The article, by Times reporter Molly Hennessy-Fiske, chronicled the case of 60-year-old William Wells, who died at St. Mary Medical Center in Long Beach, California, where he was brought after suffering severe knife wounds inflicted by a fellow resident of his nursing home.

Instead of focusing on treating him, an employee said, St. Mary nurses and other hospital staff did the unthinkable: They snapped photos of the dying man and posted them on Facebook.

The article chronciles a number of incidents at other hospitals involving staff violating patient privacy (and HIPAA) on Facebook, along with the fates of the nurses who posted the information (several were fired). The article has inspired conversation in the healthcare community about the need to block employee access to Facebook.

It’s a kneejerk reaction. After all, before social media, it was just as easy to share inappropriate, confidential information via email. (And, at one point in the early 1990s, organizations everywhere resisted the use of email for exactly that reason.)

Beth Israel Deaconess Medical Center President and CEO Paul Levy has written perhaps the best analysis of the St. Mary case and the resulting flurry of blocking commentary. Levy’s excellent post concludes:

If you block Facebook on the hospital server, will it nonetheless be used in the wrong way by misguided people? Yes. They will use their iPhones or some other such handheld devices.

I know this sounds like the pro-gun argument, “Guns don’t kill people. People do.” However you might feel about that issue, this one is different. By blocking this medium on your hospital server, you will remove a highly effective communications tool, all because you are fearful that a few misguided people will misuse it. You trade the illusion of security for a loss of community.

In an earlier post dating back to October 2009, Levy also noted that blocking Facebook creates “a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20′s and 30′s who tend not to use email.”

I’m currently reading a book, “The 2020 Workplace,” which delves deeply into the work habits and expectations of the Millennial Generation (born between 1977 and 1997); indeed, email is viewed (correctly) as an inefficient means of communication given more effective tools. As your Millennial kids how much they use email.

Blaming Facebook (or MySpace or Twitter or what-have-you) for human behavior that can be practiced with email, Usenet news groups, the telephone or in the elevator is not only misguided; it turns a blind eye to the more effective channels for communication that can actually improve communication in your institution. If you remember policies banning email in your organization in the early 90s, it’s easy to see today’s blocking policies as a failure to learn from mistakes made a mere 20 years ago.

The entire post is worth a careful reading, especially if your organization is on the brink of blocking staff access with the deluded expectation that it’ll solve a problem the roots of which have nothing at all to do with Facebook.

If ever an organization was security-conscious, it’s the DoD. Yet they’ve managed to address security concerns while trusting hundreds of thousands of members of the organization to represent the DoD well in social forums.

A Social Media Hub has been added to the DoD’s arsenal of social media tools — another approach from which mainstream business can learn. While the DoD hub is accessible to the general public, it would be equally easy to create something like this on a corporate intranet as a resource for employees.

The home page of the hub proclaims, “ocial media is an integral part of Department of Defense operations. This site is designed to help the DoD community use social media and other internet-based capabilities to share responsibly and effectively, both in official and unofficial capacities.”

The site offers three core categories of information:

• Learning and Resources — “I’m concerned about social media and I need…” reads the introduction to this section, which leads to education and training resources, social media guides and examples.
• Policies and Procedures — This section begins with “I manage an official DoD social media presence and I want to…” which directs visitors to policies, user agreements and a form to register a page with the DoD.
• Collaborate and Connect — “I have questions about social media,” reads the introduction to this section, “and I want to…” Visitors can access discussion forums, FAQs and an Ask the Experts section (a contact form).

The page includes many of the elements more commonly seen on inidividuals’ social media channels, like retweet and Facebook share buttons. The site walks the talk in other ways, such as the embedding of SlideShare presentations in the Examples section.

Access to resources like this can reinforce policies and training and raise the confidence of employees who know they have somewhere to go where they can not only review the rules but ask questions, view case studies and have conversations with others in the organization.

Once again, I’m left wondering: Why can a command and control-centric organization like the US military take such a rational approach to social media while the average US corporation behaves more like we’d expect the military to behave?

