PHOTO - James Walton, Southeast Asia Clients & Markets Director, Deloitte.
Malaysian national ICT industry association PIKOM and analyst firm Deloitte have advised enterprises and employees to revisit their best practice guidelines following PIKOM's recent statement that all local businesses and individuals need to be more vigilant online, especially with the Section 114A amendments to Malaysia's Evidence Act 1950, which puts the responsibility to prove innocence for all materials, including third party comments, on the owners of online sites.
PIKOM president Shaifubahrim Saleh said the national industry association urged all organisations in Malaysia to review their practices and guidelines. "IT heads as well as employees should consider disabling anonymous users from posting any comments, and revise the terms and conditions for use of their websites, which should include an indemnity clause to compel the user to indemnify the website owner in the event of any damages. They may also choose to include a clause prohibiting users from posting comments relating to religion, politics, and other sensitive areas."
"In addition, companies who operate Facebook pages should remove the comments function as page owners do not have live control over the contents being posted," said Shaifubahrim, adding that only registered users who have provided all the required personal details should be permitted to post comments. Organisations who operate Websites and social media pages with high traffic should consider appointing someone to monitor all postings. Alternatively, they can have a user rating system where users can rate whether a posting is offensive and if so, it gets suppressed/ removed, such as that operated by YouTube.".
He reminded IT heads to ensure that their Internet connections and devices using company networks should be properly secured. "Frequently update any anti-virus software, use strong passwords and refrain from re-tweeting or republishing anything dubious or unverified. Users can surf the internet for references and free advice online, and organisation or corporations should refer to friendly sources for advice or engage consultant or experts when needed. [Regarding employees] logically, best practices should be embedded as part of an organisation's Internet Staff Guidelines so that all employees are aware of the law and the implications on them. Some corporations may even take the extra step of sponsoring their employees with company mobile phones to avoid any controversial apps or contents".
Deloitte Southeast Asia clients & markets director, James Walton, said, "Firstly, organisations need to ensure that anybody who is representing them - either in an official or an unofficial capacity - understands the implications of that role or acts accordingly. Of all the potential threats, that is perhaps the easiest one to manage."
"In most companies, there is a statement in employment contracts that you must follow all relevant policies of your firm (as well as other local laws and regulations) and in some cases there is even a specific mention of the IT policies," said Walton. "Generally, the best practice is to then cover social media as part of the terms of IT/internet usage included in the relevant IT policy. Given that social media is a highly dynamic environment, including it in individual employment contracts can be burdensome."
Dealing with the 'anarchy of social media'
"More difficult is ensuring that seditious postings are not made on their pages and forums by the general public," Walton said. "In theory, there is nothing to stop a rogue individual from just going onto an organisation's Facebook page and posting a comment - which the organisation could then potentially be held accountable for, according to the opponents of the law, as 'facilitators' of the comments being published."
"This presents three options for organisations: firstly, there is the almost unthinkable option of withdrawing from social media; secondly, they could restrict access to their various social media channels, which might help but offers no guarantees as you cannot do a background check on every individual, and even then someone may post something in the heat of the moment; finally, the organisation can task their social media administrators with monitoring their various channels and quickly identifying any potential issues and responding to them accordingly (which probably means deleting the comment as quickly as possible)," he said.
"Companies must also focus on the security of their IT systems and their social media channels: in recent months there have been a number of security breaches on company websites and even Twitter accounts, which may make some companies nervous that a hacker could misrepresent them on their corporate pages," said Walton.
"It is often a challenge for a corporate to get comfortable with the potential anarchy of social media," he said. "To be able to balance permission to speak out and reach out to each other and to clients in a rich online channel, with all the associated risks, isn't easy. In Deloitte, we have taken an approach of 'empower and trust'. The counsel given to employees is to understand the difference between the personal and the professional, to be open, honest and respectful, and as professionals, to be responsible for both their own and the organisation's reputation."
"Deloitte has also developed guidance materials for staff and online education programmes," added Walton. "In the guidance materials we set a framework of what is and is not acceptable behaviour - and individuals need to understand that social media is a very open channel and that things have a way of making it into the open. As an organisation, we also have a plan for how to respond to reputational risk matters on social media, similar to how we have a plan for how to handle such matters in the traditional media channels."
Sign up for MIS Asia eNewsletters.