According to a recent study by OpenDNS (available here), Facebook is both the most widely blocked site in enterprises today and the second most widely allowed site in enterprises today. The study goes on to report that more than 14 percent of all enterprises that block websites on their networks choose to block Facebook, and MySpace and YouTube round out the top three most commonly blocked websites for business users.
The OpenDNS findings are consistent with those reported in ProofPoint's 7th Annual Survey on Outbound Messaging and Content Security (available here), which broke the blocking statistics down by company size:
And there's a good reason for companies to be blocking that access. According to the ProofPoint report, in 2010:
- 25% of US companies investigated exposure of confidential/proprietary info via blogs/message boards
  - 24% disciplined employee for violation of blog policy w/in last 12 months
  - 11% terminated employee for violation
- 20% of US companies investigated exposure of confidential/proprietary info via social networks
  - 20% disciplined employee for violation of social network policy w/in last 12 months
  - 7% terminated employee for violation
- 18% of US companies investigated exposure of confidential/proprietary info via video/audio sharing services
  - 21% disciplined employee for violation of media sharing/posting policy w/in last 12 months
  - 9% terminated employee for violation
- 18% of US companies investigated exposure of confidential/proprietary info via SMS/web-based messaging
So what should your company be doing?
First, have a social media policy. Talk to employees and solicit ideas for the corporate social media policy. You want to encourage all personnel to think and act like an official company spokesperson, but make sure they know they are not an official company spokesperson and cannot claim to be. The company should designate social media representatives and set limits on what they are and aren't supposed to do.
Identify off-limit subjects ahead of time and share that with your company's social media representatives. Employee training and communication are key to compliance.
Second, have a monitoring policy. From a company perspective, the policy should state that all use of company-provided equipment or services can be monitored, but limit searches of communications/devices to where there is suspicion of misconduct, and limit those searches so that they are consistent with the purpose of the investigation.
Third, make disciplinary consequences clear in your policies, and be consistent in application of the policies. Turning a blind eye to executive violations of the policies, or applying different disciplinary consequences to executives who violate policies, can undercut both the company's moral authority in the eyes of the employees who are subject to those policies and the company's legal ability to enforce those policies.