Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //

WFH: A Smart Time to Revisit Employee Use of Social Media

Employers have their hands full when it comes to monitoring online activities that could hurt the brand or violate the organization's core values.

It's a complicated time to be an employer. From ensuring compliance with state-by-state employment law regulations, to providing an OSHA- and EEOC-compliant workplace in the new "work-from-home/now-come-back-to-work" normal, human resources departments have their hands full.

Related Content:

4 Predictions for the Future of Privacy

Special Report: Building the SOC of the Future

New From The Edge: rMTD: A Deception Method That Throws Attackers Off Their Game

Layer on the due diligence that employers are undertaking to ensure that their workers are not plotting nefarious activities or propagating extremist disinformation online that could negatively affect the brand, core values, codes of conduct, and safety of individuals both inside and beyond the workplace and that complexity becomes even more cumbersome.

Financial institutions uncovering and exiting employees for administration of extremist websites sound like prime-time dramas. However, they are real-world examples of where having a strategy for exiting dangerous employees from the workplace is a best practice now that home and work boundaries are increasingly blurred. And with most employers monitoring their workforces, it's becoming increasingly important to understand why more workers are under review.

The Cost of Free Speech
While the First Amendment grants all Americans the right to free speech, few corporate, legal, or HR teams have the appetite to proactively monitor their employees' non-work-related social media presence. This so-called Online Disinhibition Effect (ODE), coupled with the perceived anonymity of the Internet, can empower people to freely express their opinions about almost anything, from restaurants and political candidates, to foreign policy and ethnic groups, forcing employers to rethink traditional HR modalities that keep work and private domains separate.

Organizations must consider their public reputation — the brand, the company's board, and executives — who all have a stake in ensuring that extremism and other hate-based sentiments stay far from the workplace. When does it make sense to investigate reported behavior and when does it make sense to turn a blind eye? While extremely fact-specific, the ability for investigations to be actionable depends on whether extremist online content violates the company's policies embedded in its employee handbook, code of conduct, onboarding materials, or state-based privacy laws.

Once these policies are in place, a transparent culture of "see something, say something" can often be fruitful, allowing others within the organization to point to behavior that requires a deeper review. 

Building a Compliance Framework
Legal and human resources are aware of the need to update employee handbooks to advise employees that all company-owned equipment will be subject to reclamation, monitoring, and examination, in line with a legitimate business purpose, which is necessary given federal laws that restrict workplace monitoring. However, not all in-house counsel and operation teams include proper language in handbooks to ensure that remedial action can be taken for social media postings by employees when not on company equipment or time.

Legal and HR practitioners must notify their employees of the company's ability and intentions to monitor, investigate, and take action for behavior that crosses the line, whether it takes place on corporate devices or online. If the notification language gets embedded in the code of conduct or BYOD policy, make sure there is a nexus between such policies and the employee handbook so that consent can be demonstrated.

Effective Monitoring in the Workplace
In reality, few companies have an appetite for devoting resources to monitoring employees' non-work-related social media proactively for threats, and such an approach would be ill-advised.

However, an agile security team that quickly responds to reporting on threats can benefit from focusing on:

  • Disinformation
  • Outlets that can be prioritized
  • Account(s) or handle(s) being used
  • Technical signatures cloaking true identities

While these elements may appear more manageable, corporate devices are the most efficient means to determine if an employee violated code of conduct or use of corporate systems by engaging in illicit or suspicious activity. Internal investigations and security teams must have visibility into appropriate endpoint, network, chat, email, and application log traffic to engage these types of investigations. Finally, they have to maintain a robust "outside the firewall" external threat-hunting capability, including open source and Dark Web intelligence attribution research, technical signature analysis, and direct threat actor engagement.

When to Take Action and When to Stand Down
After policies are established, tested, and the security team implements a monitoring strategy, they will be operationalized. Threats of violence using corporate or personal devices can justify termination of the offending employee. However, if an investigation finds allegations of membership in a known extremist group, even with robust policies in place, termination can still be controversial, therefore needing a stronger security, legal, and HR coordination. Depending on how robust corporate policies are and subject to state privacy laws, termination can typically occur when a corporate asset is used to participate in or solicit violent extremist activity during work or in off-work hours, including use of company email.

However, participating in or soliciting online extremist activities without the incitement of violence after work hours on personal devices may present an edge case that may not be actionable. In this situation, additional monitoring may prove necessary, to a point. The question of when to stop monitoring an employee is another issue that employers will have to address on a case-by-case basis. 

Within any investigation, fact patterns are rarely black and white. It's important to get ahead of these issues before a significant event or violence occurs and an employee shows up on the front page of the news, forcing the company to do damage control. Close coordination between human resources, legal, and security functions within an organization, in conjunction with an open culture that empowers the reporting of abusive or threatening behavior, can stop violence and negative brand impact before it happens.

Jennifer DeTrani is General Counsel/EVP, Corporate Secretary and Head of Culture of Nisos, a Managed Intelligence™ company that focuses on helping clients develop an effective response to advanced cyber threats.  Jennifer is a visiting ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file