisation protect itself and, indirectly, protect its employees from endangering themselves?

The following steps are essential for any ATI organisation.

1. Establish a written internal social media usage policy that is provided to each employee when they join the organisation’s workforce. Provide training on the policy during on-boarding orientation, require the employee to sign and retain a copy of the policy, and store a signed copy in the employee’s personnel file.

The policy should be developed by the human resource department and be reviewed by legal counsel who has expertise on the subject of social media and governmental regulations related to employee rights. The policy should contain all of the following:

  • Reflect an individual’s right to use social media in a responsible manner in their personal life, but remind them that the public will always view them as a member of their particular company.
  • Notify the employee that the employer has the right to monitor social media usage by its employees.
  • If an employee has a complaint about their working conditions, employer, or co-workers, remind the employee that those issues should be brought to the human resources department and not aired on social media.
  • Always be polite and responsible. General statements about the appropriate use of language should be included.
  • When posting about industry topics or issues, it must be clearly stated whether or not the poster is acting in an official or personal capacity.
  • Don’t post personal information or photos with settings open to the public. Encourage employees to regularly review their privacy settings and ensure that they are appropriate for the material they are posting.
  • When posting about a controversial topic, use clear and repeated disclaimers to highlight that opinions are those of the individual and not the employer.
  • Remedies for violation of the policy should be clearly stated.
  • And most importantly, encourage the employee to “think before they post”.

When developing the policy, the organisation must be careful not to impinge on an individual’s right to expression or prohibit an employee from engaging in protected concerted activities. For example, employees in the United States have the right to discuss workplace matters, such as the terms and conditions of employment. This right may be present in other countries as well.

2. Outline internal topics that are off-limits for employees to discuss on social media. These will include sensitive company information, customer profiles or privacy information, intellectual property and trade secrets. They will also include proprietary information, business activity and the names of internal managers. An especially important off-limits topic in the ATI is any discussion of security measures at an airport or for an airline. Even the most innocuous mention of security measures could provide an attacker with information that they should not have.

It is important that the business be very specific about what may or may not be discussed. For all practical purposes, it is best simply to state that the business shouldn’t be mentioned at all. While it is always nice for employees to post positive comments, it is not really the responsibility of employees to deliver that type of message.

3. Implement the policy on an organisation-wide basis. There should be no exceptions for any individual or department when applying the social media policy, and violations must be addressed in a consistent and predictable manner for all employees.

4. Regularly monitor social media through a third-party service that will identify any mention of the business name or key management personnel. In smaller organisations, it may be possible to list all employees. Only approximately six percent of the internet is visible through common search engines and browsers such as Google or Microsoft Internet Explorer. The remainder is the Deep Web, which includes the nefarious Dark Web. Special analytical tools are needed to see whether the business name or related information is being mentioned for nefarious purposes.

5. Don’t assume that the initial training on the policy is sufficient. Annual reminders are necessary to reinforce the importance of maintaining an appropriate social media presence and the dangers employees may encounter when revealing too much of their own personal information. When possible, face-to-face training is always more effective.

6. Review the organisation’s social media policy and related training topics on at least an annual basis. New social media outlets seem to surface every year, each presenting a different manner in which an employee can express themselves. Ensure that the policy in effect is adequate to cover new products. Also review the policy as it may relate to privacy and public records laws. An employee who releases privacy information may be placing the organisation in a difficult liability position, even if the employee was not authorised to release the information.

7. Establish a ‘culture of security’ in which employees are reminded not to reveal company or personal information on phone calls or in emails where they are not 100 percent sure who is on the other end. Some organisations employ mock spear phishing exercises to see how many employees ‘bite’ on a fake email. Those that do are usually rewarded with extra social media training.

8. Establish a policy which clearly outlines whether or not an employee may access their social media accounts using the organisation’s technology resources and during the business day. In most cases, this should be prohibited. The likelihood that use of social media could introduce malware into the environment is always present, not to mention the loss of productivity. Network administrators may automatically block access to social media sites.

9. Managers and supervisory employees should be reminded that engaging in social media relationships with subordinates could be problematic should there be an employment issue that needs to be addressed at some point. The general rule is that you shouldn’t have a relationship online that you wouldn’t have in real life.

10. The organisation should establish a strict policy on how, or whether, it reviews the social media postings of prospective employees. Typically, social media postings should not be used in screening potential candidates. Information discovered in social media postings may be used for background checks, but should not be revealed to the selecting official, in order to avoid the appearance of improper influence. This particular topic is fraught with potential landmines, and policies should be developed by knowledgeable human resource practitioners and strictly followed by anyone engaged in the hiring process.

Unfortunately, once an employee becomes a ‘former’ employee, the organisation is limited in what it can do to protect itself from negative information. While non-disclosure agreements may provide some limited protection against the release of sensitive or proprietary information, reputational attacks are not as easy to defend against. When an organisation identifies social media posts that are detrimental to the business, they should immediately be referred to the legal department for review and to determine whether there is an appropriate response.

It is fairly safe to assume that the use of social media will only grow in the future. It can be managed in a positive and professional manner if an organisation establishes a clear, consistent and appropriate framework in which its employees can take advantage of the positive features that social media offers.
Dominic Nessi

Dominic Nessi is the VP for Strategic Engagement, Airports for the Aviation-ISAC, which provides cybersecurity intelligence and analysis to the air transport industry. He is also a senior advisor with Burns Engineering.