Mitigating Employee Social Media Risks

Darren Millar

October 1, 2021


When evaluating corporate risks today, employers cannot afford to overlook their employees’ social media activities. Social media introduces not only reputation risks but cybersecurity concerns as well. To address these threats, organizations should develop methods to screen for potential problems and effective social media policies that set clear expectations for employees’ social media conduct.

Risks of Social Media

Reputation risk is probably the most obvious and prevalent concern in terms of the ramifications of social media posts. Whether posted on the company’s official account or an employee’s individual account, missteps can attract negative public and media attention. If this happens, your company is likely to suffer brand damage—potentially even to the point of lost revenue—and rehabilitating the company’s image can be challenging.

Social media risk also stems from employees divulging corporate information before an official announcement. For example, a worker noting that they are worried about impending layoffs can send stock prices into a dive or cause prospective clients to back away.

Employee social media activity also creates cybersecurity risk. The increase in remote work and the blurring of the line between corporate and home networks have exacerbated this problem. Many employees now routinely access corporate assets via personal networks or devices, which gives malicious actors an opening to conduct social engineering or phishing attacks, for example via malicious links posted on social platforms.

Conducting social media screening and creating a strong corporate social media policy are two important ways to protect your company and your employees from these risks.

Screening Out Social Media Risk

Most employers want to avoid obvious warning signs in a potential new employee, including troubling statements or activities on social media. Businesses should not be too hasty to disqualify someone solely based on their social media activity, however. What people post on Twitter, Instagram and Facebook may not be comparable to what they put on a more professionally focused platform like LinkedIn. Each has its own format and audience, so the content on each must be viewed in the appropriate context.

In addition to looking for inappropriate posts, you should also look for people who just generally overshare. These social media super-users may provide a running update on everything they are doing, everywhere they are going and every personal problem they are having. This kind of oversharing can expose the individual and the entire organization to cyberattacks and social engineering, such as spearphishing. The more information an attacker can piece together about your employees, the more likely they will be able to create a realistic-seeming email or to purport to be them when interacting with other staff.

Given the significant impact spearphishing and business email compromise have on organizations, a strong corporate social media policy is not only a reputation issue but a cybersecurity imperative. Ensure all employees are trained on the policy and held accountable for following it.

Developing an Effective Social Media Policy

When creating or revising a social media policy, an organization’s leaders must consider and carefully weigh issues of privacy and make sure the policy does not overstep. For a social media policy to be successful, employees must understand that their actions can have consequences and that personal security can make or break corporate security. For instance, if an employee adds more privacy settings to their social media profiles, that can ultimately benefit both them and their company by reducing their digital footprint and lowering the chance of compromise or exploitation. Demonstrating the connection between corporate and personal security is a critical step to successfully implement a social media policy without making employees uncomfortable.

Many social media policies are thin on details about what secure social media practices look like. As a baseline, employees need to know how to engage socially on the company’s behalf and the information they should not post:

  • Private, confidential or sensitive information about the company
  • Personal information about a customer
  • Comments about customers, vendors or co-workers that could be considered threatening, harassing, discriminatory or retaliatory

A strong social media policy should also contain guidelines for personal cyber hygiene. This includes tips like not using business email addresses to sign up for personal social media accounts, creating stronger passwords, changing passwords regularly, not reusing passwords across accounts and enabling multi-factor authentication. It should also contain recommendations for how to keep personal information out of public view and how to check what is publicly viewable on the major social media platforms. Consequences for violating the social media policy need to be clear as well.

Finally, social media risk assessments need to be a part of the policy. The company should conduct risk assessments only as far as needed to achieve that objective, and it must always be transparent, showing employees (if requested) what vulnerabilities it is examining and what logs and records it is keeping. This builds trust with employees so that you can continue to get their buy-in and cooperation.

Darren Millar is senior vice president, operations at PiiQ Media.