Social Media Policy Overview
The policy is often thought of like the silver bullet when it comes to social media risk management. While this is a simplistic view, the policy is still a very important control that can help you manage social media risk, encourage appropriate behaviors and enable you to achieve your social media and business goals.
The purpose of a social media policy
A social media policy is not a complex legal document that you hope your employees will read and abide by as part of their ongoing employment at your organization. A social media policy should be an easy-to-read document that sets out what you expect of your employees when they use social media. A good social media policy will be read and understood by your employees and will empower them to engage in social media in the manner that you expect.
Hopefully the fact that you need a social media policy doesn’t come as a surprise; however, if your organization is not as forward-thinking as you would like and perhaps doesn’t see the benefits of engaging with social media you may hit resistance from others when you try to write and launch your social media policy.
A defense to this is that most regulators will request copies of your documented policies and procedures if you ever suffer a significant incident related to social media. Therefore, it’s vital that you have documented evidence that shows that you have assessed social media risk appropriately and that you have implemented a suitable policy to manage social media risk.
The first thing I want to cover is the name of your policy. Is calling the document a ‘policy’ going to have your desired effect? Many people think of policies as boring documents they are required to adhere to in order to do something. All over the web, we are required to agree to policies, terms, and conditions when signing up to websites or services.
This has led many to ignore the policies altogether. So, you may wish to title the document ‘Social media guidelines’ or even a ‘Social media playbook’ to avoid having your employees think it’s just another one of those boring documents which they need to accept and which they don’t bother reading.
There’s nothing that requires you to name the document a policy; likewise, there aren’t any requirements that dictate what your policy should contain. For consistency, I’m going to refer to the document as a policy throughout the rest of this blog, and indeed this blog!
I’m often asked if I can provide a generic, or template social media policy, which an organization can simply adopt without change. Unfortunately, it’s not quite that simple and this misses the point of the document. The policy should be aligned to your own business goals and the goals of your social media programme, taking into account any applicable laws or regulations in force in your country or industry.
The policy should describe your own operating model and the rules and procedures that you have implemented to support your goals. Taking a generic social media policy from the internet or copying an existing one from another organization will not address the points that matter to you. It won’t encourage the right behaviors or align to your own culture and may just confuse your employees.
Language is powerful, so the language that you use in your policy should be appropriate for your objectives and the culture of your organization. Some organizations choose to use very legal-sounding language that would be more familiar in a contract, but is this really necessary in a social media policy? Having overly formal language around the rules of how employees engage on a predominantly informal platform such as social media is likely to confuse employees and encourage behaviors that don’t match your goals.
Consider which of the following two pieces of text is easiest to understand and delivers the point best:
1. Breaches, or suspected breaches, of any confidential information, as defined in information security policy section four paragraph two should be reported immediately to your line manager and failure to do so may lead to disciplinary action against you, including dismissal or, in some cases, criminal proceedings.
2. Share with care: some things need to be protected and you should never post confidential information on social media. If you are unsure if something is confidential or not, read the information security policy for more guidance [include a link so employees can easily access the policy].
It can be tempting to use overly formal language in policy documents but if you can say something in fewer words while keeping the same meaning, you should do so. Avoiding legal-sounding language and long sentences will make it far easier for your employees to understand the rules. Remember, the existence of a long policy with intricate and precise details won’t protect your company. Instead, how your employees interpret and abide by the rules in the policy will protect your company.
You obviously want people to read and understand your social media policy, so you should try to keep it short and succinct. As soon as a user sees that a document is pages and pages long, they might just skip reading it altogether. Keep your policy to only a few pages and instead of including detailed information within the policy itself, refer to, and include links to, other company policies.
Your social media policy should link well with other policies such as your code of conduct, IT security policies and other HR policies. For example, in your policy, you might ask your employees to act in a professional manner when they use social media. This point might benefit from a link to your code of conduct, where the reader can find out more about what it means to act in a professional manner.
Creating an effective social media policy
Structure of the policy
Your policy should not be a long document that gives detailed guidance on every possible social media scenario which you can think of. If you compare the social media policies from different organizations you’ll notice that the language, structure, and rules are different in each and there is no standard format accepted by all. That said, in my view the key sections to include are:
Introduction. This section should define the audience and set the scene for the content within the rest of the policy. Bear in mind that you may have people within your organization who are totally new to social media, so including definitions of key terms will help their understanding. Include the objective of your social media programme early on so that your employees know the purpose of their engagement in social media.
Main content. Paragraphs of text, each with their own heading, which set out what you expect of the employees when they use social media, are a good way of setting out and breaking up the main content of your policy. Pictures are also a good way to bring your content to life; for example, including screenshots of ideal social media profiles or good and bad social media posts.
Do’s and don’ts. Including a list of do’s and don’ts, usually, side by side will help to emphasize any key points you feel deserve particular attention.
Frequently asked questions (FAQs). A list of frequently asked questions will allow your employees to quickly skim through the policy to find the answers to any, particularly common problems.
Top and tail of the policy
Policy documents change over time, particularly those that refer to social media. Because of this, it’s best practice to include a change history at the start of all policy documents. The policy should be dated and include details about who is responsible for maintaining the policy as well as details of who approved it and when it came into force. The change history should show a table that includes high-level details and comments when changes were made when those changes were made and who approved them.
Regardless of how long you spend writing your policy, there will always be some people who have specific questions about what they can or cannot do on social media. Because of this, you should include contact details at the bottom of the policy to allow your employees to seek further guidance should they need it.
