2.2.6 Legal interpretations of social media risk and threat mitigations in organizations
With the ever-increasing popularity of social media, a number of
privacy and security threats have emerged. These threats have spread from individuals to
organizations because employees have been quicker to adopt and use social media in their
workplaces and on organizational computers. There has also been an increasing adoption of
social media by organizations for publicity and marketing purposes. Therefore, organizations
have no choice but to proactively react to the threats they may be facing due to the social
media craze. Whilst social media can lead to the growth of sales and improved brand
awareness, it can also lead to unwanted consequences, ranging from malware to the
destruction of an organization’s reputation.
In a law journal, Russell and Stutz (2014) published a piece on what
employers are expected to know about social media. This thesis gives considerable weight to this
literature, since it is focused on mitigation measures that organizations should deploy to
protect themselves from social media privacy and security threats. Of core importance to this
research is how end users, organizations included, can protect themselves from the negative
effects of social media. This is especially due to the increasing number of threats that are
being witnessed on social media platforms. Russell and Stutz give a number of approaches
that organizations can use and this thesis will borrow from these.
Russell and Stutz (2014) say that an organization should pay attention to the social
media accounts of their potential employees during recruitment. This is a sound security
practice that this thesis acknowledges. It allows organizations to study the potential risk
profile of an employee in terms of exposing sensitive information on social media platforms.
However, there are certain laws that may stand in the way of this, which Russell and
Stutz want organizations to know about. In the US, employers need to be authorized by candidates
in order to snoop around their social media accounts during background checks. It would
otherwise be termed as illegal for organizations to disqualify candidates based on social
media activities observed without permission from a job candidate (Russell & Stutz 2014).
On the other hand, the United Kingdom requires employers to give job candidates a chance to
determine the accuracy of the data available online about them (Russell & Stutz 2014). Other
countries such as France have banned the use of information gathered from social media
platforms for hiring purposes (Russell & Stutz 2014). However, France allows for the use of
information from LinkedIn since it is a professional social network. Most other European
countries follow the same trend. This information by Russell and Stutz is quite important. It
shows the legal demarcation of how far an employer can establish the social media risk
profile of a potential recruit. From this information, it can be seen that organizations’ powers
are quite restricted here and a recommendation to check the social media profiles of recruits
might not be so effective in today’s workspace and legal environment.
Russell and Stutz then look at the issue of organizations monitoring the usage of
social media at the workplace. This thesis deems social media usage in the workplace as a
security concern because threats that a user faces can easily flow to the organization. If a user
downloads linked malware or visits a malicious website, it is a workplace computer that
will be infected. In this case, the employee will have put into jeopardy the security of many
other computers in the organization. Therefore, it is good for organizations to monitor the
way employees use social media. Russell and Stutz still focus on the legal viewpoint and they
look at different jurisdictions. In the European Union, employees are given the right to
privacy and private life while in the workplace (Russell & Stutz 2014). For an organization to
monitor this type of information, it needs to announce it beforehand.
Russell and Stutz (2014), however, hint at some leeway here, saying that
EU courts allow organizations to investigate employees that they suspect of violating
company policies on social media. This is the one circumstance where the employer does not
have to inform an employee that his or her social media usage will be monitored. The duo
also discuss other countries that have even stricter rules concerning the monitoring of
users. They say that Switzerland prohibits employers from monitoring their employees even
if it is for preventive measures. This discussion in their work brings yet another important
piece of knowledge to the argument on social media privacy. The legal system seems to be
leaning too much towards employees in order to protect their privacy. Therefore, most
jurisdictions will find fault in organizations that try to monitor the social media activities of
their users without pressing reasons to do so.
Lastly, Russell and Stutz look at the issue of employee dismissal due to the
inappropriate use of social media. Employees can be careless about what they post or what
they access on their social media accounts and this may have some consequences for the
organization. Some employees may disclose information that is regarded to be confidential
according to the company. Other employees might engage in proscribed social media
activities such as clicking of links and this may result in the infection of some organizational
computers with malware. Others may simply overuse social media, thus resulting in low
productivity. Whilst the main focus of this thesis is not about dismissal of employees, these
actions spark an interesting conversation around how organizations should handle the
inappropriate usage of social media. Russell and Stutz (2014) explain that employers have the
advantage in court in several jurisdictions when they believe that an employee has
inappropriately used social media and thus deserves to be dismissed from employment. They
begin with Canada where they say that the laws allow for employee dismissal if an employee
breaches a company policy or takes actions that cause damage to the company (Russell &
Stutz 2014). A breach of policy is an action such as posting a client’s personally identifiable
information. An example of an action that may lead to damage to a company is the clicking
of malicious links leading to the malware infection of an organizational computer. In the
Canadian legal jurisdiction, these actions may warrant a legal termination of an employment
contract by an employer (Russell & Stutz 2014). In Australia, the courts tend to lean more
towards employers when punishing inappropriate social media use (Russell & Stutz 2014).
As such, even an excessive use of the Internet for personal social media purposes may be
regarded as misconduct that is punishable via dismissal. In France, an insulting comment
to an employer on social media is taken seriously and the courts allow for dismissal of such
offensive employees. However, the employees must have been forewarned that posting
derogatory remarks about the employer might lead to termination.
To conclude the review of this work, it was important to bring to light the issue
of social media security and privacy in the workplace. Organizations need to know how to
react to protect themselves when their security and privacy are brought into question. This thesis
pays attention to all the people affected by social media threats and attempts to give
recommendations on how they can handle them. Organizations are, however, peculiar in that
they are not a particular individual; they represent the interests of many and their affairs are
intermingled with laws. Therefore, if some recommendations are made to protect
organizations from social media threats and privacy concerns, they have to fall within the
law. There is a challenge in that the law is different in different jurisdictions. Some
countries are still formulating laws to handle social media related cases. This unique literature
by Russell and Stutz has dived into the legal matters surrounding organizations, how they
can mitigate security threats on social media, and the laws that they need to
understand. To protect themselves from hiring employees that might be social media
security risks, organizations might see that it is best to mitigate this risk by doing a social
media background check. However, as has been discussed, it is not as simple as it sounds
because some jurisdictions require job candidates to consent to this. While working in an
organization, it might be regarded as safer for the organization to protect itself from harmful
use of social media platforms by monitoring employees’ usage. This way, they may be able to
prevent some threats from happening, such as the downloading of malicious files or the
posting of sensitive information about the organization. As it turns out, some jurisdictions are
totally against the monitoring of employee activity on social media while others give tough
conditions for this. Dismissals might be the last option in an organization’s rule book to do
away with employees that present privacy and security risks due to inappropriate social
media use. Fortunately, courts in several jurisdictions understand this and do lean on the side
of the employers, provided that there are sensible reasons behind the dismissals. This legal
literature has been great at dissecting the legal implications of some of the recommendations
that may be passed down to organizations to help them combat social media security and
privacy risks.