Social Media Definition (40+ New Social Media Hacks 2019)


What is social media? Social Media Definition

One of the difficult things about defining social media is that it means different things to different people.


Social media is also a relatively new concept and one that is constantly changing, with new platforms and features appearing all the time. The term social media is much broader than many think.


Many believe that social media only refers to social networks, such as Facebook, Twitter, LinkedIn, Pinterest and Reddit, to name just a few.


In fact, the term social media can be used to describe any digital system where people connect with each other. The word ‘social’ in this context describes the way users on a digital platform share and interact with online content.


The content they share could be anything from short status updates to long-form blog posts. It could also include rich media such as images, videos or music.


While a simple online radio channel wouldn’t be described as a social platform on its own, it would become one if users were able to create profiles, build playlists and share them with others, due to these ‘social’ interactions.


Many retailers allow the products they sell to be reviewed and rated by customers. Doing this turns a simple online shopping site into a site driven by social interactions, where products can trend in popularity.


These online retail sites allow users to share their experiences, and even their own photographs of the products, through the online shopping platform.


Most people now look at travel review websites such as Tripadvisor before booking a holiday, which is another example of social media. These review sites allow users to create profiles, connect with other holidaymakers and share their experiences, photographs, and feedback as well as rate the overall holiday or hotel.


Some push the definition of ‘social media’ even further and include messaging apps like WhatsApp, and even voice over IP (VoIP) services such as Skype and Viber.


In many ways, these platforms do exhibit many of the qualities associated with social media. New social networks and digital platforms with social features are emerging all the time.


The new platforms enter a highly competitive environment where the existing platforms are fighting to keep users away from their competitors.


Because of this, some of the most successful new platforms focus either on a specific niche or a unique feature, such as higher levels of security or a promise to never sell user data to third-party advertisers.


Nowadays, because social media has become so popular all over the world, almost all new online platforms include some form of social features, such as a profile or the ability to rate or ‘like’ content or products and share them with a user’s own network of friends.


The power of social media

Social media is a fast-paced, constantly changing landscape. There are hundreds of thousands of conversations taking place all over the world at any given moment and it’s highly likely that social media users will be discussing your company, your people and your competitors.


This is a valuable opportunity to listen to them and gain intelligence about the opinions of the people that matter most – your customers and your employees.


There are a number of products on the market that allow you to listen to social media and analyze the resulting data.


This data will allow you to see trends in your industry or in public opinion and can even be used to predict future trends when modeled effectively. But you must be aware of the constraints that you face when it comes to storing or analyzing social media data.


Social media has fundamentally changed the way that people communicate with companies and with each other. We’re far more connected now than we ever were. Many people appear to be totally addicted to social media and spend hours on it every day – ignore it at your peril.


Businesses that harness the power of social media gain competitive advantage and stay ahead of change. In fact, there are a whole host of benefits to using social media effectively.


Social media shouldn’t be used as simply a channel to broadcast company marketing material. Instead, social media allows organizations to connect directly with their customers, their employees and other stakeholders in a deeper, more personal manner.


Organizations that harness social media effectively can embed their vision and gain supporters and followers. They can receive real-time feedback faster and more effectively than ever before – if acted upon, this can give the board insight into what people think about their company and can influence the future direction of the business.


Successful organizations are open and transparent. They build trust with their stakeholders. Social media can help you do this – it’s a fast and extremely effective tool. When someone sends a message to a company on social media, it’s there for the whole world to see, and the response will be judged by others.


Companies that respond with automated messages or use overly ‘corporate’ tones face a high risk of receiving complaints en masse from social media users who feel the company isn’t relating to them on a personal level.


The result can be increased negative sentiment about your company, which could have a snowball effect. What starts as a small issue can be amplified greatly if picked up and shared by social media users.


Creativity and innovation can come from anywhere – it’s no longer just the remit of research and development or specially created ‘innovation teams’. Social media allows companies to gather ideas from their customers and employees, which it can use to significantly strengthen its competitive advantage.


Understanding how to capture these ideas and turn them into reality is important for all forward-thinking organizations.


I often hear ‘this doesn’t apply to us because we don’t do social media…’ At this point, I usually have my head in my hands. If any company thinks that social media doesn’t apply to them they are seriously mistaken. We’re in the digital revolution. Digital technology is fundamentally changing the way that we do business.


Organizations need to know how to respond to the so-called digital disruptors – social media, mobile, data analytics and cloud. You only need to look at examples of former household names such as Blockbuster Video and Kodak to see what happens to companies that fail to keep up with change.


Change is inevitable – those companies who embrace it can turn challenges into opportunities and safeguard the future success of their businesses.


CASE STUDY Risk in action: The power of social media campaigns

There have been many successful social media campaigns that have raised awareness about particular issues or which received a large amount of support from users all over the world. Most social media campaigns center on the use of a hashtag. Three examples of successful campaigns are as follows:


#BringBackOurGirls – started in April 2014 after the abduction of more than 200 schoolgirls in Nigeria. It was started by a group of campaigners who wanted to exert pressure on the Nigerian authorities to do more to find the girls and bring them back safely.


The hashtag was used 3.3 million times. The most shared tweet was a photo of First Lady Michelle Obama holding a piece of paper with the hashtag written on it. The post was retweeted 57,000 times.


Ice Bucket Challenge – a campaign to raise money and awareness for the Amyotrophic Lateral Sclerosis (ALS) association. People all over the world made videos of themselves pouring a bucket of ice water over their head. The 2014 campaign saw people post their videos on social media and nominate their friends to do the same.


The 2014 campaign received $98.2 million (£64 million), compared with $2.7 million (£1.8 million) during the same period in the previous year.


#WhyIStayed and #WhyILeft – a campaign that was started in August 2014 in response to a video of an NFL player assaulting his wife.

Millions of men and women used the hashtag to organize a conversation about why they stayed with an abusive partner.


These examples illustrate how powerful social media can be when users unite in support of a campaign. But, companies should be very cautious if they want to take part in the conversations around the campaigns. At the time that #WhyIStayed was trending, DiGiorno Pizza tweeted ‘#WhyIStayed You had a pizza’.


Unsurprisingly, the company received an immediate backlash from social media users and Time published an article with the headline ‘DiGiorno used a hashtag about domestic violence to sell pizza’. Companies must understand the context of a hashtag before using it. If a mistake like this happens, apologize profusely, as DiGiorno did.


Traditional social media vs enterprise social networks

It won’t come as a shock that the most prominent traditional social media sites are those you’re most likely already familiar with, such as Facebook, Twitter, Google+, LinkedIn, Pinterest, Wikipedia and so on.


These are the sites millions of us use on a daily basis, often multiple times a day using our mobiles when we’re out and about, sometimes even sending messages from unusual places.


The first thing that some people do in the morning is open social media before they’ve even got out of bed. The key thing to take from this is that ‘traditional social media’ means the public platforms that we’ve grown used to over the last 5–10 years and that allow us to interact virtually with our friends and family, or even those we don’t know in person but have a virtual connection with online.


The key characteristics of traditional social media are:

  • a profile, usually with a photo, a short biography, and some personal information;
  • the ability to connect with others, by ‘friending’, ‘following’ or ‘connecting’;
  • the ability to share information with a larger network, be that with your group of friends, or a post visible to the general public;
  • the ability to comment on information posted to the network by yourself or others;
  • tagging or mentioning people, places or businesses in posts or in photos.


There are many social media sites out there that offer other features; however, the points above are common across most social media platforms.


Enterprise social networks, on the other hand, are technology platforms deployed within an organization to allow employees to work collaboratively, taking advantage of features similar to those in traditional social media.


It’s worth us touching on some of the high-level benefits of enterprise social networks so that we can understand why organizations are implementing them in the first place.


There is a rapidly growing trend in the industry for organizations, both small and large, to implement platforms that allow their employees to collaborate internally.


You may have already heard these platforms referred to as ‘Facebook for the enterprise’, or a company’s ‘internal Facebook’. While this does go a little way in explaining what it is, it falls far short of really defining the benefits of implementing such a system.


I would avoid using such terms as they can cause confusion for end users and give them a false impression of the platform before they’ve even experienced it.


An enterprise social network allows an organization’s employees to connect with each other and to discover other people within their organization across the globe.


Have you ever considered how difficult it can be to find specific people or experts within a large, multinational company?


Imagine that you are based in the United Kingdom and you want to find a colleague with a specific skill. Perhaps you’re working on an international project involving the use of databases in a foreign country, let’s say Russia, and you’re stuck on a certain aspect.


You want to find someone who understands databases and might be able to help, but they need to have Russian language skills too.


My guess is that you would start by leveraging your own personal network, calling your connections and sending a few emails to colleagues. If you work for a large organization this could be like finding a needle in a haystack…


One of the key features of an enterprise social platform, similar to traditional social media, is a profile. Each user has a profile to which they add their skills, contact information, photos, interests and anything else relevant. This makes it much easier to find people in your organization by using the in-built search functions.


You may think that this sounds like LinkedIn or a glorified internal phone book; however, it’s far more than that. The internal profiles become much more powerful when you think about the other key feature of Enterprise Social: collaboration.


Enterprise social networks enable collaborative working across the globe. Most platforms allow you to create or join ‘groups’. These groups are virtual areas that allow users to connect and post content of interest to members of the group, similar to LinkedIn.


So, if you work as a communications professional at a multinational tire manufacturer, you might want to join a group that focuses on writing, branding or communications.


By doing this you’ll be able to see other colleagues who also work in communications around the world. Because each user has a profile with details about themselves it’s an easy way to find or meet colleagues virtually and build your network. 


Some of the real power of Enterprise Social can be seen in the discussions that are taking place in groups.

Using our example from earlier of trying to track down a Russian-speaking colleague with experience working with databases, we might enter a search on the platform. By searching, we might discover some groups devoted to discussing the very same issues we’re trying to resolve. 


By reading through the comments and checking out the profiles of the people making the posts we might just find exactly the person we’re looking for.


Many of the leading enterprise social networks also integrate into Microsoft Office. This allows two or more people to work on a document at the same time. The document is hosted ‘in the cloud’ (on the platform itself) and users publish their changes as they go.


This reduces effort on versioning as there’s no need to keep emailing the latest document around to your team – the latest version, plus all of the previous versions, are neatly organized and stored for reference.


This may sound similar to the functionality of some other platforms, such as modern document repositories or file sharing tools; however, what’s different is the ‘social’ element that allows users to discover new documents and content.


Controlling the uncontrollable

Social media has grown quickly and organically. Controls weren’t designed from the outset. Social media is naturally uncontrollable – people can, within reason, publish whatever they like. Because of this, organizations need to implement good governance to ensure that the risks of social media are managed without putting a stranglehold on it.


If too much control is placed around social media, many of its benefits will be lost. This idea will be explored in more detail in the next blog when we look at the social media risk continuum.


While social media was not created with control in mind, there are a number of things an organization can do to help manage risk. This book covers many of the approaches an organization can take, from designing effective policies and implementing operating procedures to monitoring for compliance.


There are also a number of tools on the market that can help you manage traditional social media. We will look at some of these tools.


Where traditional social media can be somewhat uncontrollable, meaning that you are reliant on the network itself to provide control features such as moderation and privacy settings, enterprise social networks are usually more configurable.


As previously discussed, an enterprise social network is an internal social collaboration platform an organization implements to allow its people to connect with each other and work together.


Controls must be implemented in and around the enterprise social networks in order to protect the organization. This ranges from security controls to make sure the platform is unlikely to be hacked, to governance frameworks and policies to protect the users and the data within the network.


There are many vendors in the enterprise social network market, each with their own advantages, disadvantages and configuration options. It’s important that you understand what controls you need to have in place before you choose a product. If you don’t, you could end up paying a lot of money for a product, only to find that it doesn’t meet your risk and governance requirements.


It could be very costly to implement controls afterward and, in some cases, the vendors may not offer the protection and control you need, meaning that you might need to consider starting again with another vendor.


The key takeaway here is that before making any decisions or commitments, you should carefully plan what you want from your platform, how it will align to your business objectives, and how you will manage the risks. Only then should you think about the technology that will support your goals.


Why are governance and risk management so important?

Good governance is the foundation for success in social media. A good governance strategy will help you understand how you can harness the power of social media to meet your strategic goals.


It will help you keep ahead of change and ensure that you can anticipate issues in advance and address them before they turn into a problem.


There are many stakeholders who have an interest in how social media is used in an organization. Typical stakeholders could be marketing, IT, HR, operations, security, sales, and so on. A good governance strategy will bring these different groups together and ensure that everyone is on the same page, working towards a common goal.


It will help you understand where you are, where you’re going and how you get there, while at the same time satisfying any specific requirements along the way and staying within any constraints to help your company succeed.


It’s not unusual to see eyes glaze over when the subject of governance and risk management comes up. There’s a perception that governance and risk is a dull, compliance-type topic that you visit only to tick some boxes. But in fact, governance is all about the mechanics of how you operate and it’s this that will make your project a success.


Furthermore, if you think of all of the social media blunders that are reported in the press almost every day you can begin to understand the importance of good governance and risk management. Many of us, myself included, find some of the social media mistakes organizations make highly entertaining.


And the way a company responds to an initial incident can be equally entertaining as they make a bad situation worse! Their mistakes should press home the need to ensure that you don’t fall victim to the same thing yourself. This is where good governance and risk management come to the forefront.


All too often I see or hear about companies who have implemented a certain social media strategy only to have it rejected at a later stage by the dreaded risk and compliance department.


The reason for this is often that the people running the project failed to engage them and articulate how the strategy fits into the organization’s risk strategy.


Risk Overview

In this section, I’ll outline some of the key risks of social media, help you understand how social media can go wrong and point out where you need to focus extra attention to ensure that the risks are mitigated. I’m not going to use example after example of social media fails to push the point home about where it can all go wrong.


Instead, this blog will help you understand risk and empower you to implement good governance to ensure that you harness the power of social media, manage the risks and avoid embarrassing social media blunders. I will, however, point out good and bad examples from the real world where relevant.


I’ll introduce you to some of the basic principles of risk management and explain how they relate to social media. First, a well-defined risk strategy will aid decision making, make the organization more agile and able to respond to change, and allow effective use of resources.


Risk strategy

Organizations need a risk strategy that aligns to their social media strategy and the business’s overall objectives. Risk appetite and corporate culture play a big part in a risk strategy and are essential in achieving the goals of the business through its engagement in social media.


Risk strategy should be established by the board and sets out how an organization’s business objectives will be met through risk management. A well-defined risk strategy helps an organization with decision-making and supports the effective allocation of resource and spending by mandating how risks are to be managed.


Your approach to risk

Risk appetite is the amount of risk that an organization is willing to tolerate in order to deliver on its objectives. Having a clearly defined risk appetite will help an organization make decisions about how it will engage with social media to fulfill its goals while keeping the amount of risk that it is willing to tolerate within reasonable limits.

The organization can then design processes to avoid exposure to unacceptable levels of risk.


Risk appetite can be categorized as low, moderate or high. A low risk appetite will require the organization to have robust social media policies and procedures in place, with effective systems and controls to help manage risk.


Likewise, an organization with a high risk appetite may have less robust policies and less control in place because the cost of mitigating the risk may outweigh the impact of the risk occurring.


It’s worth pointing out that different stakeholders within the organization may view risk very differently. For example, the marketing department may want to gain as many followers or connections on their social media accounts as possible or to generate and push out as much content as they can.


The compliance department, on the other hand, may want assurances around what content the department is posting or who it is connecting with on social media. A good governance strategy will bring these stakeholders together and enable them to work together effectively. 


Risk assessment

Social media is fast moving and evolving. This means that the risks it poses are also changing, with new risks emerging and existing risks gaining more or less potential impact. Because of this, it’s important that risk strategy is documented and that a risk assessment is completed on a regular basis.


A risk assessment involves evaluating and documenting the potential risks involved in a project or activity. The risk assessment for a small short-term project will likely only take an hour or so to complete, but a larger project will need more consideration and the risk assessment may take much longer.


How often a risk assessment exercise is performed will depend on the organization’s risk strategy and risk appetite, but I would suggest that a full social media risk assessment be completed at least annually.


It’s important for organizations to be aware of the typical risks of social media. There are five categories of social media risk, which we will look at in turn later in this blog.


I strongly recommend completing a risk assessment in order to understand what risks exist, how they might impact the organization, the likelihood of them happening and weighting or prioritization of the risks.


Doing this will allow senior management to understand where extra resource may be needed or where extra control, policy or process may need to be implemented in order to manage risk.


Not all risk will have an adverse effect on the company’s objectives; in fact, some risks may not be catastrophic and may represent an opportunity for the company to grow or to increase efficiency.


For example, rather than lobbying against upcoming social media regulation or facing fines for non-compliance, risk management can help you focus ahead of time and implement programmes to be on the right side of it. This can also result in an improved reputation, and being recognized as a company that understands risk and has long-term ambitions.


Measuring risk is a tricky business. It’s often difficult to quantify risk but it is possible to think through scenarios to understand how a particular risk event may impact an organization.


Likelihood could be expressed using a scale of ‘high’, ‘medium’ and ‘low’, or alternatively, a numerical scale could be used such as 1–5 (1 being not likely, 5 being extremely likely).


When considering the likelihood of a risk event occurring, it’s also useful to think about frequency. Is this risk event likely to happen weekly, monthly or annually?


By deciding the impact and likelihood of a risk, you can plot that risk on the matrix to see what weighting or prioritization it might have. As you move through the risk matrix you can see that a risk that is very unlikely to occur and which, if it did occur, would be insignificant, would end up with an overall weighting of low.


Using a numerical scale to measure likelihood and impact will help ensure that risks are reported accurately. This will help management to see quickly which risks require their attention.


The risk matrix can be tailored to be in line with your risk tolerance. For example, you may decide to change categories slightly by changing a risk that is possible and severe from ‘extreme’ to ‘high’.


When we think about the impact of a certain risk, it’s also useful to think about the ‘velocity’ or ‘speed to impact’. By this I mean, how long will a particular risk event take to have a direct impact on the company, and how long will it last? Will it be a one-off event, or will it be a continued event that lasts for, say, a week?


In the world of cybersecurity, a distributed denial of service (DDoS) attack aims to make a company’s website unavailable by flooding the web server with thousands of requests. This event could last for a few days, a week, or longer, depending on how the company responds.


On the other hand, a natural disaster such as an earthquake may last only a few seconds but could have a big impact on the organization for months afterward.


Risk assessments should be documented and reviewed. Any resulting actions should be tracked to ensure that the risks are managed appropriately, in line with risk strategy and risk appetite. When assessing risk, it may become clear that new controls need to be implemented, or existing controls changed in some way.


When used in conjunction with the risk matrix, a risk assessment helps to prioritize tasks or changes and inform decisions and future resourcing needs. Documentation like this is also useful to illustrate that risk management procedures are being adhered to, should a regulator ever challenge the organization over issues relating to social media.


An activity could be something like posting content to corporate Twitter from mobile devices and the risk may be that someone could accidentally mix up the corporate account with their personal account.


Controls that you may have in place to safeguard against this might be regular training or a policy dictating that corporate accounts should only be accessed from corporate devices.


You may assess the likelihood of this happening to be quite possible (3) because you have a large team, but that the impact would be severe (5) because of the reputational damage that it could bring, and because you operate in a highly regulated environment that could attract fines, for example.


The resulting risk rating would be 3 × 5 = 15, ‘extreme’. After discussion and consultation, you may decide to implement a social risk and compliance tool, which you assess as having a risk rating of ‘low’.


Unfortunately, when dealing with risk there are no absolute right or wrong answers since much depends on the future which, as we all know, is notoriously difficult to predict.


However, once serious consideration has been given to the risks it’s much easier to prioritize them in a way that senior management or other stakeholders can understand. This means that risk management can be operationalized in a more effective way.


The risk continuum

In social media, for example, some activities need to be controlled, but placing too much control may, in fact, increase risk. Social media is fast moving, and it’s important that organizations are agile and able to respond to trends or conversations quickly.


If there are too many controls in place around what can be posted, by whom, when and from where, the organization may miss opportunities or be unable to respond to crises in a timely manner.


Effective controls demand resource and sometimes even require external consultants to advise on how they can be created. Too many overcomplicated controls are therefore expensive to implement, and the cost may outweigh the benefit of having them in the first place.


The sweet spot is where an organization has a balance over its risk management activities, where the organization is aware of the risks involved with social media and has implemented a strategy that will allow it to meet its objectives in line with its defined risk appetite.


Corporate culture

Culture has a big impact on how an organization uses social media and how much risk they are willing to be exposed to. People are a company’s biggest asset, but they are also the biggest risk.


If a culture of doing the right thing is well embedded into the organization, it will have a positive effect on how rigorously risk will need to be managed.


It is generally accepted that the tone set by those at the top has a great impact on the behaviors of the workforce; therefore, it is the board that is responsible for defining, communicating and demonstrating its culture in line with its risk appetite and business strategy.


The organization’s people need to understand what risks they are allowed to take and what is unacceptable. They must also understand the consequences of taking risks beyond tolerable levels.


For all the policies, procedures and controls which an organization implements, if the culture does not naturally reinforce the right behaviors then these risk management devices will prove ineffective.


It’s all too easy to point the finger at someone who has taken an inappropriate risk, but there are a number of questions that should be considered when this occurs, including:


  • Why did they take the risk in the first place?
  • Were they driven to it by the corporate culture?
  • Did they receive the right training to identify which risks are appropriate, and which are not?


Enterprise social networks can help embed the risk culture because they allow leaders to demonstrate the behaviors that they expect from their people.


Having leaders of the organization active on an enterprise social network, perhaps posting regular communications and interacting with people, sets an example to others in the company and it helps set the tone of what is acceptable and what is not.


It surrounds everything that a company is and does. The culture, set by leadership, influences the business’s goals, its strategy, and its mission or purpose. It influences how people within the organization behave and sets boundaries for what is appropriate and what is inappropriate.


A company’s culture should align with its employees’ personal ethics and values, which should, in turn, set a precedent for how employees behave. Furthermore, messages about corporate culture should be visible within all company communications, whether that be top-down corporate communications or those between individuals.


Finally, policies and procedures should be aligned with the culture of the organization. If policies undermine company values or ethics, for example by enforcing behaviors or actions that go against the ethics of that company, it will have a negative impact on culture in general.


All of this is particularly important for social media because, as you’ll see throughout this blog, good ethics are important to ensure social media success.


There are many examples where organizations have used unethical tactics in order to promote their products or encourage users to engage with them but, in almost all cases, unethical behavior like this results in more significant issues that could have been avoided.


Hashtag-hijacking is the most common example of the unethical tactics that some companies have used, by adding trending hashtags to their posts out of context and for the sole purpose of increasing the reach of the post. When a hashtag supporting a social cause is hijacked it often causes the highest level of resentment from users.


Social media risk maturity model

Hopefully, it’s clear that there is not just one accepted approach to social media risk management, and that the extent to which an organization manages social media risk depends on its culture, risk appetite, and overall business strategy.


That said, the social media risk maturity model can help an organization understand where they are in terms of social media risk management, their ‘current maturity’, and help them get to where they want to be, their ‘aspired maturity’.


The social media risk maturity model shows five levels of maturity, each of which builds on the previous levels. Level 1, ‘Initial’, is the most basic level of social media risk management.


As you can see from the model, an organization at this level will have recognized the risks of social media but has not standardized processes around the management of risk. As you progress through the levels, the amount of risk management, processes, policies, and controls increases until you get to level 5, ‘Optimized’.


An organization with current maturity at level 2, ‘Repeatable’, will understand the risks that social media poses and may even have completed risk assessments in relation to it. But there will be no standardized processes or procedures and social media will be managed in an ad-hoc fashion, with little or no formal training available to employees.


At level 3, ‘Defined’, efforts have been made to implement processes, procedures, and policies to govern the use of social media, but there is little control to ensure that they are being followed or adhered to consistently.


When an organization is operating with a maturity at level 4, ‘Managed’, social media ownership, responsibility, and accountability are defined, although there may be a lack of board sponsorship.


At this stage, robust processes and policies are defined, documented and controlled, although tools to support or monitor these processes and policies may be lacking. At level 4 you might find that systems to review processes and policies are in place, but that metrics to track social media are basic, or lacking.


Finally, an organization operating at level 5, ‘Optimized’, understands the impact of social media and it is a board-level agenda. The processes and policies are defined, documented and monitored and a regular review cycle is in place.


An organization operating at this level will likely have systems in place to manage social media, such as Social Risk and Compliance tools, and the tools themselves will be monitored and tested on a regular basis.


Incident and crisis management will be well embedded in the organization, including how social media incidents will be addressed or how social media might be used during some other unrelated crisis. Adequate resource and likely dedicated teams will be responsible for social media on a day-to-day basis.


It’s important to remember that not all organizations aim to be level 5, ‘Optimized’, and nor should they. It may be that the cost of achieving level 5 maturity could outweigh the benefit of a social media programme in the first place. Still, this model can be used to understand where you are and help you reach your aspired level of maturity.


Risk categorization

There are, broadly speaking, five categories of social media risk. Some risks may have an impact on one or more categories.


For example, a hacked Twitter account would probably be classified as an information security risk, but if the account was used to post abusive messages it may cause reputational damage.


Efforts to regain control of the hacked account would place a heavy demand on resources, which is an operational risk. Finally, the hack may lead to an investigation by a regulator, which may enforce financial penalties.


Reputational risks

Reputational risks are most commonly attributed to traditional social media. The risk stems from people posting content online, either deliberately or by accident, which can harm the reputation of an organization.


As mentioned previously, a common mistake is when an employee who tweets on behalf of the organization mixes up his or her personal account with the organization’s official account.


It can be very embarrassing when a rude or inappropriate tweet is sent out from a company’s official channel, but unfortunately, there are many examples of this.


It’s surprising that there are still many executives who don’t understand how risky social media can be. For example, Ryanair boss, Michael O’Leary, hosted a Q&A session on Twitter without regard to how Twitter users might react to some of his comments, such as ‘Nice pic. Phwoaaarr!’


A company’s reputation takes time to build and trust can be lost in the blink of an eye. Seemingly small mistakes on social media can go viral fast. If these incidents are not managed correctly, they can lead to a loss of investor confidence and have a negative impact on a company’s share price.


Fake accounts

Fake accounts pose a threat to organizations and it’s important to have plans in place to deal with this risk. There have been examples in the past where seemingly official, but nonetheless fake, accounts have been set up to act as though they were speaking on a company’s behalf. These accounts can attract a lot of followers as well as considerable media attention, which can be a real embarrassment to the company.


CASE STUDY Risk in action: BP fake Twitter account

In 2010 an oil rig exploded and subsequently sank in the Gulf of Mexico, causing a huge oil spill which is considered to be the largest accidental marine oil spill in the history of the petroleum industry.


The rig was operated by British Petroleum (BP) and shortly after the news hit the media, BP faced a barrage of complaints and condemnation from shocked and concerned people all over the world.


What happened next was that a fake and satirical Twitter account was created called @BPGlobalPR which mercilessly posted tweets with dark humor mocking BP, such as ‘The good news: Mermaids are real. The bad news: they are now extinct. #bpcares’.


In the space of a few months, the total number of users following the fake Twitter account surpassed those following BP’s official Twitter account, gaining over 150,000 followers.


BP’s response to the Twitter incident was slow, which you might argue is understandable given that their attention was on fixing the spill in the first place. But this incident does show just how difficult it is for some companies to keep control over their reputation online.


World events

In order to use social media effectively, it’s important that companies listen to other users and think before posting. There are many examples of companies using disasters to sell their products. This is clearly a sensitive issue.


For example, many would agree it is inappropriate for a life insurance company to promote its services in direct connection with a catastrophe, such as a plane crash or explosion.


Amazingly, though, this is what one life insurance company did shortly after the Malaysia Airlines Flight 17 disaster in eastern Ukraine in 2014.


When disasters occur it doesn’t take long for hashtags or related words to start trending on social media. Companies should carefully consider the impact of posting marketing material linked to disasters as it often attracts high levels of condemnation from social media users.


It’s often also picked up by the traditional media channels such as TV or the papers, and consequently has an even more damaging effect on the company’s image and reputation.


Operational risks

The operational risks of social media also threaten organizations. Far too often I see companies that are worried that their employees are going to be wasting time on social media when they should be working. Often this means that the company has a policy of blocking all social media sites.


But really, is there any point in doing this in this day and age? If you’re a fan of social media then the chances are that you’re going to have a smartphone to access all of your social media accounts.


If an employee can’t access Facebook or Twitter at work, they can easily circumvent the block by using an alternative personal device such as a smartphone or tablet. There are other regulatory and compliance issues to consider but we’ll cover them in the Regulatory compliance risks section of this blog.


So, let’s think about employee effectiveness and how social media impacts it. I would argue that employees can be motivated by being allowed to use social media for personal use, but what we’re ignoring is the business benefit.


If you do a quick online search for social media and business you see that there are many articles about how businesses are using social media to gain competitive advantage, recruit top people and even sell products and services. The main risk here is that if a business doesn’t embrace social media, it could lose its competitive advantage.


An additional risk relates to culture. The exact definition of ‘Generation Y’, or ‘millennials’, is contested, but generally speaking, it refers to those people who entered work between 2000 and 2010. These people are ‘digital natives’ – they have grown up with technology and expect their employers to have embraced it.


In 2011 and 2013 PwC, the global network of professional services firms, published ‘Millennials at work: Reshaping the workplace’ and ‘NextGen: A global generational survey 2013’ respectively.


The reports highlight how millennials approach work and employment. Some millennials admit to breaking policy if it is going to help them complete a task more quickly or efficiently. 


For example, Dropbox is a cloud-based file sharing service that many organizations block because they are – quite rightly – concerned about what data might be exchanged on the platform. The reason for the concern is that the organization will have no control over what happens to that data once it is uploaded.


Yet, many millennials admit to using such systems, even though they know that they are breaking company policy, usually because the company offers no alternative. The solution is to offer a decent alternative that the organization can control.


Millennials are used to easy-to-use, always-on, connected services and devices. If you offer them no corporate or approved services to use, they will simply use others without your knowledge.


Furthermore, many millennials expect their employers to be as comfortable with digital technologies as they are themselves. Organizations are constantly fighting a battle to find and employ the best talent, and organizations can appeal more to the younger generation by showing that they are forward-thinking digitally-aware companies.



Another operational risk of social media is the risk that social media is not sufficiently governed.


An example of this could be around moderation. In social media, moderation is the act of removing or censoring posts that appear on your various pages. With a lack of governance and oversight, moderation may be sporadic or could even have serious legal implications for a business.


For example, if you run a social media account and users post abusive or threatening messages on it, what should you do?


Most would agree that you should remove these posts, but by doing so you are setting a precedent that posts will be moderated.


It then becomes your responsibility to continually monitor the posts and determine what is appropriate and what is not. This poses a few risks because, first, it may require considerable resources to monitor and moderate the pages.


Second, unless very clear guidance exists about what should be moderated, and in what way, the removal of posts may anger social media users who feel that their voice is being censored.


If you run an enterprise social network that is used to share knowledge, reports and other work-related documents, your organization will be responsible for the content within that network.


The risk of not monitoring or moderating the network is high because your users may use it to distribute documents to which they do not have copyright licenses, or worse, to distribute illegal materials.



One of the benefits of social media is its ability to foster innovation. Social media, both traditional and enterprise, allow people to connect with each other and work together virtually. Companies can engage with their customers and get real-time reviews and suggestions about their products or services.


This can be vital information for the company as it ponders new services or product lines and allows it to use the ideas of a wider range of people and, in turn, gain a competitive advantage.


Enterprise social networks provide companies with the full power of their people in a way that was previously extremely difficult. No longer is innovation solely the realm of the research and development teams. Many of the tools allow ‘ideation’, which is the concept of allowing people to submit ideas online and vote other ideas up and down.


This ‘crowdsourcing’ of ideas with natural peer review (through votes and comments) can be harnessed to drive efficiencies and further encourage innovation.


The main operational risk is that if these tools are ignored, or if their implementation is ineffective, there is a chance that a company will lose out on the benefits that could, in turn, lead to loss of competitiveness, especially if their competitors adopt these technologies.


Another point to consider is how easy it might be for someone to cheat the system in some way in order to make their ideas gain more votes, thereby eroding value and making strong ideas less prominent.


Regulatory compliance risks

There are a number of regulatory and compliance risks that affect social media. The risks differ depending on where you are in the world; for example, there are a large number of regulatory bodies in the United States that have issued specific requirements and guidelines around social media.


In March 2015 the UK’s financial regulator, the Financial Conduct Authority (FCA), published guidance on how to maintain compliance when using social media.


Apart from that, however, at time of writing other UK regulators had very little in the way of requirements or guidance around social media specifically. Instead, UK advertising codes cover social media use in advertising.


A particular challenge that companies have experienced when implementing global enterprise social networks is data privacy and protection. Organizations need to be able to prove that they have appropriate controls in place to safeguard data. Much of the data privacy and protection legislation around the world conflicts.


For example, in the EU much of the legislation seeks to protect data and stop it being shared without the explicit permission of the owner. In the United States, on the other hand, eDiscovery laws dictate that all information is discoverable when needed for legal proceedings, meaning it can be accessed and held to support a legal case.


This often puts the laws head-to-head – on one side, EU data can’t leave the EU without permission; on the other side, US data needs to be discoverable.


Significant challenges arise when we think about a global system hosted in, let’s say, the United Kingdom, but accessed by employees in the United Kingdom, the United States, and Germany. What happens to the data? Which laws take precedence?


The plot thickens on our data privacy journey when we start thinking about data retention and archiving laws. Companies are required to retain certain documents and files for set periods of time.


An example of this is the number of years that a company is required to keep its tax returns or accounts before they can, or should, be deleted.


If a company breaks these laws it risks heavy fines. Companies also need to keep archives of emails and other communications sent and received so that they can use them if required in a legal case.


Now, what about data held on enterprise social platforms or messages posted on external social networks? If email communications need to be retained then it’s a safe bet that social networking communications also need to be retained. 


Many countries have laws about advertising standards that aim to protect the consumer. It’s important to remember that these standards apply to all forms of marketing, and therefore include social media.


The regulations may state that advertisements and endorsements need to be clearly marked as such so that social media users understand that that’s what they are.


Because of this, many companies use the hashtag ‘#ad’ or ‘#endorsed’ to denote posts that are advertisements or endorsements. Another strategy for ensuring regulatory compliance is attaching an image containing terms and conditions to the original post.


Financial risks

Probably one of the most serious financial risks for larger companies is the negative effect social media can have on their share price. Yet, amazingly, many business executives just don’t understand this.


They understand that reputational issues or a bad article in the press or print media can impact their share price, so I’m surprised that a disconnect with social media still exists.


After all, there’s a giveaway in the word ‘media’. There are lots of examples of companies who have suffered declines in their share price following an error.


In April 2009 Domino’s Pizza suffered a 10 percent drop in the value of their share price when a video showing two rogue employees committing public health law violations went viral on YouTube and disgusted viewers.


The lack of appropriate processes to identify a social media incident and then to respond in a timely manner can lead to investor confidence being lost due to the incident spreading across the globe virally through social media.


Social media can also impact the stock markets more broadly. In April 2013 a hacking group called the Syrian Electronic Army (SEA) hacked the Associated Press Twitter account and posted a tweet with the text ‘Breaking: Two Explosions in the White House and Barack Obama is injured’. This caused panic on Wall Street and led to an almost instant drop in the Dow Jones Industrial Average, wiping out $136 billion in value before recovering shortly afterward.


Remediation efforts are another big financial risk. In 2012 a UK-based bank suffered an IT outage that affected many of its customers. The remediation efforts to fix the problem and provide assurance that it wouldn’t happen again were likely sizeable. These risks exist in social media also.


If you suffer a social media incident – for example, if your main company account is hacked – you must act quickly to resolve the issue. You’ll likely have to pull resources from other projects to provide focus on resolving the issues with your account.


This may, in turn, attract the attention of the regulator, who can impose fines or financial penalties on your organization.


Information security risks

Social media developed organically, meaning that certain security controls that you would expect in corporate systems nowadays weren’t implemented very effectively in the early days of social media. Social media has also changed the way that we communicate, which has led to changes in what we share about ourselves online.


Access controls

One of the problems with social networks is the challenge around account management. Twitter, for example, does not allow multiple people to log in to one account. So if you have an account for @MyCompany, you only have one username and password to access that account.


This means that if you have a team of people who are tweeting on your company’s behalf, they will either be sharing the username and password or using some kind of third-party management system.


The problem of sharing usernames and passwords is that it increases the risk of the credentials being intercepted by a hacker. For example, if the password for the account is changed you will need to communicate it to the group of people who need access to the account. Although not ideal, most people will send the details by email.


This increases the risk that a recipient may be included in error, or that one of the recipients could forward on the message (either intentionally or by mistake). When login credentials are shared via email there is also a risk that the email could be intercepted by eavesdropping applications that hackers have installed on computer networks.


Or, if the login credentials are communicated over the phone, the person receiving the credentials may decide to write them down on a piece of paper and pin it to their screen.


The sharing of login credentials also means that it’s not possible to see who posted what to the Twitter page as everyone is sharing the same username. Whichever way you look at it, sharing login credentials is risky.


The best way to solve this predicament is to implement a system to manage social media interactions. These systems are referred to as social risk and compliance tools. There are many vendors out there and each offers different features, such as analytics, sentiment analysis and post scheduling.


Something that most have in common is that you connect your account to the management system, and each of the users who need access to that account gets their own login credentials to the management system.


This means that they log in to the management system and post updates through it rather than logging in directly to the social media account.


This helps reduce the risk of login credentials being stolen. It also means that there is a central management system that is used to create or disable users, for example when someone leaves the company.


While this sounds like the ideal solution for managing this risk, it means that you are putting your trust in the vendor to ensure that your account details and other information are secure. If the vendor does not follow good security practices it may be hacked, exposing all of your data or information.
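The arrangement described above can be sketched in a few lines. This is an added example, not code from any vendor or from the original text: the PostingBroker class, its methods and the account and user names are hypothetical, and the publish step is a stand-in for a real platform API call.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class PostingBroker:
    """Hypothetical management system: it alone holds the social-account secret."""

    def __init__(self, handle, account_secret):
        self.handle = handle
        self._account_secret = account_secret.encode()  # never shown to staff
        self._users = {}      # username -> {"salt", "hash", "active"}
        self._sessions = {}   # session token -> username
        self.published = []   # stand-in for the platform: (text, request tag)
        self.audit_log = []   # (UTC timestamp, username, action, detail)

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash so the broker never stores staff passwords in clear.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _audit(self, username, action, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, username, action, detail))

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt, "hash": self._hash(password, salt), "active": True}
        self._audit(username, "user_created")

    def disable_user(self, username):
        """Leaver process: one change here, no password rotation for the team."""
        self._users[username]["active"] = False
        self._sessions = {t: u for t, u in self._sessions.items() if u != username}
        self._audit(username, "user_disabled")

    def login(self, username, password):
        user = self._users.get(username)
        ok = (user is not None and user["active"] and hmac.compare_digest(
            user["hash"], self._hash(password, user["salt"])))
        self._audit(username, "login_ok" if ok else "login_failed")
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def post(self, token, text):
        username = self._sessions.get(token)
        if username is None:
            self._audit("unknown", "post_rejected", text)
            return False
        # Stand-in for the authenticated API call made with the account secret.
        tag = hmac.new(self._account_secret, text.encode(), "sha256").hexdigest()
        self.published.append((text, tag))
        self._audit(username, "post", text)   # attribution a shared login lacks
        return True

    def posts_by_author(self):
        return [(user, detail) for _, user, action, detail in self.audit_log
                if action == "post"]


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    broker = PostingBroker("@MyCompany", "constructed-account-secret")
    broker.add_user("alice", "alice-pass")
    broker.add_user("bob", "bob-pass")
    alice, bob = broker.login("alice", "alice-pass"), broker.login("bob", "bob-pass")
    broker.post(alice, "Launch day")
    broker.disable_user("bob")                     # bob leaves the company
    print(broker.post(bob, "after leaving"))       # rejected
    print(broker.posts_by_author())
```

Every post is attributed to an individual, and disabling one user revokes that person's access without touching the account password that the rest of the team never sees.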


Careless employees

Unfortunately, people are often the weakest link in the chain when it comes to security. Because of this, company culture and appropriate training are vital. Employees can be duped into sharing information with an attacker.


The most common attack of this kind is ‘phishing’, which is where a user receives an official-looking email asking them to log in to their social media account.


Unfortunately for the unsuspecting user, in a phishing attack, they will be logging in to a malicious website that simply looks like the real deal. When they log in, their user credentials can be stolen easily by the attacker.


Careless employees can also be the reason for confidential or sensitive information being shared on social networks when it should not be. Without the appropriate training and awareness, a user may inadvertently announce to the world that your company is about to be acquired, or may share negative views about one of your company’s own products.


Many of the social media fails are down to users simply making mistakes, for example by accidentally posting something from the company’s official account instead of their own personal account.


Keeping your confidential information confidential is of the utmost importance to any organization and although often not deliberate, a careless employee can easily make a mistake.


Third parties

Knowing where your data is and how it is protected is vital to the longevity of a business. In an enterprise social network, your data may be hosted on data servers that are owned and controlled by the platform vendor.


This means that you are reliant on the vendor to ensure that the appropriate information security controls are in place and that the platform itself is resilient, meaning that it won’t be unavailable or offline. This risk can be a real headache for many businesses and requires a lot of thought.


The process of acquiring an enterprise social network can be long and drawn out. It can involve a long contracting period, security, risk and privacy assessments, external assurance on the vendor’s platform and sometimes even security testing, or ‘penetration testing’, to ensure that the platform sufficiently protects its users’ data.


This point is also valid for traditional social media as well as cloud-based services in general. By storing your data in the cloud or on a vendor’s servers you are relying on that vendor to keep your data secure.


If you use a social risk and compliance tool you are entering a trust relationship with the vendor as they have access to your accounts and some of your data. You should seek assurances that security issues are addressed and that data is being handled appropriately.


In the eyes of a regulator, this is the company’s responsibility, not the vendor’s, and it is the company that is ultimately responsible should a data breach occur.


Regulatory compliance risk rears its head here too. You risk litigation if you do not have the appropriate controls in place to stop information being shared incorrectly cross-territory.


For example, you may need to adhere to laws in the EU which dictate where HR data can be accessed from, or in the United States you may be required to provide data to adhere to a data request from a court, but you need to be careful not to break the EU laws at the same time.


Strategy Overview

Strategy is an important element to consider when it comes to thinking about governance and risk management.


Governance and risk management are redundant if they have no strategy to support. Likewise, a strategy without supporting governance and an understanding of any potential risks is likely to fail.


‘Social media’ is far broader than just how a company uses Twitter, Facebook or YouTube. In this blog, we look at some of the other ways that you might want to use social media as part of your overall social media programme.


Throughout the blog, the examples and ideas will be presented with governance in mind so that the concepts can be implemented and their benefits realized.


Whether you’re looking at social media inside or outside of your organization, you will need strategies to engage a wide range of stakeholders. These could include company employees, customers and other departments such as HR, IT, Risk and Compliance and so on.


This blog will give you the tools you need to design a strategy with the appropriate governance to support it. It will also give you the confidence to engage other departments effectively in order to foster their support.


Designing a strategy

Purpose

It’s important to understand what exactly you want to achieve from social media. Once you know this, you can think about the steps you need to take in order to achieve your objectives and consider what governance you might need to support it.


The purpose of your social media programme should align with your organization’s objectives as a whole as well as the ethos of the organization.


For example, if your organization prides itself on transparency and doing the right thing, then your social media programme should reflect this. Your social media programme should not be a ‘bolt-on’ that operates independently from the organization.


There is a wide range of reasons that you might want to use social media, often described as ‘use-cases’, such as:


Increasing brand visibility. Social media is an excellent way to increase brand visibility due to the viral effect of a lot of social media content. If your content touches someone in a positive way, they may be tempted to share that content among their own network. This amplification effect is extremely powerful.


Improving customer services. Many customers now turn to social media as their preferred method of contacting a company because of the speed and openness of the communication.


Many organizations are now moving away from the traditional call center customer service operations and are focusing their support online or through social media support teams.


It’s important to remember that some customers will find this frustrating, and prefer to speak to a human being. Therefore, it is best to consider your customer base and establish an appropriate balance accordingly.


Promoting products or services. Clearly, this is a big one that won’t need much explanation. I’m sure that we’ve all seen social media, as well as other marketing channels, used to promote specific products or services.


If this is one of your objectives for your social media programme you should ensure that any ethical standards you have for promotion in other channels are replicated within social media. This may seem obvious, but it’s astounding how many people see social media as a ‘wild west’, where anything goes!


Driving engagement with your customers, employees or suppliers. You may want to better connect with your customers so that you can listen to their needs and provide them with the products and services that they want when they want them.


This is also an excellent way of gaining valuable feedback from your customers as to what they like and dislike about your products or services.


Connecting your employees. Enterprise social networks, in particular, are great for helping your employees connect with each other. Especially if you are a large organization with disparate or siloed teams operating in different physical locations, helping your employees connect will allow you to increase employee engagement, satisfaction, and efficiency.


Knowledge sharing. Social media can break down silos and enable information and knowledge to be shared throughout your organization more effectively. This allows your people to find the information that they need quickly, and in turn, to work more efficiently.


Recruitment. Social media can be a very effective tool for recruitment. Anyone who’s active on LinkedIn will know that it is used actively by recruitment agencies and headhunters to advertise new positions and find potential candidates.


Jobs are posted and shared through social media and some networks, such as LinkedIn, offer premium services to help recruitment professionals find and target prospective candidates.


Other innovative uses of social media for recruitment that I’ve seen are where an organization uses social media to tell a story about what it’s like to work at that organization.


They publish blogs about ‘a day in the life of person X’ where someone at the company shares information about what it’s like to work there on a day-to-day basis. This puts a face to a brand and makes it easier for people to relate to your organization.


As you can see, there are many reasons you might want to embark on a social media programme and the list above is by no means exhaustive. However, it’s worth pointing out that you don’t need to do everything all at once, and nor should you.


How much you can attempt or achieve in social media will depend on the culture of your organization, the maturity of social media use within it, and – of course – your budget!


Whatever you decide, the first step to creating a solid strategy is to define and document the purpose of your social media programme.



Before kicking off any social media programme or campaign it’s important to listen and monitor what is happening on social media. If you don’t, you are unlikely to achieve your objectives, and may even end up doing more harm than good. Social media is a place for conversations.


It’s where real people connect with each other, sharing things with their networks and engaging with others on a human level.


Your organization can be part of those conversations, but as with face-to-face communication, you wouldn’t butt into an existing conversation between a group of people and push your own points while totally disregarding what the others are saying. Well, some might do this, but good etiquette is outside the scope of this book!


It’s likely that conversations will be taking place about your company, its products, your competitors or your competitors’ products. You have the opportunity to hear what people think about these, and you should take it.


Many of your customers and employees will already be active in social media so once you’ve established the purpose of your social media programme you should complete an exercise to understand what relevant conversations are already taking place, where they’re happening and who the influencers are.


Once you’ve completed an exercise to analyze the conversations in social media, don’t stop there – you should continue this monitoring constantly. Conversations are fluid and are taking place all the time.


Opinions, influencers, and topics of discussion will change over time, therefore you need to ensure you have a mechanism to continue listening. Even if your current campaign comes to an end, listening should continue as it is one of the ways that you can be alerted to, or even predict, a crisis.


There are many tools that can help you with social media listening and monitoring, and the market appears to be quite saturated in this respect. Whichever platform or tool you choose, ensure that it fits your needs and allows you to identify the social media conversations you want to be part of.


The openness and transparency of social media mean that you can even listen to conversations between your competitors and their customers, something that can give you a significant competitive advantage if you’re able to act on that information.


But don’t forget that your competitors will also be able to listen to the conversations between you and your customers, so you will need to ensure that you continue to listen, engage appropriately and bring new products and services to market in order to stay competitive.



It’s often said that in social media or online, ‘content is king’. If you work in marketing, you may have grown to dislike this phrase. It’s a term that was splashed around quite a lot in the past.


However, I do feel that it’s useful for those who haven’t worked in marketing. I quite like it because it emphasizes the point that to engage in social media effectively you need to have good content that will engage others.


Many times I’ve been approached by clients or colleagues who tell me that they want to get on social media and promote their products or services. Their next question is usually ‘so, how do I monitor and measure the impact of my posts?’


When I ask what content they’re planning to use in their campaign I usually receive a confused look or a ‘we’ll cross that bridge later…’ This is not the right way to plan a social media programme.


You need to create exciting and engaging content, use social media to post that content, and allow your followers or supporters to share that content across their networks.


The content you post also needs to be fit for purpose and suitable for sharing on social media. The vast majority of users access social media through their smartphones and, therefore, you need to ensure that your content is suitable for that medium.


If you’ve ever tried reading a 100-page PDF report on a smartphone, you’ll know what I mean. Constantly zooming in and out, scrolling in all directions… it’s very frustrating for the user and will mean that much of your content is ignored.


Keep in mind also that attention spans are low online and on social media. People want information or the answer to their question quickly.


It’s, therefore, your responsibility as the content provider to give them what they want, in the format that they want. If you don’t, you’ll probably find that your content has very low engagement metrics.


Don’t overcomplicate it either. As Einstein said, ‘Any intelligent fool can make things bigger and more complex… It takes a touch of genius – and a lot of courage – to move in the opposite direction.’


Also, remember the constraints of the social media networks themselves. Posting on Twitter is totally different from posting on Pinterest or YouTube, for example. You need to choose the right content for the network.


Content that works well for social media includes:

Blogs. Blogs are extremely popular on the internet and they give the ability to publish to the masses. Blogs are short-form text, usually around 350 words in length. Blogs can be about anything, literally!


If you plan to use blogs in your content strategy, you should consider who is going to be writing, what they’re going to be writing about and what the call to action is for the reader.


A blog, or any piece of writing, needs a punchy and engaging title or heading that entices people to read the blog. The use of short sentences is advisable in blogs as they make it easier for a reader to quickly scan through the content.


Infographics. These are images that convey statistics, facts or other information in a visually appealing format. Infographics are usually long (vertically) and allow the viewer to scroll down through a story, reading break-out text, quotes and viewing images as they scroll.


Infographics are popular online with many being shared on social media networks, but particularly on Pinterest.


Pictures/photos. As the saying goes, ‘a picture is worth a thousand words’, and as social media users want to consume information quickly and easily, pictures can be an effective way of conveying your messages.


Most social networks allow pictures to be embedded directly into posts, and pictures have become a staple of most engaging posts.


Video. If you want to know how to do something, such as install some shelves or cook a new dish for dinner, in the past you may have searched for an article with instructions.


Nowadays, however, many users look first for a short video that explains how they can solve their problem. While it may take a little more time and effort to create engaging video content, video content is growing in popularity and many popular social media networks allow video to be embedded directly into posts and shared.


Regardless of the format that you choose to publish your content, you must ensure that you are communicating your messages clearly and effectively, and in most cases, you should include a call to action.


How do you want your viewers and readers to feel when they read or view your content, and what do you want them to do? Clear calls to action will help make your content more effective, your communication more effective, and in turn drive your engagement metrics.


Don’t forget that social media is not a one-way channel for you to broadcast your products, services or content. You will want users to engage with your content in some way.


Consideration should also be given to who is authoring and publishing your content. Many organizations choose to produce content in advance that can be posted and shared by specific individuals within your organization through their own networks.


If your employees are being encouraged to write blogs, you will need to give them the appropriate tools and training to do this effectively, while ensuring that they understand the boundaries, policies, and safeguards you have in place. These controls and safeguards are discussed in more detail in the remaining blogs of this book.


Not all content will or should be pushed out repeatedly forever. For example, if you have a social media campaign running during a specific time period, you’ll want to ensure that you have plans in place to ensure that the content is indeed posted during that period and not afterward.


Content calendars can be an effective tool for planning what content is going to be posted, by whom, how often, and when.


Many companies choose to post content relevant to certain events that are happening in the world and that are trending on social media. If there is a genuine link between something that’s happening in the world and your brand, then this can be an effective way of gaining extra exposure but should be done with caution and tact.


There are many examples where companies have posted content related to a specific event only to find that social media users have taken a disliking to it, or it has caused offense in some way.


For example, in September 2014 US business tycoon Donald Trump was duped into retweeting a post from a Twitter user that said ‘My parents who passed away always said you were a big inspiration. Can you pls RT for their memory?’ and included a photo of a man and woman.


The photo that had been attached was actually a photo of notorious murderers Fred and Rose West. After Twitter users pointed out the mistake, Trump deleted the retweet, but this just goes to show that you need to be absolutely sure you understand the event that you’re posting about.


As a rule of thumb, it’s probably worth staying clear of references to natural disasters when promoting products or services, as some fashion retailers in the United States found.


American Apparel, a fashion brand, was one such brand guilty of this at the time of Hurricane Sandy, which was a deadly and destructive hurricane that hit the North East of the United States in 2012.


American Apparel tweeted ‘In case you’re bored during the storm. 20% off everything for the next 36 hours’. Customers were eligible for the discounts by using the promotional code ‘SANDYSALE’. This promotion caused outrage on social media as it was seen to be exploiting a very serious natural disaster in which 285 people died.


In 2014 Catherine, Duchess of Cambridge gave birth to Prince George of Cambridge. The birth of the Royal baby was met with much celebration in the United Kingdom and many companies decided to launch promotions at the same time to celebrate the birth.


However, not all got it right. Starbucks Coffee released a photo of three of its coffee cups, each wearing crowns, depicting the royal family, with a small coffee cup at the front. Unfortunately for Starbucks, the post was blasted by social media users who pointed out that babies should not be drinking coffee.


Designing for mobile vs desktop

As previously discussed, people access social media from a variety of different devices, such as smartphones, tablets, desktop/laptop computers, and even smartwatches. It’s important to bear this in mind when designing the content that you plan to push out on social media.


While standard text, images, and videos will probably be universally compatible with the main devices, there may be times when you want to encourage people to visit a specific website or application that you have created.


If you plan to launch a specific website or microsite to support a campaign and you plan to publicize it through social media, you had better make sure that the website is compatible with a broad range of devices.


You should also consider what software is running on those devices, for example, if it’s a smartphone or tablet, is it running iOS, Android, Windows or BlackBerry OS? For desktops/laptops you’ll need to consider whether it’s running Windows, Mac OS or another operating system such as Linux.


To further complicate matters, users have a choice of which internet browser they use. The most popular internet browsers are Internet Explorer, Safari, Firefox, Chrome, and Opera. We can take this to another degree of complexity by considering which versions of a browser your website will support.


For example, if you want to use features of HTML5, a scripting language used for web design, you will need to consider that earlier versions of some browsers may not support the functionality.


Clearly, device and browser compatibility is a complex and specialist area, but one that you should be aware of. From experience, I know that if you are not explicit in your conversations with developers regarding compatibility requirements, you may find your new website will only work properly with a small subset of your target audience.


If social media users follow your links to your new website and find that it doesn’t work, you’re likely to feel a backlash.


That said, it’s important to know your audience and find a balance. Trying to develop content that will display seamlessly on all devices, all operating systems and all previous versions of web browsers is near impossible.


But it is important to consider your requirements in advance. Just because your company is using one of the latest versions of a web browser doesn’t mean everyone else is.


Many large corporates, for example, have policies in place that stop them from upgrading to the latest version of software until a later date. This is because new software often contains bugs and security holes. Larger organizations wait until these issues have been fixed and the software is more stable before they upgrade.


I was once part of a ‘social vote’ designed to allow users to vote for the people that they wanted to hear speak at a conference.


The votes were captured through Facebook ‘likes’. Working at a large organization, our default web browser at the time was Internet Explorer 9 but the latest version available was Internet Explorer 11.


To my horror I found that the ‘social voting’ functionality which had been implemented was not compatible with Internet Explorer 9, meaning that none of my work colleagues were able to vote for me using their work browser.


I hoped that perhaps some of my colleagues would be able to vote using their mobile devices, but then discovered that because they were viewing a webpage on their phone when clicking the ‘Like’ button, they were prompted to log in to Facebook.


This confused many people as they were never normally asked to authenticate themselves when they opened the Facebook app on their phone. It also caused some of my colleagues to become suspicious of the login page and simply close the webpage, thinking that it may be a hoax designed to steal their information.


Many developers I speak with are surprised by the fact that many large businesses use an older version of internet browsers, so it’s worth bearing this in mind when developing new content which you plan to share through social media.


If you don’t, it could cause a lot of frustration and anger among your social media followers, especially if employees of large organizations are part of your target audience for your products, services or social media campaign.


‘Responsive web design’ is the concept whereby websites are developed to provide optimal viewing experiences across multiple devices, as it can be difficult to view websites that have been designed for desktop screens on mobile devices.


Which networks should you target?

There are certainly a lot of social media networks out there, which can make it difficult to decide where you should focus your efforts.


Due to the ‘always on’ nature of social media conversations, it’s not advisable to try to target and maintain a presence on every social network you can think of. By doing this you will be spreading yourself too thinly, and consequently diluting your message.


In turn, this increases the likelihood that you will miss something on one of the networks unless you have considerable resource at your disposal. Therefore, as part of your social media listening activities, you should spend time identifying the networks most popular with your target audience.


The functionality and purpose of each social network differ, so it’s important to know and gain experience using the networks on which you plan to develop a presence.


If your organization operates in countries where English is not the native language you may wish to consider targeting popular networks in those territories. This will, of course, pose challenges related to language as well as time zones.


The multinational organizations which most effectively target non-English social networks have dedicated social media teams located in the country where most of their audience is based.


This will allow the local teams to post content that is relevant to the culture of that country, as they will be ‘on the ground’ and more aware of local issues.


A popular way of demonstrating some of the main differences between the different social networks is by using a doughnut analogy.


Rome wasn’t built in a day

The age-old saying ‘Rome wasn’t built in a day’ is as true in social media as it is elsewhere. While social media is a fast-changing medium where certain posts can go viral, attracting huge numbers of views or shares in the space of minutes or hours, don’t expect that you will be able to reach your goals instantly.


Building a brand and attracting followers or supporters takes time, perseverance and persistence. It’s hard work. Don’t be tempted to try to take shortcuts – these more often than not backfire.


One of the typical ways that some people and brands have tried to outsmart the system is by purchasing followers. Many people and brands measure their success by the number of followers/connections they have.


In many ways, this is an effective measure; however, it can be manipulated. There are a number of companies that offer social media followers for cash. Unfortunately, though, it’s not actually real people who will be following you or your company.


Instead, the companies that offer these services have thousands of fake accounts which they use to follow you. Paying for services like this, aside from being unethical, is usually a breach of the social network’s terms and conditions, and therefore increases the risk that your account may be blocked by the network.


Social media users will also view your activity as unethical and deceptive, which will cause a breakdown of trust in your faithful followers, who may turn against you. Furthermore, paying for fake followers, likes or retweets will make it much more difficult for you to extract meaningful metrics about your social media engagement.


Often, social media programmes or social media marketing campaigns will run for an extended period of time and will consist of multiple tasks. Some of these tasks may run in tandem, but with different start and end dates.


Certain content may need to be created while another part of your project is running, and certain key dates may need to be met in order for other parts of your project to run smoothly.


A common way of illustrating project timelines and tasks is to use a Gantt chart. Time is displayed horizontally and tasks are listed vertically. This makes it easy to see what tasks or activities should be running at any given time, and should help you predict any pinch points where extra resource or support might be required.


Getting everyone on the same page

A challenge that many face when starting a social media programme is stakeholder engagement. The chief information officer (CIO) of any given organization will typically be responsible for IT, and the HR department will be responsible for people and people-related issues and policies. When it comes to social media, however, it’s often less clear who owns it, or who should own it.


Typically, there is some justification for a number of different stakeholders owning social media:


Marketing. In many organizations, social media is used as a marketing tool. They may pay for advertising on social media and track who the influencers are so that they can engage them directly. Marketing, therefore, have a valid argument as to why they should own it.


Communications. Some organizations use social media primarily, either externally or internally, as a communication tool. They use it to connect with their employees or to communicate press releases externally.


Customer services. The use of social media as a means of providing customer service is quite mature in the United States and is growing in the United Kingdom.


Where teams of customer service representatives are using social media regularly to engage with customers there’s a valid argument that customer services should be the owners.


IT. Some organizations believe that because social media is accessed through IT equipment, IT should be responsible for and take ownership of social media.


Those in IT may also identify social media as a risk, as viruses and other malware could be downloaded to the company’s IT equipment and introduced to the corporate network through social media.


HR. As social media is about people connecting with each other, and because social media is seen by some as a ‘time-wasting activity which employees are engaging in when they should be working’, some argue that HR should own social media and its associated policies.


The HR department will already have policies and procedures in place to deter bullying or inappropriate behavior at work and therefore may want to extend this authority to social media too.


So, what’s the answer here? Who should be the rightful owner and take responsibility for social media? One answer doesn’t fit all, unfortunately, and in many cases, there will be a mix of people and departments who have a stake in social media and a role to play.


Governance can be used as a way of making the process of identifying an owner and linking up the different stakeholders easier. By engaging each of the groups or communities who have an interest in social media within an organization you can begin to formalize the roles which each will play.


I can’t stress more firmly the need to ensure that the different stakeholders are brought together to support social media within an organization. Forming working groups and committees that meet regularly to discuss strategy, planned activities, and issues is vital to ensuring that the benefits of social media are realized and risks are managed.


How regularly the working group or committee meetings take place will depend on the size and complexity of your organization.


As with any working group, an agenda should be circulated beforehand and any actions should be captured, documented and reviewed at the next meeting. This topic is covered in more detail in blog 5, Governance.


Engagement in social media will require a budget. Even if you do not plan to pay for sponsored posts or other forms of advertising, do not overlook the time commitment.


Who holds the budget for social media is often something that many struggle with. As all organizations are structured differently, there isn’t a quick answer to finding the budget that you need.


You may find that the key stakeholders who have an interest in social media each contribute to the overall social media budget. For example, Marketing may budget an amount for advertising on social media and IT may budget for the necessary tools to monitor and control social media.


Advocates and reverse-mentors

Advocates and reverse-mentors can be instrumental in helping you achieve your goals in social media. An advocate, sometimes called a ‘champion’, is someone in your organization whose official role is not necessarily related to social media, but who has the energy and enthusiasm to champion your initiative and encourage their colleagues and peers to use social media.


Reverse-mentoring is where someone who is more junior in an organization mentors or coaches a more senior colleague. If you want to engage the people within your organization and encourage them to use social media well, then advocates should be one of your secret weapons.


When it comes to engaging some of the more senior members, reverse-mentors can be effective in getting them on social media, which in turn should encourage its use further down the organization.


The tone from the top

If you have ambitions to engage the people in your organization and encourage them to use social media to promote the company or to amplify the organization’s marketing messages, then you’ll need to think about how to engage the leaders at the top of the organization.


Without buy-in, sponsorship and engagement from the leaders at the top, getting people lower down to engage with social media is likely to be an uphill challenge, to say the least.


Before going to your senior leaders for support, you will need to have a clear vision in place for what you want to achieve. You should then try to identify a sponsor, preferably at board level, who will support you. It’s likely that you’ll need to spend time presenting your plan and vision to the sponsor to gain their support, but once you have it, you’ll need to use it.


It is important to stress just how important buy-in from senior leaders is to the successful rollout of social media through an organization.


The figure illustrates how a top-down approach, where your senior leaders lead by example, is more effective than a bottom-up approach, where you encourage people lower down in the organization to adopt social media without support from the top.


Once you have successfully engaged someone to sponsor your initiative you can get to work preparing material to present to the wider leadership team. Everyone fights for time with the senior leadership and everyone believes that whatever it is that they’re working on is the most important thing.


So, persistence and self-belief will go a long way in helping you achieve your goals. Getting a slot on the agenda may prove difficult, but it’s necessary to increase your impact and buy-in across the leadership.


I often find that many senior leaders are supportive of social media initiatives, but are simultaneously cautious because they often haven’t had as much exposure to social media as, say, the digital-native generation.


I find that a formal programme of reverse-mentoring can be the best way to gain further support and help those senior leaders become active on social media. This is hugely rewarding, both for the mentor and the mentee.


Reverse-mentors will need support too, so it’s worthwhile creating a short training course for them so that they know what specifically they should be providing coaching on.


Courses that include some soft-skills around engaging and dealing with senior leaders may also be necessary, as some people may find it intimidating going to a senior leader and coaching them in something that they see as easy or obvious.


I believe the mentor-mentee relationship should be owned by the two individuals engaged in the coaching, but that the mentor should be offered guidance and supporting material to assist them.


A one-off meeting may be effective in the short term, but for the senior leaders to benefit most they should understand the time commitment, engage in the sessions and ensure they happen regularly, for example monthly.


Engaging the rest of the organization

Once the senior leaders in the organization are behind your initiative and are fully bought-in to what you’re trying to achieve it will be easier to engage everyone else. Engaging the rest of the people in your organization will not be an easy task, but the use of advocates will greatly increase your chances of success.


Advocates are crucial because they can encourage their colleagues and peers to adopt social media by explaining the benefits to them in a way that is relevant to their part of the business. They’re also far more accessible to those who need a bit of support and would rather approach a friendly colleague than a central team.


An effective advocate programme will rely on the successful engagement of advocates throughout the organization at all levels. The advocates are giving up some of their time to support your initiative so it’s important to give them the support and materials that they need to make their job easier.


Some material you may wish to make accessible to the advocacy group is:

Use-cases for social media that explain the benefits of the new way of working.


Examples of social media success stories.

Presentation templates and a master deck of ready-made slides that they can pick from and adapt to their needs.

Ready-made email communications or announcements that they can tailor and send out to their teams.

To engage the advocate community you could run meet-ups or virtual meetings to let them know about important changes or developments before the wider community.


If you are rolling out or already use an enterprise social network, creating a specific group on the platform that can act as a repository for all the resources and materials that an advocate might need is a good idea.


Doing this will also give the advocates a platform to allow them to connect with other advocates and bounce ideas around, discuss any challenges and plan the development of new materials.


What makes a good advocate or mentor?

I believe that the most important attribute of an advocate or mentor is passion and energy. They will be playing a challenging role and will probably receive push-back from people at all levels of the organization. People generally don’t like change, so it’s natural that some will challenge the need to adopt social media or an enterprise social network.


Patience is a virtue, and it’s an important attribute for both advocates and mentors to have. Coaching can be tough and the advocates and mentors may find themselves explaining the same, seemingly simple, steps again and again.


Some organizations have a selection process for their advocates. They stipulate a set number of advocates that they are going to be able to accept onto the programme.


Other organizations make it completely open and allow anyone to become an advocate if it’s of interest to them. What you choose here will depend on the culture within your organization and your operating model.


If your organization is large it may work in your favor to allow anyone to become an advocate as it’s not always possible to predict who is going to have the required passion, enthusiasm, and persistence to really make an impact in the organization.


Motivating advocates and mentors

As previously stated, advocate and mentor roles are usually in addition to an official role. Because of this, it’s important to carefully consider how best to engage and motivate your advocate community.


Some ways that you might decide to motivate or reward your advocates are:


An advocate of the month award. A good way of motivating and recognizing their efforts is to run an advocate of the month competition.


The prize does not necessarily need to be monetary and instead could simply be having their name in lights as the advocate who made the most impact in that month. Perhaps it could also be something that could lead to their end-of-year performance review.


Presenting at advocate meetings. Some of the advocate community will often be junior members of your organization. Giving them the opportunity to get in the limelight and present some of their success stories, or particular challenges that they have faced and overcome could be exactly the type of recognition that the advocates will respond to.


Badges. Help your advocates to stand out within your organization by giving them badges that they can wear to help others identify them as advocates of your social media programme.


T-shirts. During any big internal communications campaigns, you could provide T-shirts for your advocate team to help others identify them easily.


To coordinate the advocate programme and engage the advocates and mentors is a challenge in itself. It is worth considering whether or not to create a full-time role for an ‘Advocate Programme Manager’.


Clearly, this will depend on the size of your organization and the ambition of your social media programme. Regardless of whether or not you have a budget for this, bear in mind that managing a group of advocates will take considerable time and effort.


Almost all organizations run an annual performance review whereby employees are reviewed against a set of competencies and objectives. It’s likely that you could link your social media programme directly to one of the competencies that employees are required to demonstrate.


By doing this it gives the advocates and mentors an extra incentive so that, come end-of-year review, they have evidence to show how they have demonstrated one of the competencies through involvement with the social media programme.


Many organizations that I have worked with understand the value of communication and knowledge sharing, and therefore include it as one of the competencies that are reviewed at the end of the year.


A social media programme, either internal or external, should be able to fit neatly into this category and give the advocates and mentors a big differentiator against their peers as having supported the programme and demonstrated knowledge sharing and communication.



Crowdsourcing is a concept whereby something, such as an idea, is ‘sourced’ from a larger group of people, ‘the crowd’. Crowdsourcing has grown in popularity as people and companies have come to realize that they can use social networks to harness the power, innovation, and ideas of large groups of people easily.


The important thing to remember is that ‘the crowd’ is a wide network of people. You can ‘source’ anything that you want. Crowdfunding is an offshoot of crowdsourcing and refers to the sourcing of funds or money.


There are a number of crowdfunding websites that enable artists, entrepreneurs, film-makers, scientists or pretty much anyone to harness the power of a wide network to source funding.


Typically, someone who has an idea for a project, but needs some funding to get it off the ground, will use a crowdfunding website to raise the funds.


Users of the crowdfunding site can ‘pledge’ money to the project in return for some kind of token gift related to the project. For example, a musician may offer people who pledge money to their project a free song or album in return.


The key here is that social media is usually the enabler because crowdsourcing would not work without a wide network of people who can connect virtually.


What’s more, because crowdsourcing relies on social networks, other benefits come to the fore. Users can discuss and appraise projects or ideas within their own networks. Not only does this help drive awareness of a particular project across an even wider network, but it also acts as a form of peer review.


Projects or ideas are reviewed in public and the idea or project owner receives real-time feedback from a diverse group of users. This information can prove extremely valuable to the project owner as it gives them a chance to test their concepts with a large group of people and make any amendments or changes that might improve their original project.



Ideation is the crowdsourcing of ideas. Ideation is enabling organizations to really harness the collective knowledge of their people and foster innovation. Many enterprise social networks have ideation functionality built in, but there are also a number of standalone ideation platforms available.


The huge advantage and opportunity for organizations looking to use ideation is that it gives them the ability to reach out to all of their employees, regardless of their role, location or seniority, and capture ideas about a specific topic or question.


For example, an organization might post the question ‘How do we grow revenues faster?’ or ‘How can we improve the way that we share knowledge or communicate?’


The employees in the organization can answer the question by submitting ideas. Just imagine the possibilities – ideation can unlock the potential of all of your people to help you innovate and stay competitive.


What’s more, ideation functionality or platforms allow ideas that have been submitted to be voted up or down. This acts as a peer review, where the best ideas, as viewed by the users, will rise to the top of the list and the less popular ideas will sink to the bottom.


Commenting allows users to critique the ideas and offer guidance or support about how to develop the idea further. Not only is ideation a great way to capture ideas and innovations, but it is also a very effective engagement tool.


If supported by a good communication campaign and clear leadership support it can quickly become ‘the thing everyone’s talking about’.


Any ideation project will need appropriate governance to support it. Depending on the solution or platform you choose, you’ll need to make a number of decisions about what governance you want to implement. Some things that you can consider are:


Moderation. The good thing about ideation is that ideas are essentially ‘peer-moderated’. Ideas are voted up and down by users of the network. However, you may wish to implement an approval step to have ideas reviewed before they are published on the platform to ensure that they don’t include any offensive or abusive comments.


Review team. It’s important to remember that, as with most things, an oversight or management group will be required to manage the campaign or programme. Particularly if you force all submissions to be reviewed, you will need to define the process for approval or rejection.


Ideation stages. Do you plan to have a number of ‘rounds’ where the top ideas go through to the next round and the top ideas in that round progress to a third round and so on? If this is the case, you’ll need to define the parameters for each round. Some parameters that you might use to dictate which ideas will progress are:

  • minimum number of views;
  • minimum number of positive votes;
  • minimum number of comments; and
  • minimum team size.


Management override. It might be possible for some users to manipulate the platform in some way, for example asking all of their connections to vote for their idea.


As a rule, it’s best to limit your management intervention so that it doesn’t look like everything is being censored and so that it doesn’t undermine the whole concept of ideation.


However, there may be some particularly strong ideas that are submitted which get missed, perhaps because the idea owner forgot to encourage their network to vote for them.


In these cases, it may be beneficial to reserve the right to push through particularly good ideas to the next stage if they were not able to reach the required metrics.


You should also note that the functionality available from vendors will differ and some platforms may offer more control over how you govern the platform than others. It’s important to complete a review of your requirements and potential vendors before purchasing a platform as getting it wrong could be a costly mistake.



Gamification is a term used to describe features and functionality within an online platform that reward users in some way for performing a variety of typical tasks.


The simplest example to illustrate this is a points-based system, where users of a platform receive a number of points if they submit or answer questions, upload documents, vote on polls and so on.


The purpose of using gamification techniques is to drive user engagement in a platform. If you are implementing an enterprise social network, for example, and you want to encourage people to post their ideas or share knowledge on the platform, you may find that gamification is one of the mechanisms you could use to encourage these behaviors.


It may seem banal at first as you may ask yourself ‘why would anyone care that they have more virtual points than another person?’, but in fact, gamification can result in a large increase in user engagement when effectively implemented.


Caution is needed when considering your gamification strategy, as you must keep a balance between users using the platform to add value and users simply wasting time.


Whether you are trying to drive user engagement inside or outside of your organization, gamification can be very effective as some users get consumed with the ‘gaming’ nature and can spend long periods of time on the network.


Clearly, too much time spent on a social network can have a negative impact on other areas of the users’ work or life, so consider functionality carefully.


Personally, I would stay clear of immersive games that hook users in for long periods of time. Instead, I’d focus on simple rewards for actions, such as a reward for uploading a document or sharing a post with colleagues.


As previously stated, virtual points are a typical first step into the world of gamification. Users are awarded a variety of points based on a set number of actions, and the number of points that they are awarded will depend on your strategy.


For example, if your main objective on a platform is to encourage users to share documents, you might give a user five points for each document uploaded.


Comments on a discussion thread may also attract points, but perhaps you would award only one point for every comment that is added to a discussion. It’s common to have various ‘status levels’ based on the total number of points a user has achieved. For example, a user with 0–50 points may have a status level of ‘new’, 50–100 points may grant the user ‘intermediate’ status and so on.


Virtual ‘badges’ are another way of rewarding users for displaying certain behaviors. For example, a user may get awarded points for correctly answering a question.


If that user correctly answers a certain number of questions on a certain topic, say 50, they could be awarded a badge, such as ‘Subject Matter Expert’. Badges would normally be displayed on the user’s profile so that others can see them.


Many companies already offer similar schemes as a way of encouraging brand advocacy and loyalty. On a small scale, many restaurant chains offer loyalty schemes whereby they offer points or free products to loyal customers; for example, a coffee shop may offer its customers the ‘10th coffee free’.


On a larger scale, most hotel chains offer loyalty schemes that reward their customers with ‘points’ which can be redeemed for things such as a free night’s stay or a room upgrade.


Most also include different status levels, meaning that those customers who have stayed a predetermined number of times at one of the chain’s hotels will get a higher status which will offer them even more benefits.


These enticements are similar to the gamification incentives that can be implemented in social media and, from experience, I can confidently say that playing the ‘hotel point game’ with colleagues can be quite competitive as work colleagues compete to see who can amass the most points.


Hopefully, the benefits of implementing some form of gamification as part of a social media programme are clear. Gamification can significantly increase engagement and adoption of a new way of working.


However, it’s important to consider the governance and controls that might be needed, both to ensure the success of your project and also to ensure that the related risks are managed effectively.


In some parts of the world, enabling gamification functionality can cause a number of legal challenges. Local employment law may disallow certain gamification features if they are seen to feed into an individual’s performance review unless the features were agreed by an authorized group or council.


In Germany, for example, ‘workers’ councils’ protect employees and hold power over what an employee is allowed to do in relation to performance appraisals or working conditions. Likewise, trade unions may also have a view on how gamification can be used as a way of measuring an employee’s performance.


Large organizations will need to ensure that they adhere to the local employment laws of the countries in which they operate. The impact of this may result in a need to implement controls within your enterprise social network or other applications that are specific to certain countries.


These specific requirements are important to address; therefore, it’s important to seek appropriate legal advice to ensure that you do not face heightened risks in this respect.


Engaging external communities

Many organizations have successfully implemented ‘customer advocacy schemes’ as a way of engaging with their customers. Customer advocacy is designed to engage a small group of customers of a business in a way that encourages them to support the company or its other customers.


Generally, the customers are not paid; instead, they are given incentives, such as free access to events, access to the company’s professionals or free access to its services. A good example of a strong customer advocacy scheme is Microsoft’s ‘Most Valuable Professional’ programme.


The power of a brand can be truly awesome. You just need to look at the fans of Apple to see it in action. Fans of Apple products sometimes queue for hours outside Apple stores at the release of a new product so that they can be some of the first customers to own one.


Many computer games also have fans who support a particular game to such an extent that they will openly defend the game, or the company behind the game if it faces criticism.


Building a customer advocacy scheme usually means giving customers a platform where they can engage with both the company and its other customers. You’ll need to consider:

  • How do you want customers to engage?
  • What is the outcome you’re looking for?
  • How will you reward or encourage engagement?
  • Do you have the resource capacity to support such a scheme?


A customer advocacy scheme isn’t necessarily right for all organizations. One of the best examples of customer advocacy in action is in technical help forums. Sometimes, certain customers may be more knowledgeable about a particular piece of software or technical application than the developers who created it.


This may be because those customers have tested the application on a wide range of devices and have identified problems and fixes to problems that they have experienced.


Many technical support sites allow customers to post questions about a particular product. These questions are often answered by other customers who have experienced the same issue. This community of users offering each other advice is an excellent example of customer advocacy.


Users of these platforms are often motivated through gamification techniques. Those that answer questions that have been posted by other customers can gain points or badges as a reward. These points and rewards sometimes equate to discounts for other products or services.


An active community like this is a valuable resource for companies. New products or services can be tested by the community, who will then feed back on what they like and dislike and will flag issues or bugs that they identify.


This obviously means that when the product or service is released more widely, the company will have had the opportunity to address any issues or problems with it.


The small print

When considering strategies to engage employees or external communities it can be easy to overlook the importance of terms and conditions.


For example, if you run an ideation platform for your employees or even any form of external community, it’s important to remember to design terms and conditions that set out the purpose of the platform as well as the ownership of the information within it.


I recommend getting independent legal advice to ensure that the terms and conditions provide enough protection for your organization.


Some points to consider are:

The ownership of any ideas or content submitted on the platform.

Data privacy.

Marketing – will you contact them? Will you give their data to third parties/affiliates?

It’s important to ensure that the rules of the platform are clearly outlined to the users in your policies and training material. This is not only to ensure that the platform is used effectively, but also to safeguard the owner of the platform.


For example, users may unknowingly break copyright by uploading photos or imagery they do not own. That copyrighted material would then reside on the platform, which may mean that the company providing the platform is breaking copyright.


The key takeaways are:

  • seek legal advice regarding the terms and conditions of the platform;
  • ensure that users of the platform agree to the terms and conditions before they are able to use the platform; and
  • store the user’s acceptance of your terms and conditions with the date and time that the terms and conditions were accepted.


Aligning your governance to your strategy


Your strategy should not be held back by governance. Instead, governance is there to help your project succeed. It’s designed to help you gain maximum benefit and ensure that any associated risks have been addressed and are managed.


Many people I have worked with get anxious at the thought of approaching the people in risk and compliance. They assume that they might stop the project from going ahead, or might dictate extra requirements, such as the implementation of safeguards before they can give it their blessing.


While this may be true to some extent, it’s important to engage all stakeholders early to ensure that you don’t find that your project gets shut down at a later stage due to some issues that were not addressed.


Trying to implement a social media programme without wider input may mean that you commit to purchasing some tools, only to find that at a later date you need to cancel the contract because of security concerns you had not considered. These mistakes can, of course, be very costly.


Although it may feel like a lot of effort in the short term, designing good governance and solid controls from the outset will help your project succeed in the long term. There will, undoubtedly, be many stakeholders who have an interest in your social media programme.


The ideas, concepts, and frameworks in this blog will help you to engage with those stakeholders more effectively and allow you to address the concerns of each group. You will be able to demonstrate that you have thought about the potential issues and have a plan in place to address them.


The key steps you need to take are:

1. Work out what you want to achieve from your social media programme.

2. Analyze the risks your project may face.

3. Design appropriate governance around it to ensure that the risks are managed according to your risk tolerance.

4. Decide what technology will support your social media programme, and how it will need to be configured to support your governance framework.


This blog helps you consider what you want to achieve from your social media programme and makes you aware of the risks that may impact it. The other blogs in this series, and the ideas, frameworks, and concepts throughout, will help you decide what governance and control you might want to put in place in order to manage risk.


As demonstrated, too much governance and control can be expensive to implement and can hamper your project’s success by over-protecting it. Therefore, governance and risk management is about achieving a balance, engaging with key stakeholders and working towards a successful outcome for all involved.


Some of the frameworks may need to be tweaked for your specific industry, organizational culture or strategy; however, they should prove to be a solid base for building the governance around your programme.


Documenting your strategy, policies and operational procedures will also go a long way to helping you control risk and achieve success. Should you ever be in a situation where a regulator is investigating how social media is managed at your organization, one of the first things they will ask for is your documented policies and procedures.


Something that I find many people get mixed up with is when they start thinking of technology first, rather than what they want to achieve. It’s often tempting to dive into research about the technologies that might support your goals; however, by taking a step back and documenting what you want to achieve and your requirements, you’re more likely to pick the right technology to support your project.


Doing this the other way around is likely to impact what you think you are trying to achieve because the various features available can cloud your vision and lead you to try to do too much.


Likewise, if you think about how you are going to govern and operate your programme early on, it will allow you to choose the technology provider which meets your needs and discount the ones that offer lots of features, but don’t actually meet your needs.



In this blog, we covered strategy in the context of governance and risk management. We covered how to define the purpose of your social media programme and tactics that you can use to achieve your goals.


We also looked at ways of engaging people inside and outside your organization, as well as how to motivate them and encourage them to help you meet your own goals.


You learned that governance is about how your strategy operates and how being risk-aware while designing a strategy allows you to focus on what you want to achieve and, in turn, what governance you might need to implement in order to support it.


In the subsequent blogs, we will delve deeper into the risks which you may face while running your social media programme and we’ll look at what controls and governance can be implemented to manage those risks. 


Any social media programme will involve handling personal data. The next blog will give an overview of the risks of handling personal data and outline some of the controls you can implement to ensure that it is safeguarded.


Data privacy and control

Data protection is a complex and evolving hot topic that could warrant an entire blog on its own. In this blog, I’m going to draw your attention to some of the common issues that arise in this area and highlight their relevance to social media. I often find that companies are unaware of the importance of data protection and the risk of not getting it right.


But ignorance is not a valid justification for non-compliance. Many countries around the world have their own laws and guidelines related to data protection and this represents a particular challenge for multinational organizations.


But even those companies that operate in only one country need to be aware of their local laws and be able to demonstrate compliance with the data regulators.


Data privacy and protection

The law surrounding data protection in the EU is currently being reviewed. The current EU Data Protection Directive 95/46/EC is going to be superseded by the proposed General Data Protection Regulation.


At the time of writing, the General Data Protection Regulation is expected to be adopted in 2015 and come into force in 2017. It foresees fines of up to 5 percent of a company’s worldwide revenue for non-compliance.


Furthermore, many jurisdictions outside of the EU are implementing similar laws. Enterprise social networks process personal data and are therefore subject to adherence with the law.


But traditional social networks also process personal information, so organizations need to understand what data they are capturing, why they’re capturing it, what they’re going to do with it, and how long they’re going to keep it for.


EU legislation prohibits the transfer of data outside of the EU unless certain measures and controls have been put in place.


The reason for this is that it is assumed that while the data is in Europe, the rights of its citizens will be protected by EU law, but as soon as the data leaves the EU that may no longer be the case as it is outside of its jurisdiction.


For multinational organizations that operate an enterprise social network, it is likely that the data within the network will be transferred cross-border.


Most enterprise social networks include profiles where employees include information about themselves, often including their skills and experience. I’ve also seen examples of networks that are configured to capture data such as date of birth or other personal details such as kids’ names.


Personal data needs extra protection as most data laws or regulations specifically cite how personal data should be handled. In many cases, an organization will engage a third-party vendor to operate an enterprise social network.


The third party is effectively a data processor and even if they are located outside of the EU, it is the organization that engages them that is ultimately responsible for the protection of the data.


Therefore, even if a data breach is the fault of the third party vendor (the data processor) it is the company (the data controller) that bears the responsibility, and it’s the data controller that gets their name in the news and faces the heavy fines.


Third-party software vendors are not always aware of the legal requirements in each country and often offer their services on a take-it-or-leave-it basis.


Any organization purchasing an IT system, such as an enterprise social network, must be clear on how the vendor manages data because in the eyes of the EU and other regulators, claiming that services were offered on a take-it-or-leave-it basis is not an adequate argument.


Before implementing an enterprise social network or embarking on a new social media strategy, a company should complete a data privacy impact assessment. The impact assessment covers things such as:

  • What data is going to be collected?
  • How long is it going to be stored for?
  • Are employee communications going to be monitored?

A privacy impact assessment may take a few days or more to complete, depending on how complex your project or your IT environment is, and may require data protection or legal specialists to complete it properly. As such, it’s important that you are aware of the need to perform a privacy impact assessment.


How you go about this is beyond the scope of this blog; however, if you want to find out more about privacy impact assessments, the UK’s Information Commissioner’s Office has released useful guidance that you may wish to read. Further details can be found at:


The key point is that if there isn’t a good reason for collecting certain information, it will increase the risk of incurring a fine or enforcement notice from the data regulator.


CASE STUDY Risk in action: Raytheon develops a predictive analytics platform

In February 2013, many media outlets reported stories that multinational defense contractor, Raytheon, had developed a big data analytics platform capable of mining huge amounts of social media data.


What’s more, the platform, named Rapid Information Overlay Technology (RIOT), was capable of showing trends in user behaviors and predicting where a person might be in the future and at what time.


The Guardian newspaper got hold of a video demonstration of the software and published it online.


The platform took feeds from the major social networks and used geo-location data embedded in posts and images to plot a user’s movements on a map. This data, plus the timings of the posts, could be plotted on a graph to show the locations where a person spends the most time and at what time they are there.


Clearly, this sort of clever predictive analytics would be of real interest to intelligence and security agencies around the world.


While Raytheon maintained that the platform was a proof-of-concept only and that it had not been sold to anyone, it’s not surprising that this controversial mining and analysis of social media was met with criticism from human rights groups and privacy activist groups. Some even described it as ‘the greatest challenge to civil liberties and digital freedom of our age’.


While most news articles pointed out that the analysis of public information posted online was not illegal and was not a breach of the Data Protection Act, it goes to show that even if your data management strategies aren’t breaking the law, any dubious practices may be met with hostility from activist groups.


Data protection principles

While the laws governing data protection around the world differ, most of the underlying principles are similar and the laws generally seek to protect data about individuals.


To understand how data protection rules apply to your organization it’s useful to gain an understanding of some important definitions:

  • Data subject. The person who is the subject of the data.
  • Data controller. The person who determines the purposes or manner in which any personal data is processed.
  • Data processor. In relation to personal data, the data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.


So, a practical example of this in action would be where an organization (the data controller) intends to store data about their customers (the data subjects) on cloud-based systems that are managed by a third party. In this case, the cloud provider will be the data processor.


Schedule 1 of the UK Data Protection Act (1998) lists a set of eight principles that data controllers must abide by. While this legislation is specific to the United Kingdom, many of the principles are considered best practice for managing and protecting personal data so even if you don’t operate in the United Kingdom, it’s worth considering them anyway.


The eight principles are:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.


2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.


3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


These principles are interesting as they pose a number of challenges to organizations. For example, considering the second principle, if you capture data from your customers for a specific purpose but then decide that you could do something else with that data, you may put yourself in a position whereby you might break the principle.


Another example that causes organizations a challenge is principle 8 because most large corporate networks rely on data being transferred across international territories, for example through the use of a global enterprise social network. In such cases, you may need to implement extra safeguards to ensure that you don’t break the laws of the territories in which you operate.


What is personal data?

When thinking about the data that you plan to capture or analyze, it’s worth considering what personal data you might end up handling. Accessing, analyzing, storing or generally processing personal data in some way will probably mean that you need to implement extra safeguards to ensure that the personal data is handled appropriately and that you have permission to use it.


The exact legal definitions of personal data differ from country to country, but the best way to think about personal data is data that identifies an individual. This can include information such as individuals’ names, their titles, their addresses, their phone numbers, and other information.


Sensitive personal data usually includes information about an individual such as their:

  • race or ethnic origin;
  • political opinions;
  • religious beliefs;
  • physical or mental health;
  • sexual orientation.


Sensitive data needs tighter controls and safeguards around it because the consequences of its exposure will attract the attention of data enforcement bodies, and may also result in direct repercussions to the individuals themselves (for example, racism, abuse etc).


If you plan to process personal data you should perform a privacy impact assessment and may need to seek specialist legal advice to ensure that you adhere to the laws governing data privacy within the territories in which you operate.


The role of the data protection officer

Many organizations appoint, or are required to appoint, a data protection officer (DPO). While the appointment of a data protection officer is not mandatory in all jurisdictions, appointing a data protection officer or assigning their responsibilities to a specific individual is considered best practice.


The data protection officer’s role is to ensure that the organization for which they work complies with all applicable data protection laws and regulations.


Usually, a data protection officer will perform the following roles:

  • They must document the type of data being collected and processed.
  • They will inform or advise both the data controller and data processors of their responsibilities.
  • They are responsible for documentation related to data protection and must record any responses regarding any particular issues or challenges. They will also provide time limits for the deletion of personal data.
  • They monitor any data breaches and respond to requests from the enforcing authorities.
  • They monitor the implementation and application of data management training and policies.

Data protection officers are independent and report directly to management. Their roles should not be conflicted and they are usually appointed for a minimum term, during which they cannot be dismissed unless there are good grounds to do so.


Clearly, data protection officers must be well versed in the principles of data protection and should have a thorough understanding of the relevant regulations and laws and how to apply them.


They will need to understand this at a broad level so as to ensure they can apply the laws and regulations applicable in all of the countries in which their organization operates.


There are qualifications that data protection officers can obtain; one of the most common is the Certified Information Protection Professional (CIPP) from The International Association of Privacy Professionals. There are four types of CIPP certificate:


  • CIPP/US – US private sector.
  • CIPP/C – Canada.
  • CIPP/E – Europe.
  • CIPP/G – US government.


Due to the large amounts of personal data associated with social media, and the fact that social media is an evolving field, it’s worth building a relationship with the data protection officer(s) at your organization.


This will help you to obtain foresight into any potential data protection issues that might affect your social media programme or strategy and ensure that you can address any concerns early, rather than struggle with them retrospectively.


Data management

Data storage and transfer

Data privacy is important not just because of regulatory compliance requirements but because people and organizations expect that their data will be handled appropriately.


An organization faces two challenges when it comes to data privacy. First, it must safeguard the confidentiality, integrity, and availability of the data it holds on its customers, employees or other stakeholders.


Second, it must be able to demonstrate to regulators that it is complying with the rules governing the protection of personal information.


Data protection is not a new concept, but over the past decade, it has become a hot topic in the press and the need to demonstrate compliance with the relevant data protection regulations has had an increased focus around the world.


One of the main issues to have come about in recent years relates to the rise of cloud computing. Historically, when an organization implemented any type of IT system, it would purchase the hardware on which its applications would run and install it somewhere within its premises.


Increasingly, however, as we have all become more connected to the internet, organizations have started to adopt cloud-based models for their infrastructure and software.


In the cloud model, instead of an organization buying the required infrastructure and installing it in their premises, they rent the infrastructure or storage from a cloud provider.


The infrastructure or applications are then accessed over the internet. This is great for organizations as it means their IT hardware is far more scalable, meaning that if an organization needs more space, they simply pay the cloud provider more to get access to more space.


In theory, it also means that they spend less time and money maintaining these services, although, in practice, most CIOs have said that the expected cost savings are low or non-existent.


The problem with cloud services is that applications and data are ‘hosted’ (or stored) on a server, or collection of servers, in a specific physical location. This is a simplistic explanation of cloud computing, but it should suffice in the context of data protection.


If your cloud provider hosts your data in a specific jurisdiction, you will probably need to comply with the data protection legislation within that specific country.


But, because the data will be accessed by people in your organization who are physically sitting in other parts of the world, other data protection legislation comes into play as well.


Essentially, by accessing data from one jurisdiction that is hosted on a server in another jurisdiction, the data being accessed is being transferred cross-territory.


These sorts of international data transfers often cause some of the biggest challenges for organizations who are implementing cloud-based global IT systems. It’s therefore very important to carefully consider where the data will be physically stored and from which jurisdictions the data will be accessed.


There are specific actions you can take to enable inter-territory data transfers, such as the use of so-called ‘Binding Corporate Rules (BCRs)’ or compliance with US–EU Safe Harbor. However, these are outside the scope of this blog and are technical topics in their own right, which usually require specialist legal advice.


The ongoing public debate around data privacy has also led some countries to consider implementing laws that aim to protect their citizens’ data by requiring that it be physically stored on servers situated within that particular country.


In today’s world, where most of us rely on the technology giants who provide access to their services, such as the social networks, the countries that are considering implementing such legislation are trying to stop their citizens’ data from being transferred out or being intercepted by foreign governments.


Russia is one such example of a country that in 2014 announced that it would require personal data about its citizens to be stored within Russia. This is another example of the fast-changing data privacy environment that poses a challenge to organizations and data protection officers.


Data classification

It is good practice to have a data classification framework implemented at your organization. Data classification is important when thinking about social media governance because you need to understand what data you are storing and sharing across your network.


You need to do this to ensure that you don’t break the law (such as through copyright infringement) or share information that should be handled in a different way.


Data classification aims to define and classify any particular data in order to help guide a user on how they can use or transfer that particular piece of data. Typically, most organizations adopt four or five classifications of data. 


The pyramid in the accompanying figure demonstrates that the more confidential the data, the less of it there is. As you go down the pyramid from top to bottom, the amount of control around the data decreases, but the amount of data increases. So, as data becomes more sensitive, control must increase but the amount of data in that classification will decrease.


The data classifications are defined as follows:

Public. Public data is anything in the public domain and can, therefore, be treated as such. It’s important to note, however, that a lot of data that is publicly available may be subject to copyright and you may not be able to copy or store that data on your own systems.


Take, for example, a report from a research organization. You may have a license that permits you to use the report but the copyright may prohibit you from making a copy available on your own system.


Internal. Internal data is, surprise surprise, data that is internal to the company and is therefore not in the public domain.


It should be shared internally only. Typical guidance for internal data is that it should not be shared outside of the company unless an authorized person has approved its use.


An example of an internal document could be one that includes examples of client work, with client names explicitly cited. It would likely be in the company’s interest to keep this out of the public domain as they wouldn’t want their competitors to get hold of such information.


It could also cause offense to the clients themselves if the data was leaked publicly, particularly if a non-disclosure agreement had been signed. 


Confidential. Data in this category is usually company or client data that is not freely available to all employees of the organization and is protected by the organization itself. This could be intellectual property, information about company deals or data from some internal company systems.


Confidential data should never be transmitted or stored on traditional social networks, but an organization may allow the data to be shared on their enterprise social network, provided adequate controls around the data are implemented.


The controls are important to ensure that the confidential data can be shared in the company only among those who are authorized to view it. The next section of this blog, ‘Implementing controls’, delves into the types of controls that can be implemented on an enterprise social network to ensure the security of the data.


Highly confidential. For data classified at this level, it is essential that it is highly protected. Probably only a small amount of data will fit into this category and it will usually relate to data that could move markets or government data where there is a specific requirement or obligation to maintain its confidentiality.


An organization should have specific requirements regarding how highly confidential data should be handled, such as requirements around minimum levels of encryption, how long the data can be held and how it can be transmitted.


I recommend that highly confidential data should never be stored on or transmitted over a traditional social media network, and serious consideration needs to be given as to whether this data will be permitted on an enterprise social network.


Most organizations I have come across do not allow highly confidential data to be stored on enterprise social networks and there is often a specific requirement from the client or organization, whose data it is, which stipulates where the data can and cannot be stored.


Other data that may be classed as highly confidential could be HR data that includes sensitive personal data or the intellectual property or other sensitive data held on behalf of an organization’s client or customers.


Exceptional. Some organizations may not even have an exceptional category as they may not handle data of this type. Data of this type tends to be government protectively marked data (such as Top Secret) or data where a client has specifically stipulated exceptional security requirements.


It’s important to think about data classification, in line with your risk appetite, when considering what you want your employees to share on either traditional social media or your enterprise social network.


By setting clear criteria for defining data you can provide guidance to your employees and help them understand what they can and cannot share. On enterprise social networks you may want to think carefully about what types of data you allow your users to share.


If you decide to allow highly confidential information to be shared, are you confident enough in the security and control over your chosen platform?


Are you confident that you have implemented the right controls within the application to stop unauthorized persons within your own company from accessing that highly confidential information? These are all decisions that will be easier to make when you have set out your criteria for data classification.


Data archiving

While the issue of data archiving is mainly a regulatory and compliance one, it’s important to recognize that it also applies to data on social networks – especially enterprise social networks.


You are probably aware that organizations are required to retain certain pieces of data for some time depending on the type of data and the country in which the company operates.


Many companies choose to retain and archive some of their data even if they are not required to do so by a regulator as it means that the data can be referred to at a later date if needed, for example in a court case.


However, companies should be cautious about archiving all data because there can be separate regulatory requirements around personal data, including requirements about how long that personal data can be stored.


Data on traditional social networks can be a little tricky to archive, but there are tools available that will archive your social media posts for a fee.


For enterprise social media, most of the vendors will be able to advise on their own options to support your archiving requirements and it’s well worth investigating the options available early in order to get the right one for your organization.


In most countries, data subjects and law enforcement authorities have the right to request data about themselves or about a particular individual or entity, respectively. Because of this, you’ll also need to consider how quickly you can get access to your archived data, should you need it, and build this into your strategy.


An online system can be accessed and used in real time and, usually on a periodic basis, data from the online (also known as ‘live’) system will be copied or moved to an offline data store. Accessing the data on the online systems is quick and easy, however, accessing data on offline data stores is usually considerably more time consuming and expensive.


In some ways, social networks sit in between these because they are third-party networks that have their own data archiving procedures.


For example, some networks hold social media posts for only short periods of time before they are deleted, which means that your organization needs to implement an archiving solution to ensure that you can retrieve any conversations from social media should you be required to do so.


Implementing controls

There are two main types of control: policy controls and technical controls. In social media, policy controls are the rules that users or employees must follow.


This also includes the procedures that users should follow, such as the approval process for the creation of a new group within an enterprise social network or the creation of a new account on a traditional social network.


Technical controls are those controls that physically limit an employee from doing something. For example, a policy may say that passwords should be changed every 30 days.


Without a technical control, it is hard to ensure that this policy is adhered to, so a technical control such as a social risk and compliance tool may be implemented and configured to force the user to regularly change their password, in line with the policy.


An accompanying procedure will also dictate how a user should go about allowing others to use a specific account, for example. This section focuses on some of the technical controls that you can implement to control access to your social media accounts or to protect data within an enterprise social network.


Social risk and compliance tools

There is a significant information security risk related to the sharing of login credentials for traditional social media networks. If you’re creating an account on Twitter, for example, you may have 10 people in your communications and marketing teams who all need access to the account in order to make posts on your company’s behalf.


Unfortunately, without a tool to manage the accounts, the users will need to share the login credentials with each other. This presents a number of issues:

  • It increases the risk that the credentials could be intercepted by a malicious attacker if they are sent over email. For example, a user may receive a phishing email containing a bogus link. The user clicks the link and enters their login details. At this point, the attacker would have captured the password and could then change the password for the social media account, meaning that nobody can log in until they have regained access to the account (which could take some time).
  • If an employee who has access to the account leaves the company, you will need to have a process in place to change the login credentials. Again, the credentials will need to be communicated to the whole team.
  • If the account credentials are changed too regularly, users are more likely to start writing the credentials down, such as on a note attached to their computer screen. This obviously increases the risk that someone may spot the credentials and use them for malicious intent.


In the example above, one method of allowing multiple people to use the same account would be to implement a social risk and compliance tool, or a social media management system.


These tools allow users to log into them with their own username and password and, once authenticated, can post content to the company social media account through the tool itself.


This means that only the administrator of the tool would need the login credentials for the corporate social media account. The password would be configured in the tool, so there would be no need for users to log into the corporate social media account directly.


There are other advantages too – many of these tools can be configured with rules around what can be posted. For example, you may decide to include a dictionary of certain words within the tool and set rules around them as to what the tool should allow and what it should stop.


It’s possible to configure these tools to allow certain words, to block others, or to push certain posts through an approval process before being posted. This is clearly an attractive approach for those worried about the risks of social media.


However, if all posts are forced through an approval process, it can have a detrimental impact on the effectiveness of the posts, since social media is inherently a fast-moving environment.


The accompanying figure shows the difference between how employees access a social media account directly and how they would access a social media account when a social risk and compliance tool has been implemented. It illustrates that a social risk and compliance tool is an extra level of protection between your users and your social media account.


Another feature commonly included in social risk and compliance tools is archiving. Earlier in this blog, we covered the importance of archiving. Because all social media interactions take place through a social risk and compliance tool it means that it can easily capture and archive what was posted, to whom and when. By using such a tool you may be able to satisfy your data archiving requirements more easily.
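The rule dictionary and archiving described above can be sketched as follows. This is an added example, not code from any particular social risk and compliance product: the terms, the user names, the `Gateway` class and the hash-chained archive are all assumptions made for illustration.

```python
import hashlib
import json
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample dictionary: term -> action. All terms are hypothetical.
RULES = {
    "guaranteed returns": "block",   # never allowed on the corporate account
    "project falcon": "block",       # constructed internal code name
    "merger": "approval",            # held for a reviewer before posting
    "earnings": "approval",
}
PRECEDENCE = {"block": 2, "approval": 1, "allow": 0}


def normalise(text: str) -> str:
    """Fold case and Unicode compatibility forms, collapse whitespace."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", folded).strip()


def evaluate(text: str, rules: dict = RULES) -> tuple:
    """Return (decision, matched_terms); the strictest matching rule wins."""
    clean = normalise(text)
    decision, matched = "allow", []
    for term, action in rules.items():
        # Whole-word match, so "merger" does not fire inside "submergers".
        pattern = r"(?<!\w)" + re.escape(normalise(term)) + r"(?!\w)"
        if re.search(pattern, clean):
            matched.append(term)
            if PRECEDENCE[action] > PRECEDENCE[decision]:
                decision = action
    return decision, sorted(matched)


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass
class Gateway:
    """Sits between named users and the shared corporate account."""
    authorised_users: set
    archive: list = field(default_factory=list)

    def submit(self, user: str, text: str, when: datetime = None) -> str:
        """Decide on a draft post and archive who submitted what, and when."""
        if user not in self.authorised_users:
            decision, matched = "block", ["<unauthorised user>"]
        else:
            decision, matched = evaluate(text)
        when = when or datetime.now(timezone.utc)
        prev = self.archive[-1]["hash"] if self.archive else "0" * 64
        entry = {"user": user, "time": when.isoformat(), "text": text,
                 "decision": decision, "matched": matched, "prev": prev}
        self.archive.append({**entry, "hash": _digest(entry)})
        return decision

    def verify_archive(self) -> bool:
        """Recompute the hash chain; False if an entry was altered or removed."""
        prev = "0" * 64
        for item in self.archive:
            entry = {k: v for k, v in item.items() if k != "hash"}
            if entry["prev"] != prev or _digest(entry) != item["hash"]:
                return False
            prev = item["hash"]
        return True
```

Rejected and held posts are archived as well as published ones, so the record shows what each named user attempted even though the corporate account password never left the tool.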


CASE STUDY Risk in action: UBS

In 2010 Swiss investment bank UBS implemented Jive, an Enterprise Social Network. In 2012, however, the bank was hit with a rogue trader scandal after one of its employees ran up a $2 billion loss on the bank’s derivatives desk.


The bank’s legal department was worried that they did not have enough control over what their employees could and could not comment on, thus the Jive platform was closed and their global head of online media and IT was quoted as having had to implement ‘millions of controls’ to satisfy legal.


This example shows how important it is to understand the risk management impact that the implementation of an internal social system can have. Engaging stakeholders in risk, compliance and legal early is more likely to yield long-term results than trying to push digital changes through an organization without their support.


Access control within an enterprise social network

Once you have completed a data classification exercise, as detailed earlier in this blog, you can decide what types of data you want to allow in your enterprise social network.


You may want a mix of data, which means that you’ll need different controls and procedures to handle each type of data. Let’s say that you want to allow internal data (presentations, marketing material etc) to be shared openly on your platform. 


Let’s say that you also want to allow your employees to gain the maximum benefit of an enterprise social network and that you are going to encourage them to collaborate in teams on projects that might involve confidential data.


It’s at this point that you need to implement appropriate controls to ensure that only those within the project team are able to view the confidential content. Almost all enterprise social networks allow ‘Groups’ or ‘Spaces’ to be created within them.


These are virtual areas that can be segregated from the wider network. You should define a policy and accompanying procedures for setting up such a project group, including appropriate approval procedures.


Once a group has been created, you should make someone a group owner – it will be their responsibility to manage the users within the group and monitor the content being posted within the group.


By doing this you can get comfort that the group owner will manage the group effectively and that confidential or sensitive data being shared within the group is only visible to those who are valid members of the project.


Of course, the group owner needs to be aware of their responsibilities and should, therefore, be trained on how to manage the group, its members and its content appropriately.


When implementing an enterprise social network it’s also important to note that you can’t rely solely on the controls within the network itself.


It’s important to ensure that outsiders aren’t able to gain access to the platform and that internal users cannot impersonate another user in some way to gain access to their data or the groups which they have access to.