The content of the social media policy
The actual content that makes up a social media policy is hotly debated. The stories range from those companies which have adopted policies consisting of only four words, ‘Don’t Do Stupid Stuff’, to those who have issued 100-page documents. In my view, the key points a good social media policy should cover are as follows:
1. What to post (and what not to post). This is your opportunity to encourage your employees to share positive information and news about your company. By providing clear guidelines on what is acceptable and what is not, you’ll help your employees, and especially those who are new to social media, to engage effectively. A good way of articulating this would be to ask them to always protect your organization, backed up with references to your code of conduct.
2. Confidential or sensitive information. You should draw attention to the fact that employees should never post any confidential or sensitive information on social media. This will help protect you from any unfortunate data breaches or breaches to contractual terms.
3. Profile information. What should employees include in their profile? Will you allow them to identify themselves as employees of your organization? Will you require them to include a disclaimer, for example, to state that views and opinions expressed are their own and not those of their organization? You should also remind your employees that they should review the privacy settings for all of their social media accounts. The default settings are often changed by the social networks themselves so it’s worth reminding them to review and update them.
4. Interpersonal etiquette. Some people see social media as a ‘wild west’ where anything goes. You need to set out how you expect your employees to interact with other social media users. This can include not criticizing others, not engaging in ‘trolling’ (deliberately starting arguments or offending others on the internet), respecting others’ opinions and so on.
5. Sharing content. Highlight that you want to encourage your employees to share content about your organization, for example by retweeting the company tweets. What other content do you want them to share? For example, do you want your people to share interesting news or reports from your competitors?
6. Think before you post. You need to remind your employees that once they have posted something on social media or the internet, it can be extremely difficult, or in some cases almost impossible, to remove it if they change their mind later. Your policy should tell employees to think about the consequences of every post and consider whether it could be misunderstood or misinterpreted by other social media users.
There have been many examples in the past where a social media user has intended to send a private message to someone but accidentally posted it publicly. You need to make them aware of this to ensure that they think before they post. In 2014, this mistake was even made by one of the top executives of Twitter, which goes to show how easy it is to make this mistake!
7. Personal responsibility. Your policy should set out the fact that it’s the employees’ own responsibility to use social media well. You should encourage them to be themselves and use their own voice and style but remind them that what they post is their responsibility.
8. Add value. Encourage your employees to use social media effectively. Your policy should include examples of best practice so that your employees know how to use social media well and appropriately.
For example, you should discourage them from simply posting hundreds of links to websites that they like, with little or no qualifying text. This adds no value and will, at best, be ignored by other social media users. At worst, it’ll be seen as spam (posting irrelevant messages indiscriminately).
9. Don’t be deceptive. Have you noticed that your friends always look great in the photos that they post on social media? The reason for this is that most people won’t post unflattering photos of themselves online and will ‘un-tag’ themselves from unflattering photos uploaded by their friends. I’m not suggesting that this should change (I’d face a personal backlash from many of my friends if I did!).
However, it’s important to tell your employees that it’s not acceptable to try to deceive other internet users. You need to be transparent and trustworthy. Acknowledging and responding to negative feedback can actually work in your favor as it shows you’re listening and want to improve. Therefore, you should not allow your employees to post fake information about your products or services online and nor should you allow them to delete comments or reviews they dislike.
10. Personal vs work. You need to set out boundaries in your policies so that your employees understand when they are posting in a personal capacity and when they are posting, or might be perceived to be posting, in a work capacity. For example, if your employees post a mix of official content about your organization as well as controversial posts about politics or their personal views, these associations might harm your brand.
Furthermore, you should set out some basic guidelines about the use of your company brand. Your employees may be proud to work at your company and may want to include your logo on their page, or even to design their whole profile in your corporate colors and branding. Would you allow this? If so, you need to set out the conditions, and if not, explain what your brand restrictions are.
It can be helpful to include examples within your policy in order to bring to life the rules within it and ensure that your employees understand the reasoning behind the rules. Case studies and ‘do’s and don’ts’ are also a good way of painting a picture to the reader to illustrate what you expect from them and what you won’t tolerate.
Sometimes your employees will want to refer back to your policy during their day-to-day work. The employee might face a particular challenge and want guidance on what they’re allowed to do in social media so you should include a Frequently Asked Questions section at the end to cover any common points your employees may struggle with.
Examples of frequently asked questions might be ‘Can I connect with competitors in social media?’, ‘A competitor recently released a report which is gaining a lot of attention. Can I refer to their report on social media?’ or ‘Can I set up a dedicated social media account for my team?’ The answers that you choose for these questions will depend on your social media strategy as well as your overall business objectives.
The writing style and content
Is your policy written in a way that is easy to follow and which does not include overly legal-sounding words and phrases?
References to other policies
Have you included references (and ideally links) within your social media policy to your other policies, such as your IT security policy or HR policies?
Frequently asked questions
Have you included a list of frequently asked questions?
Have you included practical examples of where social media has been used well and badly?
Have you pointed out the reasons that something is considered a good use of social media vs a bad use of social media?
Format and accessibility
Is your social media policy easy to find, and is it in a format which is easily accessible?
Change history and further queries
Have you included a change history, details about who is responsible for the policy, and whom to contact if someone needs extra guidance?
Location and format of your policies
You should consider how your employees will read or find out about your social media policy, where they will be when they are reading it and what they will be using to read it. Having a hard copy of a policy somewhere in the office, pinned to a notice board is unlikely to be an effective place for it.
