Facebook now claims 300 million active users. And Twitter, has 6 million monthly unique visitors. As more employees use mobile devices and their desktops to access social media sites, it poses an increasing security risk both for user and organizations.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security issues, more companies are starting to address concerns by creating a social media policy.

Because social media will not likely disappear (In fact, more are more likely to develop.), an organization needs to create guidelines to help protect their confidential data. Here are a few things to consider when crafting your own policy:

1. Communicate with employees and emphasize current policy. If it’s not acceptable to discuss new business at a live networking event, then it’s not acceptable to post it on Twitter or Facebook. The social media platform may change, but the principle remains the same. “Loose lips sink ships” isn’t just a quote for the military. You may already have a policy in place regarding sharing information. Include it in a social media policy.
2. Use social media policies as an additional tool for your employee awareness program. When you develop a policy, and emphasize it with training classes, email reminders, or media – employees remember how important it is to protect the company’s intellectual property. As you explain to employees that social media just gave them a megaphone to broadcast; and with that comes responsibility, more of them will think twice before sharing something that they’ll know is inappropriate.
3. Work with both the human resource and marketing department. To put a positive spin on usage, it’s good for employees to realize what they can post on their accounts. In fact, your employees can become an in-house public relations firm as they share with their followers the great things about their workplace. Allowing employees to have influence in an organization’s message will give them a sense of ownership in its success.
4. Have a password vault available for each employee. One of the most common ways a hacker gains access to accounts is by discovering a password and then reusing that password to gain access to a person’s other social media accounts. KeePass is a great, open- source version to help secure passwords. Encourage employees to change passwords often.

Keep policies current to match new developments within the social media industry. Be as specific as possible and have ongoing awareness sessions to ensure everyone is on board. By planning ahead and communicating expectations clearly, a company can significantly decrease their level of vulnerability by an employee’s misuse of social media.

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease such liabilities, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.
Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.
It’s good to remember what mom used to say, “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about either their past employer, or worse – their current one, it can poison a customer’s view of the organization. Nothing can kill the possibility of a new sale than hearing an employee broadcast sour grapes. If this is a common occurrence, it can give the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.
Employees are often tempted to mix their personal and work information together when using social media. Although many times, such information can be benign, you don’t want to hear about an employee’s wild night at the local strip club. There are mixed opinions among experts whether an employee should establish a personal account, separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as its done responsibly.

I know that the IE infection is hard to kick. The most common argument I hear, many sites just don’t work with anything but Internet Explorer.

Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.

Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites become so infrequent as to be non-existant and handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. Thats a 90 day, 100% ROI for a 120 day project!!!! In business terms, this is a NO BRAINER.

Given the oddity of Aurora, the history of IE vulnerabilities and the ease at which new users of Firefox, Opera, Chrome, Safari, et all become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where code-rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or xss attacks). We all know the real attack surface for IE is overwhelmingly the Internet.

Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.

Let me know what you think!