(Cross-posted from a shel of my former self.)

Tuesday at Gartner’s Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control or even block its use is akin to monitoring employees’ home phone calls and rifling through their postal mail.

“All this message traffic is not in your infrastructure,” Walls said. “It all takes place out there in the cloud,” plus it can be accessed from anywhere, and users’ privacy settings can make monitoring nearly impossible. “At the root of it is staff productivity, and security isn’t responsible for monitoring and managing the productivity of the organization.”

Some believe social media represents a growing platform for malware distribution, but Walls countered that argument, noting that antimalware vendors he’s spoken with say social networks are being victimized by the same malware plaguing email and websites. “So if I’m going to block social media on the basis of malware distribution,” Walls asked hypothetically, “why not block email?”

via searchsecurity.techtarget.com

The article goes on at some length to chronicle Walls’ arguments against blocking social media in the workplace, even making a vital point that has been at the heart of my argument: Organizations will, he said, come to realize the value of hiring someone who possesses a vast social network. “The most valuable people,” he told the audience, “are going to be the ones who demand social media the most.”

The entire post is well worth your time particularly if you’re trying to make the case against blocking in your organization.

Recruiting is one of those categories. According to a June 22 article appearing on recruiting site ere.net, several organizations are already figuring out that employees’ networks can prove far richer sources of referrals than traditional recruiting channels.

Article author Todd Raphael lists several companies that have turned to employees’ social networks to identify top-shelf candidates. While my thinking on recruiting has been focused on querying employees about whom they know based on their involvement in online peer groups, Raphael points to the development of widgets employees add to their Facebook pages. The widgets contain lists of open jobs. The vacant positions are seen by employees’ friends visiting their pages. In most cases, if an employees’ Facebook friend applies for and gets the job, the employee earns a referral fee.

The idea of paying an employee for a referral is hardly new, but the analog version of the concept required an employee to tell someone, one-on-one, about the job. That process mostly limited employees to sharing the information with people they knew well and with whom they interacted regularly. A widget on an employee’s Facebook pages exposes the job to those connections with whom employees don’t have strong relationships, expanding the reach of the information to those with whom the employee has weak ties.

Among the examples…

• Staff at Virginia Mason Medical Center can add a widget to their pages that lists jobs like a director of nursing informatics and a range of IT jobs. Developed by recruiting firm Bernard Hodes, the widget has found its way onto a few employees’ pages. Once the Seattle-based organization formalizes a social media policy, it will roll the program out to all employees.
• Some Enterprise Rent-A-Car employees have already received referral payments for jobs filled based on the widgets they added to their Facebook pages.
• Employees from Hyatt will also have the opportunity to list open jobs on their Facebook pages and distribute the information to their friends.
• Using a utility from a company called Referrio, Cisco Systems listed 11 jobs that would each pay $2,500 for the employee who referred a candidate sourced through his or her social networks.

Recruiting agencies — whose business models are threatened as employee networks become better sources of candidates — are shoring up their value by developing the products and services to support employee social network referrals. There’s Hodes, noted above. And a company called Select Minds is developing a service that will notify targeted employees by email of open jobs. For example, writes Raphael:

Let’s say hypothetically we’re talking about a software job at Nationwide, and that the job is in Dayton, Ohio. An automated email about the job opening might go out to 1) Nationwide employees in any region who are in IT jobs, and 2) all Nationwide employees in Dayton. The SelectMinds email allows employees to either email selected contacts on LinkedIn, Facebook, and Twitter to tell them about the job, or update their LinkedIn and Facebook statuses (and soon Twitter, just not on the demo I saw) with info on the job. The chain of link-forwarding gets tracked as it moves around online, and the employee either gets the whole referral kitty, or can share part of it with a second person, depending on how the company sets it all up.

The employee who’s doing the referring can tell their company, via a short form, how well they know their friend, and what they think of them. The referring employee also gets emails notifying them if their contact has expressed interest in the job.