Consider making your social media policy as accessible as possible by making it available in a number of different formats, such as a PDF, a web page, or even a video to really bring the content to life. You could also use posters to make sure that it’s easy to engage with. If you have an enterprise social network, I strongly advise that you ensure that your policy can be accessed easily regardless of which page a user is looking at. You could do this by including a link to it in the footer at the bottom of every page.
Most enterprise social networks can be configured to force users to read and accept your social media policy the first time they log into the network. It’s also possible to force existing users to reconfirm that they have read the policy. Therefore, if you make some significant changes to your policy, it’s worth making them reconfirm their agreement with the policy when they next log in.
The issue of data privacy has become a hotly debated topic. In 2013, Edward Snowden, an IT consultant, leaked classified information from the US National Security Agency (NSA). The documents he leaked suggested that both the NSA and the UK’s General Communications Headquarters (GCHQ) had developed a global surveillance programme. This led to a great number of stories in the media and helped to further fuel the public debate about privacy.
Also, in 2013 the EU’s Court of Justice made a landmark ruling against Google Spain, which was brought by Mario Costeja González. Mr. González had demanded that Google remove links from its search results relating to his past social security debts, which had since been cleared.
The ruling has come to be commonly known as the ‘right to be forgotten’ and demonstrates how important the issue of data privacy has become. Both public and private sector organizations are going to come under more and more pressure to be transparent about the data that they are collecting and what they are doing with it. Privacy policies are one of the things that organizations can use to explain how they use user data and in turn be more transparent about their activities.
This transparency will allow you to build trust with your user and this knowledge will give the user the choice to use your system or not. However, don’t get worried that it will deter users because a well-written policy will give confidence that you are handling their data appropriately and with their consent.
For example, it’s very common for website operators to use tools to track how a user got to their website (ie which link the user clicked in order to arrive at your website). You might have noticed this type of thing yourself when the adverts you see on websites mysteriously show products that you have recently been researching.
What information you are collecting?
Why are you collecting it?
What are the implications for the user?
Would the user object to you using their information in this way?
The short version of the policy should set out the key points that you think will be of most interest to your users and the longer version should explain the key points from the short version in more detail. For example, one of the points in your short version of the policy might be that you will take great care to protect any information that users provide and that you won’t share any of this information without their permission. The longer version should go into detail, explaining what data you capture, how you protect it, and in which circumstances you might share their information with a third party.
Who has access to the information in your enterprise social network? Just your organization, or the group of companies that your organization belongs to? If you allow external people, clients or vendors to use your enterprise social network, what information can they see about your users?
How long will you retain the data in your enterprise social network? Is the data backed up and, if so, how often is it backed up? Where are the backups stored and who has access to them?
What happens if an employee leaves your organization? What will happen to their profile and the data within it? What about the comments or discussions they had posted? You’ll probably want to keep the comments, discussions or other work-related data that they posted, so you should include these intentions within your policy.
Do you track logins to your enterprise social network or the pages that your users have viewed? A common and valid reason to do this is to personalize the user experience in some way, such as by showing search results tailored to them, based on their previous searches. If you do capture this type of data, you should explain what you capture and why.
What have you done to ensure the security of the network and to guard against any data breaches? Have you gained accreditation or performed security testing? If so, these are valid things to note to give your users confidence that you are securing their data.
If you are a global organization and your enterprise social network is used by your people around the world this will mean that the users’ personal data may be viewed in foreign countries. If this is the case, details should be included in your policy.
Does your enterprise social network capture location data? If so, it might be possible for you to track a user’s movements. Whether you do track their movements or not, you should let the user know if you are capturing this data and explain what you are doing with it (even if you do nothing) and why.
The information that users include in their profiles will be visible to other users. Can the user change their privacy settings and, if so, how do they do this? It’s likely that if a user includes details about their skills and expertise within their profile, another user might contact them to ask for their advice. So that this doesn’t come as a surprise, you should include this as an example of how their personal information might be accessed and used.
In addition to the questions above, you should also point out to your users that they are responsible for the personal information they choose to share:
You should not encourage your users to share sensitive personal information on your enterprise social network, ‘What is personal data?’
You should push the responsibility for maintaining personal data onto the user and include instructions for the user to follow if they want to delete their account.
Training and awareness
Many organizations require their employees to complete some form of training on an annual basis. This could be because of a requirement from a regulator for compliance purposes or because the organization has identified a particular risk area and needs to ensure their employees are trained accordingly.
Because of how quickly social media develops, I believe social media should be included in the mandatory annual training. This is an excellent way of ensuring that your employees know about any major changes to your policies and procedures, and also gives you an opportunity to rearticulate the objectives of your social media programme. If the annual training process is well managed, you’ll also be able to track who has, and who hasn’t received training so that you can catch any teams that might have slipped through the net.
An effective and popular way of rolling out training is through the use of eLearning. ELearn is electronic self-service courses that employees can access and complete at a time convenient to them. Good eLearning usually incorporate text, exercises, pictures, diagrams, and videos. Some people find visual aids more engaging while others are happier reading text and answering questions.
By getting a good mix of content into the eLearn you’ll be more likely to engage all of your employees. There are, however, two downsides to eLearn. First, it requires your employees to complete the training on a computer, something that might not necessarily be an easy task for all of your staff. Second, the cost of developing an eLearn can be quite high.
While you will need to justify the time taken to deliver training, the cost of using advocates may be significantly less than developing an eLearn. Of course, this will depend on the size of your organization and the resource that you have at your disposal. Your advocate group should be trained up so that they can deliver your social media training updates and push the key messages out among their peers and teams.
