Yammer boasts that it is in use by over 90,000 companies and organisations, including over 80% of the Fortune 500. That’s an incredible achievement, but it’s also quite scary.
Many Yammer initiatives are opened by a few engaged people who pull their organisations into the amazing world of enterprise social networking. How many of those organisations are likely to have considered what happens if there is a data breach? Or have they considered what their clients would say if they knew sensitive client issues may be discussed on Yammer hosted forums?
To be clear, this post takes no issue with Yammer or any similar service. It’s an innovative product which has demonstrated an obvious need in the enterprise collaboration space. We’ve often written about aspects of enterprise social networking and we’ve a strong belief that they will become the collaboration hubs of the future.
What do I need to think about?
Most web hosted services boast terms and conditions that reveal a reasonable set of guidelines around content ownership and user privacy measures. Typically services will commit to taking industry standard data security measures. Importantly though, these services will not (and cannot) guarantee your data is free from potential breach – either through malicious attack or simply a disgruntled employee.
What would the cost be to your enterprise if data shared on these services was revealed? In the luckiest of cases, it will be merely embarrassing and with a bit of TLC the affected communities could forgive and forget. In most cases, it is likely to lead to a loss of trust among affected communities and consequent loss of business with some time to build trust again. In some cases, it could result in publicity or litigation which threatens the very survival of your organisation.
The consequences of a breach will be unique to your business, the data shared, the trust relationship you had with the affected communities, etc.
Wouldn’t it be easier to just not use these services?
Maybe – but progress tends to bypass those who ignore advancement for fear of what might happen. The mere presence of risk does not mean something is to be avoided. With appropriate risk mitigation activities, there’s no reason your organisation cannot reap the benefits of these technologies – and there is a growing body of evidence to indicate that the benefits are significant.
Policy is arguably the most effective risk mitigation tool available. Your organisation should have an acceptable use policy for the enterprise social network and this should include rules, codes of conduct and some practical guidelines.
A brief aside – it’s worth mentioning that enterprise social networks do not need to be web based. Some vendors, e.g. SocialText, provide self-hosted options which offer significantly less opportunity for malicious behaviour. Of course, these will tend to be pricier and the additional cost needs to be weighed up against the “cost” of the risk (where the cost of a risk is a function of cost when realised and probability of being realised).
Developing enterprise social media policy
Don’t be fooled – developing policy is hard. My experience is that traditionally policy has been written to tell everyone the things that they can’t do. That doesn’t feel very engaging and is unlikely to demonstrate the principles of social media which are all about engaging people openly. Your policy should encourage engagement but frame it in a fashion that explains its context in an organisation and is aware of the risks that brings.
Important considerations include
- Is it acceptable to mention clients, business partners or suppliers by name?
- What documents can / can’t be uploaded onto the service?
- What is the “tone” that you want to achieve with the service? We’d hope you opt for open and engaging
- What is the line you want to draw between corporate and personal information?
- Will the enterprise social network be used for official communications or only as an informal channel?
- Will the network be extended to include external parties?
The policy balance will be different in all organisations and should reflect both the existing company culture and the ambition of the leadership. Guidelines need to be driven by what your organisation’s stakeholder communities (clients, employees, suppliers) would consider reasonable.
The policy should be widely socialised and, where appropriate, include reasonable censure. That said, my preference is always to draft policy which encourages people to get engaged and get involved. Where censure may be relevant, it will typically be reflective of existing contractual relationships such as NDAs and a code of conduct. Even before enterprise social networks, revealing company confidential information was illegal and would attract censure.
And all this needs to be achieved in no more than a page or two if you’re to be realistic about whether it’s going to be read!
The takeaway from this is quite straightforward. Your organisation needs to
- Consider what an acceptable level of risk is …
- Determine how best to frame this risk into a policy which encourages engagement and
- Socialise the policy in a way that encourages more people to get onto the network.