Meanwhile, recruiters view a dashboard listing how many times a job was referred, and how many applications came in for it. A recruiter can drill down and see who’s referring who.

Needless to say, the notion that companies will turn to their employees to help fill important jobs — but expect them to do it only from home — is absurd. In order for employees to help the company recruit needed talent, companies will increasingly turn to their employees’ social networks, which had better be wide open from work if companies are going to derive the greatest possible value from the effort.

According to the Newton North Library’s Learning Commons website:

This is being debated at SFA (Student Faculty Administration). Your input will help SFA decide. The next meeting is April 13th @ 7:00am in the library. It is open for all students and staff to attend. (Note: Facebook is currently blocked at all Newton Public Schools.)

A poll included with the item currently stands at 370 votes against blocking and 87 in favor. The cynic in me suspects it was mostly students casting the opposing votes and parents voting yes.

The comments left to the item on the Wicked Local blog that directed me to the Learning Commons site, however, got me thinking more about the issue. The impetus behind the ban is at least partly based on the worry that kids use Facebook to bully others. One comment, for example, reads…

I am a private tutor in Newton. Just this year, I have had 3 Newton students (2 from North, 1 from South) who have been involved with the Newton police due to cyberbullying via Facebook. I am not sure what the outcome was, but I know for a fact that there were threats and there was police involvement.

Bullying is a problem, to be sure. It was a problem when I was in school, and when my parents were in school. The recent case in South Hadley, Massachusetts — in which nine teens were indicted for their roles in relentlessly bullying a 15-year-old girl who was driven to kill herself — is another tragedy that points to a serious need for action.

But blaming the Internet or Facebook is a mistake. In fact, I don’t care for the term “cyberbullying.” Is bullying that takes place over the phone called “phonebullying?” The venue is irrelevant. The channel isn’t the problem. The problem is the attitude that some kids have that bullying is okay wherever they can engage in it.

The situation reminds me of hospital CEO Paul Levy’s reaction when he learned that another hospital in the area was blocking Facebook because some staff members had violated HIPAA — the regulation that protects patient privacy — on Facebook. Levy, of Beth Israel Deaconess Medical Center (also in Boston), wrote on his “Running a Hospital” blog:

Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing. It also creates a generational gap, in that Facebook, in particular, is often the medium of choice for people of a certain age. I often get many useful suggestions from staff in their 20′s and 30′s who tend not to use email. Finally, consider the cost of building and using tools that attempt to “track utilization and monitor content.” Not worth the effort, I say.

Interestingly, the use of Facebook under consideration at Newton North involves a portal for parents, where they could view information relevant to their childrens’ education, including homework and projects.

I see multiple problems, though, with blocking kids’ access. First, many of them — like their counterparts in the business world — don’t need the school’s computers to access Facebook; they can do that just fine on their mobile phones. Lack of access from school won’t stop cyberbullying, either; they’ll just do it when they get home to their own computers.

But what’s really at issue is starting to teach using the channels that kids are already using in a manner that reflects the way peopale will be working and learning with increasing frequency. Collaborating on team projects makes more sense on Facebook than a proprietary school system because Facebook is (for now) the network they’ll continue to use in college and then in the work world. (A recent study (PDF file) from the Society for New Communication Research (SNCR) determined that decision-makers in the business world are making faster and better decisions by tapping their Social Media Peer Groups (SMPGs) via Facebook and LinkedIn. Failing to guide students in the use of the resources they’ll be required to use just to get their jobs done by the time they graduate is a failure of the education system.

I’m not talking about unrestricted Facebook use while students should be focused on schoolwork. But teachers need to begin figuring out how to incorporate social networking into their teaching plans in order for the coursework to be truly relevant. The idea that people work in isolation is fast becoming outdated, as the SNCR study reveals; teaching kids to do schoolwork in a vacuum is not preparing them for the processes they’ll need to understand when they go to college (where online collaboration is just the extension of the age-old study group) and then when they enter the world of work.

That is, teachers should be teaching the ways social neteworks can benefit their learning while actively discouraging bullying of any kind. The issues are, in fact, mutually exclusive.