Your social media training should familiarize your employees with your social media policy and provide practical examples of how they can use social media while remaining compliant with your policy. You should highlight examples of good and bad practice, preferably from your industry sector. Quizzes and discussions are also effective; for example, you might include some examples of tweets and ask them to debate which tweet will have the best effect.
CASE STUDY Risk in action: US Airways tweets pornographic image to the customer
In April 2014, US Airways made quite a spectacular mistake on Twitter. In response to a tweet from a passenger who was complaining about a delayed flight, US Airways tweeted back ‘We welcome feedback, Elle. If your travel is complete, you can detail it here for review and follow-up…’ They then included a link which was supposed to go to a form where the user could submit a complaint. Fairly harmless, you would think. However, the link that they included was actually an explicit photo of a naked woman with a toy plane somewhere… that you probably wouldn’t expect it…
It shouldn’t come as a surprise that the tweet was retweeted many times before it was deleted about an hour later and was reported in media channels across the world. US Airways then tweeted an apology for the inappropriate image and said that they were investigating.
The image had apparently been tweeted to the US Airways Twitter account earlier and the person responsible for the account had accidentally included it in the tweet. US Airways said that they would not fire the person who sent the tweet as it was an honest mistake; however, it was reviewing its processes to stop this sort of thing happening again.
When commencing a social media programme, an important part of the project is an awareness campaign. The purpose of the campaign is to tell your employees about your social media programme, to raise awareness about what you expect of them and to familiarize them with the policy.
I recommend that you include some of the following ideas in your campaign in order to drive awareness:
Posters. Put them everywhere you can! Eye-catching, colorful posters with bold headings can be a great way of getting your employees’ attention. Include key messages and perhaps even a question for them to consider. A drop-in session is an opportunity for people to ‘drop in’ to get one-to-one help on any particular social media issue they might have. They’re like training sessions, but are usually less formal and might take place over lunch.
I’ve personally found that offering free doughnuts at these sessions is a very effective way of enticing people to attend! The sessions could easily be run by your advocates, which would be a good way for them to raise their profiles and won’t require much time from your core team.
Internal communications. Most organizations have company-wide internal communications which include key information or news. Write a selection of texts, each with catchy titles, about the launch of your social media programme or your updated policy and feed these into the company-wide internal communications each week. Be on the look-out for real success stories from around your organization which you can showcase.
Webcasts. Webcasts are becoming commonplace. A webcast is a presentation that takes place virtually and means that people from across your organization, regardless of where they are physically situated, can join the webcast and participate in the presentation.
Advocates. Contact your advocate community and make sure that they are all aware of the changes to your policy. Reinvigorate them and encourage them to push out the key messages to their own teams.
The awareness campaign is important because, without it, you run the risk of your social media policy being just another one of those documents people cast their eyes over once or twice as part of their annual training. The ideas above can have a big impact, but I recommend you and your team explore other creative ways to push out your key messages in the most effective way for your organization.
Finally, we looked at techniques for driving awareness about your policies throughout your organization, such as communications campaigns and training. Strategy, we also looked at how advocates can encourage positive behaviors. This is something that is particularly relevant when thinking about how to push out the key messages from your social media policy.
Unfortunately, no matter how much work goes into managing the risks of social media, at some point in time an incident is likely to occur. In the next blog, we’ll look at crisis management and cover what you can do to plan for and manage incidents.
Crisis management Overview
A key element of effective social media governance and risk management is crisis management. Crises can hit any organization with little or no warning and can have devastating effects. In today’s world, rumors and news spread at incredible speeds over social media, which can make an incident escalate faster than ever.
In the past, perhaps only large international incidents would hit the mainstream news; however, with so many people using social media around the world, an incident doesn’t need to hit the mainstream news for it to get the attention of thousands of your customers.
In this blog, we’ll look at how crises develop, how you can assess a crisis when it happens and how to implement a strategy to manage the crisis effectively. We’ll also look at how human behavior changes when faced with stressful situations and consider how well-laid plans and a well-executed crisis response strategy can help an organization avoid disaster.
Planning and preparation
What is a crisis?
A crisis is an incident that has a high impact and has either already occurred or has a high likelihood of occurring. An organization may experience a high number of incidents in its normal course of business, such as making a social media post and including a link that doesn’t work. A crisis, on the other hand, is an incident that has a much higher impact on the business.
To continue the example above, an erroneous link embedded in a post would cause only minor annoyance to social media users; however, if an offensive image had accidentally been included in the post it would have a much higher impact on the company and is more likely to go viral, resulting in the company’s reputation being damaged by a large backlash from social users.
The risk matrix shows the relationship between the impact of a risk and the likelihood of it occurring. A crisis will be any event classed as ‘extreme’ in the risk matrix.
There can be a fine line separating an incident from a crisis. All crises will begin as incidents but not all incidents will spiral into full-blown crises. To assess a crisis you need to consider what the impact could be of an incident occurring to understand what might happen. Some examples of incidents that could turn into crises are as follows:
Hacked social media account. This will almost certainly be classed as a crisis because, during the time that you lack control of your account, the hacker could post a huge amount of negative material that could quickly attract the attention of the global media.
Inappropriate social media post. Many companies have experienced incidents where someone accidentally posts something inappropriate on social media. A good example of this was when a tweet was posted from the American Red Cross account which said ‘Ryan found two more 4 bottle packs of Dogfish Head’s Midas Touch beer…. When we drink we do it right #gettingslizzard’.
