When the media relations department at Global Crossing first started planning a company-sponsored external blog last year, Michael Miller, vice president of security at the telecommunications services provider, made sure he was involved in the conversation.
"The normal reaction for most people in a security organization is, 'How do we restrict this activity?'" he says. "But we wanted to clearly articulate some guidance around blogging in terms of what the employee's responsibility is, what's permissible, what isn't. If you spend all your time blocking it, people will find ways around it."
Miller's response strikes at the heart of the corporate debate over how to minimize the security risks opened up by blogging, social networking, video sharing and other interactions that fall under the Web 2.0 umbrella. Companies are wrestling with a multitude of issues, such as whether to restrict employees from blogging on employer-owned equipment, whether to monitor what blogs say, whether to steer blogging activity toward a company- sponsored blog and how to set up parameters around these activities. There's also the question of whether to open the corporate network to the wild and woolly worlds of MySpace.com, iTunes, Flickr and YouTube.
"Sites like MySpace and YouTube are new ways for companies to get infected by malicious code -- viruses or spyware -- and other scams," says Arabella Hallawell, an analyst at Gartner. Examples include the Yamanner worm, which hit Yahoo Mail users, and the Samy and Spaceflash worms, which spread among MySpace users.
For many, the blogging dilemma comes down to weighing the risks and benefits of spotlighting the company's intellectual capital -- the opinions of its employees -- and opening new channels of communication with its customers without inadvertently leaking valuable information into the public sphere.
And loss of trade secrets is only one type of threat, according to Diana McKenzie, chairwoman of the information technology group at law firm Neal, Gerber & Eisenberg in Chicago. Other common problems include co-worker harassment and defamation, securities law violations and intellectual property abuses, such as misuse of copyrights or trademarks.
"It's not uncommon for employees to not know better and say, 'We're going to have great earnings this month,' during a company's quiet period," McKenzie says. She even knows of a blogger who discussed where his employer planned to set up hidden security cameras.
Why not institute a policy?
Companies can avoid legal troubles by creating policies for blogging, but not everyone makes that effort. In an exclusive Computerworld survey of 113 IT managers, just over half of the respondents reported that their companies have policies regarding employee participation in social and networking sites.
When setting up a blogging policy, Hallawell says, IT should work with the legal and human resources departments to identify rules that might limit how restrictive the policy can be. For example, she says, some state laws -- and some trade union agreements -- don't let companies prevent discussion of political activities or certain workplace safety issues. "Blogging raises many complex and gray issues for companies," she says.
For Miller, pulling together a blogging policy wasn't difficult. He used Global Crossing's existing guidelines regarding ethics and acceptable use of technology as a foundation and augmented them to allow for the special considerations of blogging. Particularly relevant were the company's policies for use of e-mail, "which had a direct parallel to blogging, in terms of confidential information and intellectual property," Miller says.
Basically, the policy allows all employees to participate in the Web 2.0 community, including posting to blogs and setting up a blog, as long as they follow the guidelines. For instance, bloggers need to identify themselves as representatives of Global Crossing and include disclaimers saying that the views expressed don't necessarily represent the views of the company.
The policy also includes a section on "doing no harm" that warns against inflammatory posts. "We provide guidance on taking your time and making sure that what you're posting represents you and what you're trying to get across," Miller says. "Don't post when you're feeling hot-tempered -- stop and cool off."
The policy is aimed at anyone who chooses to post to a blog or set up his own personal blog, but it also pertains to Global Crossing's corporate blog, which spotlights six employees, each dealing with a specific issue. "We think there's value to the corporation in expanding the communication boundaries, but in a way that we're controlling what's going on and putting the right measures in place," Miller says.