Doug Haslam himself gets the final word, from a comment he left to the Wicked Local blog:

The thing is, people will form their own groups where they want regardless of what is “blocked.” It makes sense for schools to have some presence on Facebook — not to supervise or watch, but to participate as part of a community.

A proprietary network makes sense as far as assignments, but experimenting — as class groups, in the right circumstances — with Facebook and other social tools is a way to tap into how people are now working together in the real world.

That doesn’t mean students should be using Facebook during school hours to play Farmville, just as it shouldn’t in the workplace (where, for the most part, Facebook should not be blocked either. But, there are some applications. As someone astutely said (in an earlier comment), high school kids are on Facebook anyway. Maybe we should teach them how to use it to be better community citizens (online and off) rather than ignore it at our peril.

Visit Justin’s original blog post here.

Ochman’s five reasons for keeping access open:

• Resistance is futile thanks to the proliferation of smart phones
• Employees who don’t want to get their work done don’t need social networks to waste time
• Social networks actually can make workers more productive
• You’ll miss great ideas that emerge from conversation and collaboration
• Employees are more trustworthy than they’re given credit for

“If you can’t trust your employees, you have one of two problems,” Ochman writes. “You are hiring the wrong people or you are not properly training the people you hire.”

Read the entire post for more details and some interesting reader comments.

In a comment left recently to a post I wrote for Stop Blocking back in October 2007 about malware on Facebook, David Jones with CommerceMicro wrote:

Stupid, out dated information.

We have users that repeatedly get infected with viruses and spyware no matter what level or type of antivirus and antispyware software we install. It’s rather odd that ONLY THOSE particular users get re-infected day after day and that they all have MySpace accounts, FaceBook accounts, or whatever. Their employers have to continually pay us to come and clean these infections.

My reply was a bit terse. I asked Jones if he believed all the companies that don’t block access were lying about not encountering the problems he cited. (And no, I wasn’t snarky enough to point out that “outdated” is one word.)

The security issue does, however, appear to be supplanting productivity concerns as the main reason companies block access to Facebook and other social media sites. Among the dominant social networks, Facebook presents the biggest risk to company security, according to 60% of the respondents to a survey of 500 companies conducted by Sophos, an IT security organization. No other network comes close. MySpace ranks second, with 18% of companies identifying it as a concern, followed by Twitter (17%) and LinkedIn (4%).

The concerns are not illegitimate. The incidents of reported malware and spam attacks through social networks has jumped 70% since April of last year. Social networks have become common launching pads fore a couple of particularly nasty worms. The risk of infection, though, is not the only security issue that keeps IT staff up at night. Employees’ individual behavior represents a risk, particularly as web-unsavvy employees fall prey to phishing and other devious ploys. And then there’s the fear that employees will share information they shouldn’t.

Sarah Perez goes into considerable detail on the Sophos report in her post on ReadWriteWeb. Perez also notes that even Sophos isn’t advocating an outright block, despite the study’s findings:

Unfortunately for those in charge of enforcing corporate security, simply blocking Facebook and other social networks via URL is not a realistic solution anymore. The networks are often a large part of a company’s marketing and sales strategies, notes Sophos, meaning they cannot be blocked outright. Instead, companies are encouraged to use a unified approach for mitigating threats that combines data monitoring, malware protection and granular access for their employees.

A Financial Times article (free registration required) has the same advice, noting that organizations have too much to gain from employee interactions on social networks. The article, penned by the head of an information risk management and e-discovery firm, rightly notes that leetting employees access social networks from work gives them “the ability to locate the right people, information and expertise quickly, but they also greatly aid external networking, sales and marketing activities.”

The article (which I discovered on the Idea Peepshow blog, notes thyat 89% of businesses in the UK have no policies governing employee use of social networks and calls for companies to establish and enforce such policies.

As I’ve noted before, protecting the company is a matter of ensuring the proper network safeguards are in place (such as anti-malware/spyware software and the latest virus definitions) and that employees understand their responsibilities.