While this is an embarrassing mistake for someone to make (likely mixing up their personal and work accounts) and attracted a lot of attention across the internet, it could have been a lot worse. On the other hand, if the post had included more offensive language or imagery, and if it had stayed up for a long period of time, it would be more likely to escalate into a crisis.
The website goes offline. If your website goes offline unexpectedly in the middle of the night for a few minutes it might not have a big impact on your company; however, if you’re a multinational online retailer, any downtime could cause a real crisis, harm your reputation and negatively impact both revenue and investor confidence.
Data Breach. Data breaches would normally constitute a crisis; however, if an attacker had only managed to access your internal data you might be able to avert a wide-scale crisis. If, on the other hand, a hacker had gained access to the personal data of your customers or employees it could be considerably more serious, have a harmful impact on your reputation and attract fines from regulators.
In the above examples, it’s clear that not all incidents will have the same impact. Likewise, what one organization sees as a crisis another might see as just another day in the office. Some organizations are targeted regularly by activist groups or hackers and have become used to dealing with a wide range of incidents.
Human response to a crisis
It can be tempting for someone who is experiencing a crisis to act differently to how they would ordinarily. In the course of their normal work, they will follow policies and procedures diligently, for example by seeking approval for new content posts and documenting their actions as they go. However, in a stressful situation, these tasks can appear menial when compared with the crisis that the person is experiencing.
This can make them change their behavior by not following required processes and procedures. The person may feel that they’re doing the right thing and are prioritizing effectively. However, these actions can actually make a bad situation worse.
Picture this hypothetical scenario: a number of abusive images and offensive content are accidentally posted on the company’s social media account. Not realizing what had just happened, the social media team goes out for a pre-planned team lunch to a pub down the street. The pub has very poor mobile phone reception and no wifi. An hour into their lunch, a colleague runs into the pub and explains what has happened. Tensions heighten almost instantly.
Questions start popping into everyone’s head: ‘what do we do next?’, ‘how could this have happened?’, ‘what has the response been from other social media users?’, ‘who’s to blame for this?’ or ‘Oh no, this might be my fault, who can I try to blame?’. The team hurry back to the office and start trying to rectify the situation.
They’re receiving lots of posts every second and they try to respond to as many as possible. Normally, all content and replies need to be reviewed by the team leader before they can be posted, but due to the heightened stress levels, members of the team started making more posts, defending themselves and claiming that it wasn’t their fault. This annoyed other social media users and made the crisis worsen – it was then picked up by mainstream media and reported on the TV and main news websites.
We can relate to the team because there will be times when even the most laidback people have experienced stressful situations. However, if appropriate technical controls had existed and a crisis response plan initiated it would have helped to manage the crisis and avert an escalation.
It can feel counterintuitive to assess the options and plan the next steps when faced with a crisis because many people will want to act. Even after controls have been implemented, the teams that will have to deal with crises should be given appropriate training. Training is important to ensure that the team are familiar with crisis situations and know how they should act. Crisis simulations are an effective and fun way to test a team’s response to any given crisis and can help improve your crisis response strategy. Crisis simulation is covered later in this blog.
Avoiding a crisis
The best way to deal with a crisis is to avoid it in the first place. An effective risk management function and a risk-aware culture will go a long way to safeguarding your company from unfortunate incidents. You should spend time thinking about where the risks are to your business and what you can do to manage them.
For example, if you have engaged a third party to manage your enterprise social network, you are exposed to a risk that the third party may experience issues that have a knock-on effect to your company. If the third party’s IT network goes down, it may take your enterprise social network down with it. A common way to guard against this is by completing a due diligence exercise where you assess any third parties that you work with to gain confidence that they have appropriate processes and procedures in place to avoid any impact to your own business.
Your procurement team should already have due diligence processes in place, but if you’re purchasing an enterprise social network or a social media management tool, you should complete your own additional due diligence to ensure the tool meets your needs. Purchasing a social media tool without appropriate due diligence is risky because you are at the mercy of the supplier to provide the tools. Things you should consider are:
Security testing. Have the provider’s infrastructure and applications been independently security tested? Has the provider achieved appropriate accreditation that shows that they have assessed security risks and implemented mitigating controls? Can you comfortably rely on the security offered by your provider and does it meet your own requirements?
Availability. You should ensure that the provider has agreed to an acceptable level of availability of the tools or applications you are purchasing. When is it acceptable for the application to be unavailable? How quickly will the provider respond to unexpected downtime (when the application is unavailable)? At what times and on which days will maintenance be carried out?
The systems should have an appropriate level of redundancy, for example, to avoid downtime from unexpected events such as power cuts. To do this, ‘uninterruptible power supplies’ can be used, which will provide power for a short period of time while the main building power is off. Support. What support arrangements will be in place?
How quickly will the provider commit to responding to any support requests and how long will they take to resolve? Data protection. Is the provider aware of their responsibilities with regard to data protection law? Has the provider implemented controls to safeguard personal data? Where will the data be hosted/stored geographically? Will the data be transferred and, if so, have controls been implemented for this to happen legally?
Archiving. What data is archived? What is the process and schedule for archiving data? When will data be deleted?
Backups. How quickly can the provider access backups, should they need to? Will backups be stored on-premise or off-site? (If the building burns down and the backups are in the building, it’s not likely you’ll get access to them…) Who has access to the backups? How are the backups secured?
A problem with one of the challenges listed above is something that could lead you into a crisis, which is why oversight of these is vital. However, for all the planning and preparation that you do, nobody has a crystal ball and it’s impossible to guarantee that you won’t face a crisis at some point in the future. Therefore it’s important to put plans in place to deal with a variety of incidents quickly and effectively to stop them from becoming a crisis.
