Social networking and reputational risk in the workplace

Over 6 months ago Deloitte released their 2009 report on ethics and the workplace, this time focusing on the impact social computing is having on reputation risk for organisations. The results are very interesting, and given the recent background checking and social media discussions, they also impact individuals and their online reputation.

Let’s review the results:

  • 74% of employees said it’s easy to damage a company’s reputation on social media
  • 58% of executives agree that reputational risk & social networking should be a board room issue, but only 15% say it actually is
  • 53% of employees think employers should stay out of their social networking pages
  • 40% of executives disagree with employees and 30% informally monitor sites
  • 61% of employees said even if employers did monitor they would not change their online behavior, because they know it’s not private, and have already made significant adjustments to their online profiles
  • Almost 50% of employees said they would not change their online behavior if their company had a policy
  • 27% of employees do not consider the ethical consequences

These figures worry me because, to quote James Lovell, “Houston, we have a problem”. (Yes I know he did not actually say that but the real quote won’t work.)

74% of employees agree it’s easy to damage a company’s reputation on social media but only 27% actually think about it.

So let’s break this down

For me this calls for more education of people about their activities online so let’s re-look at The Mother Test:

  1. Make sure you have a consistent profile you are willing to show your mother. It is very hard if not impossible to remain completely anonymous online, even if you never use your real name. For example I know of several bloggers who blog under anonymous names, but I also know who they really are.
  2. Make sure you don’t do/say anything you would not be proud to show your mother. You might not want your mother to see what you have done, but if you had to show her and explain yourself would you be proud of what you had done?
  3. Make sure you don’t post pictures/videos you would not be willing to show your mother. Like doing or saying things online, if you had to explain yourself could you and would you be proud of what you have done?
  4. Is your reputation online one your mother would be proud of? You might not specifically say or post anything that is suspect but we all have a reputation, even on sites that are password protected.
  5. Would your activities online make your mother trust you? Trust is the ultimate test of what you are doing and defines your integrity, ability, or character.

(Image: Flickr)

The Facebook Five

During my presentation yesterday on social media in the workplace at RecruitTech I spoke briefly about the “Facebook Five” and felt I would expand on my comments here.

In summary six (it was five) NSW prison officers are being threatened with being fired over comments they made on a Facebook page “Suggestion to help Big Ron save a few clams”. This was at a time when NSW was looking to sell off prisons to save some money.

The case went before the Industrial Relations Commission (IRC) this week where the Public Service Association (PSA) filed an application asking that the corrective services workers have the threats revoked. The workers are claiming that the comments were private and outside of work.

The PSA has also stated to the IRC that it intends to seek changes to the award to exclude out-of-work hours activities from being dismissible offences. The claim says:

“An employee shall not be the subject of any disciplinary action by reason of conduct that occurs outside working hours and which is intended by the employee to be private in nature”

However QUT Senior Lecturer Peter Black has commented, quite rightly, on whether anything online can be considered private:

There is certainly, I think an argument that it is a private conversation, however I think that probably ignores the reality of how these sorts of websites operate,

However because there is always a record kept of these sorts of conversations in an online environment, even where it is private, it is very easy for that information to get out beyond the wall.

Another interesting thing to consider is how to define the work hours. If I answer work emails on a BlackBerry at home and then use the same device to post something on Facebook, was the post outside of work hours or not?

This case looks like it could be one that begins to shape our employment laws around social media and the workplace.

Unlock the social graph of candidates

First you need to know what a social graph is. Simply put by Brad Fitzpatrick, the “social graph” is “the global mapping of everybody and how they’re related”; therefore your social graph is a mapping of everyone and how they are related to you.

So what does this have to do with candidates? Well I am glad you asked.

Two things:

  1. Helps you find them
  2. Helps you research them

Simple really.

Now the fun bit. Fire up your copy of Firefox, you have Firefox right? Head over and grab a copy of the new Firefox extension Identify. Head to a page that has a rel="me" attribute in the HTML, press Control+I and bingo, you find all sorts of useful information about the person.

This is the first tool to really open up the social graph for visual analysis. The plugin uses the Google Social Graph API to bring together all sorts of data about the person.

Now lots of discussions need to be had on privacy, data protection etc but I can see potential.

Social media sacked employees and The Mother Test

First let me say this is not new: people have been losing their jobs for years based on what they publish online; it is just that the services being used are changing slightly.

Last month Virgin Atlantic sacked 13 cabin crew for criticizing the airline and its passengers on Facebook.

The action follows an investigation into the remarks posted on Facebook, which concerned planes flying from London’s Gatwick airport and insulted passengers, as well as reportedly saying the planes were full of cockroaches.

“Virgin Atlantic can confirm that 13 members of its cabin crew will be leaving the company after breaking staff policies due to totally inappropriate behaviour,” the airline said in a statement.

This week Australian forklift driver, Matthew Garry Ward, was convicted of breaching safety laws by conducting burn outs and two-wheeled stunts on his company-provided forklift. How did he get caught? A video on YouTube, which unfortunately is no longer available, was found by a fellow employee and reported to management. Matthew had filmed the stunts using his mobile phone and posted it on YouTube. Before being convicted he had previously been sacked by his employer, Australasian Pipeline & Pre-Cast Pty Ltd. The WorkSafe media release indicated that forklifts were one of the most dangerous pieces of equipment in use at workplaces.

WorkSafe’s Executive Director (Health and Safety) John Merritt, said forklifts were among the most dangerous pieces of equipment in Victorian workplaces accounting for 56 lives since 1985.  Of these 19 were forklift drivers. 

Once again, while companies need to be careful of what is published on social media sites, so do employees. It is going to be a long time before his activities stop appearing for anyone using search engines to background check Matthew Garry Ward, not to mention that any basic police check will reveal the conviction.

This comes as US President-elect Barack Obama requires all applicants for senior positions in his government to disclose online activity and complete a seven-page, 63-question job application process which includes:

“If you have ever sent an electronic communication, including but not limited to an e-mail, text message or instant message, that could suggest a conflict of interest or be a possible source of embarrassment to you, your family, or the President-elect if it were made public, please describe.”

And

“Please list and, if readily available, provide a copy of each book, article, column or publication (including but not limited to any post or comments on blogs or other websites) you have authored, individually or with others. Please list all aliases or “handles” you have used to communicate on the Internet.”

My 5 tips for managing your brand online are called The Mother Test:

  1. Make sure you have a consistent profile you are willing to show your mother. It is very hard if not impossible to remain completely anonymous online, even if you never use your real name. For example I know of several bloggers who blog under anonymous names, but I also know who they really are. 
  2. Make sure you don’t do/say anything you would not be proud to show your mother. You might not want your mother to see what you have done, but if you had to show her and explain yourself would you be proud of what you had done?
  3. Make sure you don’t post pictures/videos you would not be willing to show your mother. Like doing or saying things online, if you had to explain yourself could you and would you be proud of what you have done?
  4. Is your reputation online one your mother would be proud of? You might not specifically say or post anything that is suspect but we all have a reputation, even on sites that are password protected. 
  5. Would your activities online make your mother trust you? Trust is the ultimate test of what you are doing and defines your integrity, ability, or character. 

If you don’t have that sort of relationship with your mother, substitute with your father, children or grandparents.

Generation V podcast

Yesterday while I was in the middle of my PRINCE2 course I ducked outside (literally outside in the freezing Melbourne wind) for 30 minutes to participate in The Scoop podcast for MIS Australia hosted by Mark Jones. The topic Generation V, or generation virtual. I was a little uncertain what to expect as the fellow guests are in my mind fairly “heavy hitters”: Gartner VP Stephen Prentice; The Project Factory head of virtual worlds Gary Hayes; and Talent2 CIO recruitment specialist Paul Rush, oh yeah and me.

The podcast starts off with a discussion on virtual worlds but then moves into identity, reputation and trust; we then discuss some of the impacts for enterprises and recruitment. The podcast ends with all four of us providing tips for CIOs listening to the podcast.

Yet even more data stolen!

Once again more HR data has been stolen, and guess what, again it was not encrypted!

This time Colt Express Outsourcing Services, an HR outsourcing vendor, had data for many of its clients stolen in a burglary on May 26. The clients affected include Google and CBS’ CNET Networks. The data stolen in the burglary included just names, addresses, social security numbers and other data of employees and dependents; as with the Stanford case, enough to open credit cards under the person’s name. More details are in the letter Colt sent to the Maryland Attorney General.

What is interesting in this case is that Colt Express is in financial difficulty and is unable to help the affected customers. Further to this Google had ceased using them as a service provider a few years ago.

This scenario brings up some questions for organisations.

  • Firstly encrypt personal data, even data in file servers, laptops and corporate databases. Now I know this is not a simple activity but please look into it.
  • When you enter into an outsourcing arrangement do you really check to see that the vendor is complying with the contract to store data encrypted?
  • When an outsourcing contract finishes and the organisation either has to keep your data for legal purposes or does keep the data, what review processes do you have in place to ensure the data is kept secure?
  • Further, following the contract end, are these old arrangements reviewed in light of changing privacy legislation? Does anyone remember that you had the arrangements?
  • How do you ensure that data stored in old systems is correctly destroyed? Now I know what the process should be, certificates of destruction are required, but do you ever ask to view them and do you even know when hard disks containing your data are destroyed by an outsourced service provider?

This area is becoming more and more complex.

For example the Skilled Group looks after about 60,000 employees across Australia and have recently entered into an agreement to deploy Wide Area Data Services which basically means that personal data could be stored in many of their offices. Skilled admits that their IT infrastructure is very decentralised, so what happens when a disk dies in one of the smaller offices and is replaced? Will correct data destruction procedures take place?

Governance around the handling of personal data should be a priority for every HR Director during IT projects, assuming they know that personal data is being impacted, such as in the deployment of a Wide Area Data Service which on the surface looks just like an IT project.

More stolen data

Stanford University is the latest large organisation to be involved in unintentional leaking of personal data. A laptop was stolen that contained the personal details of 62,000 former and current employees. The data included:

  • Name, gender, date of birth
  • Social Security number
  • Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
  • Home address and phone number while employed by Stanford
  • Stanford ID card number and Stanford employee number

Oh dear!!! With all of that data identity theft is very, very easy.

Stanford seems to be reacting in a very professional and open manner, which is good. The reason for my post is about data encryption. Over the years while working for corporations I have been involved in many discussions around handling of sensitive data and the issue of using encryption boils down to a couple of major topics.

Firstly, encryption tools can be difficult for the average computer user to use. Second, once encrypted, movement of the data is made difficult (I know that’s the point), which makes ongoing use of the data by people who need access problematic.

The first reason is solvable via training but still if you don’t use the encryption tools regularly issues still pop up, and they will late on a Sunday night before an important presentation the next day. That’s Murphy for you.

The second issue is more difficult. Person A needs to send data to Person B so it is encrypted using regular public key technology, nice and simple if only Person B needs to use the data. But what happens when more people need to access the data? Well Person A needs to re-encrypt with all of the required public keys. It is this step where things get nasty. If Person A is in another organisation on the other side of the world, in outsourcing not uncommon, it could take time. So Person B decrypts the file and shares it unencrypted, so that business can be done. Yes they could re-encrypt it but in most organisations this does not happen. Not to mention what happens when either person leaves their respective organisations.
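The sharing step described above is where envelope (hybrid) encryption helps: the file is encrypted once with a random data key, and only that small key is wrapped under each person's public key. The sketch below is an added example, not part of the original post; it uses Node's built-in crypto module, and the recipient names, helper functions and payload are constructed for illustration.

```javascript
// Added example: envelope (hybrid) encryption for several recipients.
// Recipient names and payloads are constructed; no real keys or data are used.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed recipient with a fresh RSA key pair (held only in memory here).
function makeRecipient(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// Wrap the 32-byte data key under one recipient's public key.
function wrapKey(dataKey, recipient) {
  return crypto.publicEncrypt({ key: recipient.publicKey, ...OAEP }, dataKey);
}

// Encrypt the payload once with AES-256-GCM, then wrap the data key per recipient.
function seal(plaintext, recipients) {
  const dataKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrapped = new Map(recipients.map((r) => [r.name, wrapKey(dataKey, r)]));
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrapped };
}

// Recover the data key; fails if this person has no wrapped copy.
function unwrapKey(envelope, person) {
  const blob = envelope.wrapped.get(person.name);
  if (!blob) throw new Error(`${person.name} is not a recipient`);
  return crypto.privateDecrypt({ key: person.privateKey, ...OAEP }, blob);
}

// Decrypt and authenticate the payload (final() throws if it was tampered with).
function unseal(envelope, person) {
  const d = crypto.createDecipheriv('aes-256-gcm', unwrapKey(envelope, person), envelope.iv);
  d.setAuthTag(envelope.tag);
  return Buffer.concat([d.update(envelope.ciphertext), d.final()]);
}

// An existing recipient grants access to a newcomer: only the small data key is
// re-wrapped; the payload is never re-encrypted or written out in the clear.
function addRecipient(envelope, existing, newcomer) {
  envelope.wrapped.set(newcomer.name, wrapKey(unwrapKey(envelope, existing), newcomer));
}

// Dropping a leaver's wrapped key stops future opens of this envelope with their key.
// They may have kept the plaintext or data key, so re-seal with a fresh key if that matters.
function removeRecipient(envelope, name) {
  return envelope.wrapped.delete(name);
}
```

With this layout Person B can add Person C without going back to Person A, and the stored file stays encrypted throughout.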

As we move into a world of mashups, open APIs and other Enterprise 2.0 goodness security is going to be even more important and complex!

More on censorship

A follow up post, I found a few more articles on this whole censorship issue in Australia from numerous sources and some more thoughts.

There has been a huge discussion on Twitter between social media and web folks who I personally consider experts in the online world but many of them seem confused. Not good. Some of the questions/issues raised, of course many may be overreactions.

  • Based on the current interpretations Second Life really should be banned in Australia.
  • Seesmic a micro video blogging tool would be banned if it had a dedicated porn feed.
  • If YouTube (or related service) had 1 offending video would the whole service be blocked until the 1 video was removed?
  • Why is pornography (opt out) more offending than crime or terrorism which has an opt in list?
  • What about VOIP tools (ie Skype), will they be banned because they could be used for pornography and cannot be blocked due to the traffic encryption?

Some links first up from The 463 “While You Were Out: Australia Makes Plans to Censor the Internet”:

However, as The Australian notes, “in Britain, only between 200 and 1000 child pornography sites have been included on a blacklist.”

And, Conroy is talking about potentially millions of general pornography sites (however defined) and other sites that depict violence (ditto). Plus, Australian sensibilities are hardly “European” when it comes to community standards.

An Op Ed piece by Dr Peter John Chen in The Age “Who’s afraid of the net?”:

The policy is reminiscent of Douglas Adams’ anti-panic glasses, which turned black when confronted with something that might scare you.

Second Op Ed from The Australian “Net-nanny state worth watching”:

The plan risks giving parents a false sense of security because it will not be possible to block all offensive material. Equally, educational and other non-offensive sites will almost certainly be blocked in error. And research shows blanket restrictions can have a dramatic impact on the speed at which broadband services operate.

Finally a link from Peter Black’s Freedom to Differ “More on Australian online censorship”.

Mandatory censorship of the internet

The new Labor Government had announced their intent as part of the election campaign to introduce filtering of the internet and on Dec 31st they provided further details on what would be happening with mandatory filtering of the Internet by ISPs.

Senator Conroy says it will be mandatory for all internet service providers to provide clean feeds, or ISP filtering, to houses and schools that are free of pornography and inappropriate material.

Personally I am against any form of censorship. It’s that simple. But with this I am also confused, you can opt-out and have an unfiltered huh?

Senator Conroy says anyone wanting uncensored access to the internet will have to opt out of the service.

Now just because someone has a foot fetish and wants uncensored access means they could be put on a list of “bad people”, and who gets to store that information? An opt in list such as the one for crime and terrorism makes far more sense.

Further to this some of the content that is being banned on the Internet (X18+) is available for purchase on DVD in Canberra, the nation’s capital!

Highly confused like lots of people.

There has been lots of discussion over the last day. I don’t know all the facts, more research is required. Here are some links if you want to read more.