Had the pleasure of chairing a roundtable earlier today on the risk management aspects of social networking and Web 2.0 – the other panelists were Craig Carpenter, the VP & general counsel of Recommind, and Antony Corsi, a partner with Fulbright & Jaworski LLP in London. Here's the formal release that came out of the event, along with some graphics.

The release is self-explanatory and confirms what many people suspected – that a lot of organisations still don't 'get' Web 2.0; are not using it properly; appear to be hoping that if they ignore it, it will go away; and – in the case of those organisations trying to curb its use – seem unaware people can access all of these technologies on home computers (and an increasing number on mobile phones, BlackBerrys, iPhones etc). It's also interesting to see that 70% are delegating responsibility to IT departments – what, they are letting the techies determine their risk management policy? And that only 17% are giving the job to legal departments – yes, we know how computer-literate lawyers can be! However, there is a more serious point here, and that is that policy should actually be determined at a senior management level, with consultation with the IT and legal departments on its implementation and enforcement. And also check out last Wednesday's Orange Rag coverage of the EIU's “technology democracy” report: www.theorangerag.com/blog/_archives/2009/9/23/4329923.html


Recommind today released the results of its recent research into Web 2.0 and social networking habits in UK businesses*. Although many firms already recognise the business benefits of using applications like Twitter, LinkedIn and instant messaging (IM) in a corporate environment, research indicates that an alarming proportion (89%) have no dedicated guidelines in place to control the use of these tools and, ultimately, the spread of information through Web 2.0 channels – an oversight that could put UK companies in grave danger of uncontrollable information risk. 

Recommind’s research indicates that although more than half (51%) of UK businesses surveyed are well aware of the data leakage risks associated with Web 2.0 and social networking use, most still overlook the risks posed by an increasingly stringent regulatory climate and the knock-on impact of investigations and e-disclosure requests. Indeed, just 23% of respondents were concerned about their ability to access and preserve information found on these sites and used with these tools. Unless this lax attitude is promptly addressed, Recommind maintains that companies could face serious problems in the near future, including failure to control the flow of sensitive corporate information, an inability to comply with increasingly common regulatory investigations and exorbitant costs when faced with an e-disclosure event. With the usage of such tools by corporate employees skyrocketing, their increased relevance in near-term litigation and investigations is virtually assured.

“Businesses need to think very carefully about how best to address the increasingly mainstream usage of these tools by their staff. In a Web 2.0 world communication is instant, but information can get divulged, co-opted or misconstrued very easily, leaving organisations wide open to information risk,” said Craig Carpenter, VP & general counsel at Recommind. “We’ve already seen numerous cases of employees being reprimanded for discussing proprietary information on sites like Facebook, while a major US network was recently reprimanded when one of its journalists leaked off-the-record commentary from President Obama via his Twitter feed. Firms must ensure their employees are fully aware of the possible ramifications of using these tools in such a dynamic and evolving technological landscape. And while having a company policy in place is common sense, any such policy is only as effective as its enforcement.”

The independent research, which was carried out by Vanson Bourne, questioned CIOs and IT directors in UK firms with more than 1,000 employees on the Web 2.0 and social networking habits within their organisations. Of those surveyed, many are already using social networking tools within their company – 44% are utilising these tools to communicate and share information with colleagues around the world, while a quarter of respondents use these applications for day-to-day business activities, such as marketing and sales, business development and company research.

However, research shows that employees at less than a quarter (23%) of firms surveyed are using Web 2.0 and social networking tools for external communications and networking, while just 17% use these applications to locate people and expertise within the organisation. A surprisingly low set of figures, given that more than half (59%) cited external communications as the biggest benefit Web 2.0 can bring, with almost a third stating that social networking could enable employee knowledge and expertise to be used to its full advantage.

In today’s economic climate, knowledge is the ultimate currency – but Recommind’s research illustrates that employees’ expertise, or ‘tacit knowledge’ as it is widely termed, still remains a largely untapped resource, while only one in five respondents recognised the value social networking could bring in terms of gaining insight into industry knowledge, including partners and customers. With all this in mind, it would be fair to say that the 42% of companies surveyed who do not allow staff to use these tools within the corporate environment are missing out on major internal and external business opportunities.

“It’s clear that organisations are starting to integrate Web 2.0 processes into their everyday corporate activities, but this use is still largely for limited internal purposes – businesses are just scratching the surface of what these tools are capable of,” continued Carpenter. “Firms need to get Web 2.0 savvy as these applications continue to grow in popularity and usefulness in the business realm. Companies risk losing a competitive edge if they restrict access outright in the workplace, so control is the key to maintaining both the corporate advantage and also ensuring that the organisation has adequate procedures in place to protect against information risk.”

“There is no doubt that Web 2.0 tools have become an interesting challenge for organisations across all sectors – communication via such tools is instant, has a wide impact and the business potential can be huge. However, without proper corporate regulations in place these tools can present a great danger to a company’s reputation and a risk to its information security,” said Mike Davis, senior analyst at Ovum. “Web 2.0 and social networking applications used in a business context contain corporate information and must be managed with both discretion and control. Today’s increasingly stringent regulatory climate means that it is more important than ever for firms to take care of their data – whether this is ensuring that all relevant material is preserved and accessible should they be faced with legal action, or preventing information leakage via careless employee use – without guidelines in place the consequences could range from embarrassment to business failure.”

Findings also uncovered that more than two thirds (70%) of firms surveyed believe that responsibility for implementing and enforcing Web 2.0 policies lies solely with the IT department, compared to the legal department at 17% of companies. Although each department has its own set of priorities, Recommind maintains that a more collaborative approach is needed as these tools come to the forefront. Without this cooperation, there is a danger that the IT team will not recognise or fully comprehend which information should be preserved, disclosed or discarded, while the legal department needs assistance to help ensure any technology processes and systems are accurate and up to the job.

“Such responsibility on one department alone is unrealistic – there needs to be more collaboration between the IT and legal departments,” said Carpenter. “Legal departments must step up and become more involved in crafting and enforcing Web 2.0 policies, especially since they are often better placed to understand what information can and cannot be kept or shared on the corporate network. Simply put, a combination of expertise is critical to organisations’ success in today’s regulatory environment.”

* Survey of 100 CIOs & IT directors at UK enterprises with more than 1000 employees conducted by Vanson Bourne in August 2009.