CASE STUDY Risk in action: Twitter Q&As backfire, attracting a barrage of public criticism
Twitter Question and Answer (Q&A) sessions, or ‘ask me anything’ events, can be a really effective way for organizations to connect with their customers. They give customers an opportunity to pose questions to a company’s senior leadership and, when executed successfully, can increase customer engagement and improve a business’s reputation. Unfortunately, however, there have been a number of examples of companies that have started a Q&A only to be faced with a barrage of public criticism.
One such example is UK gas company British Gas, which organized a Twitter Q&A in October 2013 and invited Twitter users to ask questions to British Gas Customer Service Director Bert Pijls, using the hashtag #AskBG. Unfortunately for British Gas, they decided to run their Q&A session on the same day that they announced a 10.4 percent increase in electricity prices. The session immediately started trending on Twitter as users joined in to voice their grievances over the increase in prices and the impact that it would have on their families. One user asked:
@britishgas is it true your top shareholders heat their homes by burning loads of £100 notes they have from excessive profits?
Another Twitter Q&A event which caused a stir on social media around the same time was planned by US bank JP Morgan. In this case, however, the bank received such a barrage of negative tweets before the event even began that they canceled it. Even after the Q&A had been canceled, messages continued to be posted with some highlighting how JP Morgan had failed to embrace social media as an effective PR tool. At the time, JP Morgan was facing a record fine of $13billion for misselling bad mortgage debts to investors prior to the 2008 financial crash. One user posted:
#AskJPM is the greatest social media fiasco ever contrived. A lesson in being completely self-unaware of public perception.
According to Topsy, a company that analyses tweets, at least two-thirds of the 80,000 tweets sent using the AskJP hashtag were negative. After a few hours the bank reversed its decision to hold a Q&A session online and posted:
‘Tomorrow’s Q&A is cancelled. Bad Idea. Back to the drawing board.’
The key takeaway from both of these examples is around the timing of the Q&A sessions. It’s hardly surprising that, at a time when both companies were already receiving negative press, users took to social media to publicly complain about them. Social media analytics could have been used to show overall sentiment over the brands and could have fed into their decision to run the Q&A, or not.
Assessing an incident
The crisis lifecycle
Crises are unexpected, can happen at any time, and are inevitable. Because of this, organizations not only need plans in place to deal with them but to assess them after the dust has settled. Performing an analysis of how the organization responded to a crisis will help make existing crisis management procedures more effective and will help prevent future crises.
Preparation. As the saying goes, ‘if you fail to plan, you are planning to fail’. Smaller businesses may be able to cope with a crisis with minimal planning because it’s quicker and easier to get all key stakeholders in a room to discuss next steps and response. A large organization, on the other hand, needs to plan in advance because when more people are involved, it is more difficult to respond to a crisis.
Assessment and analysis. When an incident occurs, you need to perform some analysis in order to assess how the incident might impact the organization. Clearly defined plans as to how to manage different severities of crisis will enable an organization to take the right actions at the right time. A thorough analysis of a crisis will also allow an organization to estimate how a crisis might escalate, allowing it to ready its response, should the crisis indeed escalate.
Response. Responding to a crisis should be well executed, with key tasks completed at the right times by the right people. An effective response will stop a crisis from escalating and will give the organization control over it.
Prevention. Once a crisis has been dealt with, it’s important to assess how the organization reacted, when plans worked well and when they failed. By doing this, the organization will have a better chance of managing future crises effectively.
Assessing crisis severity
There are five classifications of crisis severity. A crisis can start at any severity level and move in either direction, becoming less or more severe based on how the crisis develops. Assessing a crisis is subjective, In turn, this will dictate how you respond to the crisis. As a crisis moves from level 1 through to level 5, the intensity of the crisis increases and the impact on the business as a whole gets more serious.
The five levels of crisis severity are as follows:
Level 1 – Limited. At this stage, the impact to the business will be confined to specific teams or projects and will not have a wider impact on the continuity of the business. Only a small group of people within the company will be affected and, while it will cause some disruption to the business, it will not be a public event which impacts external stakeholders.
Level 2 – Moderate. At level 2, the impact of the crisis starts to go beyond a specific team or project and begins to have an impact on the business’s overall goals, albeit only in the short term. A larger group of people inside the company will be affected with an impact on some systems and processes. This will lead to a minor financial impact on the business.
Level 3 – Significant. At this stage, significant control will be lost in key systems and processes, which will impact the business’s medium-term goals and pose a higher threat to its financial performance. A significant crisis may involve minor injuries to people inside or outside the business and may attract attention from large groups of people and the media.
Level 4 – Severe. A severe crisis will bring into question the business’s long-term continuity. Major financial impacts are likely and damage experienced during the crisis may be irreparable. People may experience serious injuries or even fatalities.
This will result in news outlets picking up the story, which will further increase the scrutiny over the business.
Level 5 – Extreme. At this stage, the organization is stressed to the max. Failure or collapse of the business looks imminent and the knock-on effect could impact other companies. The story will be reported in mainstream media and attract widespread negativity. Loss of control in key systems will be sustained, which will further hamper efforts to rectify the situation. Multiple injuries or fatalities may occur. The business, or its leadership, will face regulatory scrutiny and may even face criminal proceedings.
Reporting a crisis
A useful way of capturing key information during a crisis is to use a crisis report template. Crisis reports should be used to describe what has happened, when it happened and outline the key tasks that need to be completed. A crisis report should be sent out to all the key stakeholders during a crisis and will allow everyone to work together towards a common goal.