It works in a lot of companies that don’t block access. It can work in yours.

Nobody claims visiting Facebook or Twitter, in and of itself, will result in infection. The worry is that employees will load a seemingly innocent but actually malicious third-party app or click a shortened URL that leads them to page crafted to infecvt computers or relieve employees of confidential information.

I have no intention of minimizing the risks ever-present on the web. There’s no shortage of scumbags who want nothing more than to exploit you.

But let’s be clear: Simply blocking access is the lazy, easy way out. By taking steps to protect the company’s networks — steps that take a bit of work — your systems can remain pristine while your company can reap the benefits of employees who network with prospective customers and recruits while building higher levels of engagement with existing customers.

There are plenty of resources online that outline how to protect a network. One of the best I’ve seen appeared on ReadWriteWeb, authored just a couple months ago by Sarah Perez. She lists eight ways to keep your networks safe:

• Don’t assume a link is “safe” because it’s from a friend.

• Don’t assume Twitter links are safe because Twitter is now scanning for malware.
• Don’t Assume Bit.ly Links are safe.
• Use an up-to-date web browser.
• Keep Windows up-to-date.
• Keep Adobe Reader and Adobe Flash up-to-date.
• Don’t assume you’re safe because you use a Mac.
• Be wary of email messages from social networks (because email addresses can be “spoofed” by hackers).

Perez provides a lot of detail on each of these points — the post is well worth reading — but it all comes down to two workplace realities for companies that want to do business in the networked world:

• Employees need to be educated and held accountable.

• IT departments need to keep systems updated.

I’m routinely surprised by the number of companies I visit where every employee desktop is running Internet Explorer 6, where employees can’t update Flash or the Adobe Reader, where updates to software aren’t pushed out on a regular basis. I know IT departments are stretched thin and devote an inordinate amount of time to maintaining legacy systems because their budgets have been slashed. But failsing to keep employee computers updated is like the manager of a corporate auto fleet failing to change the oil or the air filter and letting employees drive around on bald tires.

As for employees, both IT and internal communications need to undertake an effort to educate employees about their own obligations when using the web — for work or no-nwork purposes. It’s incumbent upon companies to make their employees security-literate so they don’t follow unsafe shortened URLs (show them how to find out where the URL actually goes first) or respond to questionable emails.

As this blog has pointed out repeatedly, there are tremendous benefits that can accrue to organizations that encourage their employees to interact on social networks. The solution to the risks involved is not to simply shut off access, but rather to minimize the risk through good, old-fashioned hard work.

This time around, the bad news comes out of the UK, where 90% of councils restrict access to social media. The results come from a study conducted by SOCITM, the professional association for public sector ICT management. Ironically, this group had earlier encouraged organizations to lift such restrictions, recognizing that “social media is…an economical way for public sector organisations to deliver services, communicate with staff and engage with the community.”

According to the study, 67% of councils have implemented scorched-earth policies, blocking all use of social media. Among the remaining 33%, some confine use to lunchtime and before and after work. The SOCITM report interprets these finds as proof that councils don’t see any business value to employee participation in social media.

There’s an almost equal split between councils that view security as the main reason for limiting or blocking access and those who see productivity as the problem. Still, SOCITM believes that stopping employees from tapping into these sites is impossible, given the fact that most workers have their own devices — like smartphones — that give them access to services like Facebook and Twitter. But the fact that employee access increases engagement with the communities the councils serve is the dimension of the report that jumped out at me. According to Christopher Head, who co-authored the report:

CIOs and heads of ICT need to take the lead and educate colleagues on the organisation’s management team about the benefits of social media, as well as finding ways to accommodate them appropriately and safely through the corporate infrastructure.

This advice is coming from more and more quarters, including reserach firm Gartner, which has urged businesses to take advantage of employees’ connection to sites like Facebook to facilitate their business-to-consumer strategies.

It just seems managers would rather succumb to baseless fears and take the easy way out than listen to the advice of experts who know what they’re talking about.