By Rich McRae
January 11, 2019
Is a social media account, such as LinkedIn, a personal account? Does your financial institution’s Acceptable Use Policy address the use of social media for work-related business? What about other external accounts that require a basic profile and email address, such as Facebook, Twitter, and travel reservation or membership rewards accounts? In completing IT reviews, we have advised financial institutions to establish policy and procedures to address any employee-created accounts set up with external service providers. Some have taken the recommendation so far as to prohibit access to such accounts from bank workstations and networks.
For the purpose of this discussion, externally created accounts (Facebook, LinkedIn, Twitter, etc.) are considered personal accounts. Here’s why:
We advise financial institutions to consider the risk of intermingling personal accounts with bank-administered systems. Any external system accounts should also be identified on the user access authorization form. Management can reduce risk to the bank by encouraging employees to keep personal accounts separate from their work-related digital profiles. Best practice is to prohibit combining personal account use with work email addresses, and also to disable use of personal email accounts through email filtering.