Some crises may last many hours or even days, so new crisis reports should be issued regularly to provide official updates about the progress and to highlight the tasks each team is working on. Including a status against the key tasks will make it easier to see where extra resource or attention might be needed and it will help to identify areas of higher risk. Using a crisis report template also cuts down on rumors that may start to work their way through the organization because it is a standard and official report distributed internally.
Implementing a crisis response strategy
Your crisis response strategy should be documented and distributed to all key stakeholders who might be involved when a crisis hits, such as a department or team leaders, communications, senior management, legal and so on. The first step in a crisis response strategy is to include details about how a crisis can be assessed to determine its severity. The severity level will dictate the tasks that you will need to do and when they should be completed.
To establish a crisis response strategy I recommend that key stakeholders hold workshops in order to debate what content should go into the strategy. Checklists are a helpful way of ensuring that key tasks are completed and are not forgotten. Your strategy should also include an appendix of useful documents, such as the crisis report template and crisis severity definitions.
Hold stakeholder meeting to reflect on how the organization managed the crisis
You should also take into account geography when considering how to respond to a crisis. If you’re a global company, you might be hit with a severe crisis in only one of the countries you operate in. Your crisis response strategy should take into account the fact that people within that country will want regular updates on your response. People on the other side of the world, however, might want to know what you’re doing, but won’t require or want to know each and every detail as it unfolds.
Social media is an excellent tool to do this effectively because you can target which users will see your posts. If you have a main corporate social media account as well as individual native-language accounts within the various countries, the local accounts should provide far more information than the main corporate account.
This gives social media users the option to follow your local accounts if they want extra information, but if they don’t, they can still get intermittent updates from your main account. Of course, when implementing a global crisis response strategy you’ll also need to consider time zones and language. That way there’s less chance that you’ll wake up a colleague on the other side of the world just to give them an update that there is no change in the situation.
Any crisis will require you to communicate with outside stakeholders such as media organizations, your customers or the public, and it’s likely that shortly after the crisis begins your organization will be contacted for comment. You should preempt these requests by creating template holding statements or press releases that can be quickly and easily adapted to include all relevant information. The statement should be published wherever it will gain maximum exposure.
To do this, a defined list of approved communications channels should be included in your strategy detailing how to go about publishing the information. For example, if a press release will be published on your website, the document should include details about who it should be sent to and any other relevant details, such as information about the typical amount of time that it would take to publish. For social media channels, a list of the key individuals who look after your official accounts and their contact details will make it easier for the person issuing the statement to get it pushed out.
It’s also a good idea to keep an up-to-date list of journalists or news outlets that your company has a relationship with and to include details about how to obtain this information within the strategy. Contacting news outlets and journalists directly with updates about your response to a crisis will be a quick way of getting information out to the public.
Roles, responsibilities, and logistics
It’s important to have roles and responsibilities clearly defined within your crisis response strategy so that there can be no ambiguity as to who is responsible for what. Any uncertainty could delay your response and result in a crisis being escalated unnecessarily while your people scramble to work out who should do what.
You should maintain a list of approved company spokespeople who are authorized to make comment to the media about the crisis. These people should be identified within your strategy and should have received appropriate training to ensure that they are capable of dealing with the media. Your strategy should also make it clear that only those people who are approved company spokespeople are allowed to make any comments to the media about an ongoing crisis.
It’s also worth considering the mechanics of how you will operate during a crisis. For example, which room will you use to coordinate your response and where will it be located? Getting as many of the key people as possible in the same room will make decision making much quicker and will allow everyone to keep up-to-date on any developments.
You might want to include social media feeds and a news channel on a big screen. In some cases, you might need to set up a dedicated telephone line that customers or members of the public can phone if they need assistance or further information. All of this logistical information should be included within your strategy, as well as a list of key contacts who can assist with setting up telephone lines, access to the internet and so on.
Responding to a crisis
Having assessed the severity of a crisis, documented the cause and communicated it to your key stakeholders, you can move on to actually responding. Your crisis response strategy will be invaluable here and it’s important to refer back to your well-laid plans before charging ahead. The cause of the crisis, the current political environment, your business strategy, and other events will all have an impact on how you respond and what tasks you will build into your response.
One of the first things that you should do to respond to a crisis is to assess your options. What was the cause of the crisis? Is there something that you can do to easily rectify the situation? Not everything can be addressed quickly and easily, but if it can what will you do next to communicate your response internally and externally?
For example, if the cause of the crisis was a bad choice of advertising that ended up offending huge groups of people, you will have a few options. You could attempt to remove the offending advertising, or you could try to justify it. Justifying it might be dangerous because saying that ‘it’s not my fault’ can cause more anger and escalate the crisis.
If you want to remove the advertising, you’ll need to plan how to do this. If it’s online advertising, what channels is it on? Who are the people that you need to contact to get it removed? If it’s printed advertising, you’ll need to consider a communications strategy to apologize and explain. Once the advertising is removed, how will you engage with those groups who had been offended by it?
Social media may be a great way to quickly reach your customers or the wider public to communicate your response. But you need to consider where your target audience is and which platforms they are using. For example, if you experienced an incident in Russia, you won’t want to rely solely on Twitter and Facebook because most Russians use local social networks such as VK mobile version or OK.RU.
Will your audience even use social media? If you sell stairlifts to the elderly you might find that a social media communications campaign doesn’t reach your target audience and may just inadvertently publicize the issues which you are experiencing to a wider group of people.
