This short summary document provides organisations with an introduction to, and a general awareness of, the risks associated with blogging and social networking that may affect the effectiveness of local services.
Terms used: Blogging is using a public website to write an on-line diary (known as a blog) sharing thoughts and opinions on various subjects. The word blog is derived from the phrase weB LOG. Examples of blogging websites include Twitter.com and Blogging.com. Social networking is the use of interactive web-based sites that mimic some of the interactions that occur between people in life. Examples include Facebook and LinkedIn.
Why are Blogging and Social networking an Information Governance issue?
The use of blogging and social networking websites by an NHS organisation’s employees can expose that organisation to information risks, even where these sites are not accessed directly from work. Whilst there is nothing new about the information risks, what has changed is the availability of high-capacity broadband, the popularity of Web 2.0 sites and the rapid growth of internet-enabled devices such as mobile phones, BlackBerries etc. This has resulted in significant awareness and uptake of these websites from home, from work and when mobile.
What are the potential dangers to the organisation of using blogging and social networking?
A range of potential threats exist that organisations should be aware of:
Unauthorised disclosure of business information and potential confidentiality breach. Additionally, users can access unauthorised websites, which may carry little risk but can hugely affect productivity. For example, accessing sites like BBC iPlayer using the company VPN from Ireland may not carry any risk, but it can waste time and affect the company network. Blogging and social networking sites provide an easy means for information to leak from an organisation, either maliciously or otherwise. Once loaded to a site, organisational information enters the public domain and may be processed and stored anywhere globally. In short, organisational control is lost and reputational damage can occur.
Malicious attack associated with identity theft. People often place a large amount of personal information on social networking sites, including details about their nationality, ethnic origin, religion, addresses, date of birth, telephone contact numbers and interests. This information may be of use to criminals who are seeking to steal identities or who may use the information for social engineering purposes.
Another important risk from allowing employees to use social media and public forums is the possibility of defamatory postings by those employees. Take a public forum, for example: most of these require a user to accept some terms and conditions before they are allowed to post. These can often be quite substantial and are intended both to protect the website or forum and to enforce any rights such as copyright. This is important for any site which allows people to express their views; even large corporations like the BBC use them. The problem is that any infringement by a company employee using company hardware and on company time could be considered a liability against the company, not the individual.
There are numerous risks online, and one of the problems is that many organisations have little experience in dealing with these issues. Most companies have probably only allowed large-scale internet access for a decade or so and may still only be developing internal policies and procedures in order to mitigate these risks.