Security in a business is about technology by all means, but it’s also about management. Lots of companies risk non-compliance in spite of having all their IT up to date, firewalled and ring-fenced, because they have failed to communicate a few concepts to their personnel.

Take the High Street retailer whose technical compliance and social insecurity were beyond compare but whose staff set up a Facebook group to discuss work. This sounds reasonable enough until someone began a chat about which celebrities and their families had been seen in a particular store, and – fatally – what they’d been buying from the pharmacy. Intended innocently, it trampled all over the privacy of one celebrity’s mother just as certainly as if CCTV footage had been put onto YouTube.

To its credit, the company in question realised immediately that there was no harmful intent so it issued some new guidelines. Likewise the other retailer whose staff began a social media page about snappy responses they’d given to dim (in their view) customers. This didn’t affect anybody’s privacy but the reputational risk to the company was severe.

There are other instances in which a business can find itself damaged because it hasn’t put a social media policy in place. Your organisation needs one, ideally enforceable through contracts.

It should cover:

  • Breaches of confidentiality, both through the company’s own social media channels and through those of the individual employees.
  • Reputational risk.
  • Who’s authorised to speak on behalf of the business, formally and informally, when there’s a crisis.

Of course there also needs to be something in there about abuse, downloading inappropriate materials and when it’s OK to use social media for personal use (do not assume you’ll be able to stop people sending out the odd Tweet or Facebook update any more than they stopped making the odd personal call on the work phone before we all had our own mobiles).

Companies can do all they want to ensure they are compliant as far as technology is concerned, and there is a lot of help available to make this happen properly. It is, however, essential to be vigilant about the managerial side as well. Social media has placed the technology to become a publisher in the hands of everybody, but not the information they may need to protect themselves and their organisation – and it’s your business that could end up exposed to risk.

Guy Clapperton is a senior journalist who has written several books and offers media training among his services. Currently he can be seen frequently on the Guardian’s small business hub and he edits the New Statesman’s Gibraltar hub; he is also editor of Professional Outsourcing Magazine.