Regardless of whether or not you will be using social media as your main communications channel, you’ll need to carefully monitor it. Rumors on social media spread incredibly fast so you’ll need to be prepared to respond if needed.
Having well-documented escalation processes is essential when you face a crisis. Teams who are dealing with a crisis need to understand at which point they need to escalate an issue to another team or to someone more senior and how they do so. Inappropriately escalating issues will bombard other teams and take their attention away from more serious issues they need to address. The process should outline criteria and situations that require the issue to be escalated to another team. Details of who in that team the issue should be passed to should be included.
CASE STUDY Risk in action: Greggs bakery logo vandalized
If you search for a business in Google you may have seen the panel that appears on the right displaying key information about the business including its logo, address, phone number. On 19 August 2014 social media users noticed that if you typed ‘Greggs’, the UK’s largest bakery chain, into Google, a fake logo with an offensive slogan was displayed instead of their official logo.
It didn’t take long for Greggs to be flooded with posts and comments via Twitter. Greggs faced two issues: 1) they needed to work out how to fix the issue and get their proper logo to appear again, and 2) they needed to deal with the barrage of tweets from customers.
How Greggs reacted was impressive. They created the hashtag ‘#fixgreggs’ and tweeted a photograph of a large plate of doughnuts to Google UK with the text:
Hey @GoogleUK, fix it and they’re yours!!! #FixGreggs
Google UK then tweeted back:
Sorry @GreggstheBakers, we’re on it. Throw in a sausage roll and we’ll get it done ASAP. #FixGreggs.
For hours while they waited for Google to fix the issue, Greggs was responding to hundreds of tweets from their followers. They didn’t respond with generic ‘we’re looking into it’ messages the way other brands have done in the past. Instead, they responded with appropriate and sometimes witty posts. They didn’t ignore their followers and didn’t shy away from what had happened; they rose above it.
Greggs managed to get in touch with Google California and after a few hours the logo was fixed, at which point Google UK tweeted:
That’s all done now @GreggstheBakers, #FixGreggs is now #FixedGreggs
Even after the logo issue had been fixed, Greggs didn’t stop there. They then tweeted a photo of sausage rolls laid out on a table spelling ‘Google’, with the text ‘Aaaand relax! Maybe those kind folks @GoogleUK could give us the doodle tomorrow?’ (The ‘doodle’ is the changing Google logo that you often see on Google’s homepage.)
Not long later Google tweeted back with a photo of an almost identical desk scattered with what appeared to be sausage roll crumbs and the text ‘Whoops! Sorry @GreggstheBakers’.
Google didn’t give Greggs the doodle, but it was an entertaining story with a good outcome for Greggs. They received a lot of support from its followers throughout and were able to respond in a very human way. The way Greggs handled this potential PR nightmare was reported positively in many of the mainstream newspapers and resulted in a lot of positive press.
This goes to show that social media can be used effectively to manage a potential PR nightmare and come out on top.
Reactive versus proactive communications response
When you face a crisis you can choose to respond either proactively, or reactively. In a reactive response you will wait to be contacted by customers or the media before you respond to them and you will only disclose as much information as you have been asked for. In a proactive response you won’t wait to be contacted, instead you’ll proactively push out messages on social media, contact the media and give regular updates on your progress.
The best response tactic will depend on the circumstances of the crisis, as well as how much you know about the incident versus how much the public know. If your company is well known and champions transparency and you become aware of an issue with a product or service you might choose a proactive response.
This would help you avoid being accused of hiding information, reacting slowly or not seeming to care. You might choose a reactive response tactic if there are already details of an issue emerging in the media, but not all of the detail has been leaked into the public domain.
In this example, you wouldn’t want to go out and put all your cards on the table as it might prompt an even bigger backlash against your company. Instead, you’ll monitor the situation to see what stories get picked up by the media and put your energy into responding to them rather than focusing on other issues that are not causing such a press sensation.
After an incident has been dealt with you should review your own performance to understand how you can improve should you face a similar incident in the future. Questions that you could ask are:
Was the crisis report template used and was it effective?
Was the response timely?
Were the policies and procedures followed?
Were any amendments to the agreed procedures made?
Were the amendments effective and should they be incorporated into the processes?
Did the teams collaborate effectively?
How has the perception inside and outside the company changed as a result of the crisis?
Were any improvements identified?
Once you have the answers to these questions you should have a fairly clear picture of how well your teams responded to the incident. You will also be able to see more clearly where your team had trouble or responded slowly. This valuable information should be used to update your crisis response strategy so that if there’s a next time, your response will be more efficient.
Crisis testing and simulation
Once you’ve crafted your crisis response strategy it will hopefully be a quite some time until you have to put it in action, if ever! But such a strategy is an unfortunate necessity. The organizational change many companies face as well as the constant changes in technology and social media mean that the strategy could quickly become outdated. To avoid this, your strategy should be reviewed annually and updated appropriately.
You should also consider running crisis simulations to test your response strategy. Crisis scenario testing can uncover issues in your strategy and helps people in your organization to understand what they should do and how they should act in a crisis. Such testing will inevitably require quite a lot of senior resource, but the benefits of familiarizing your people with the strategy and getting a view on how it can be improved will prove invaluable when the time comes to put the strategy into action for real.
The objective of a crisis scenario test is to simulate events that might happen during a crisis over the period of a day. This could involve phone calls from the press, IT infrastructure going down, or even parts of the office becoming inaccessible. Throughout the test, you will need observers to document how your people react to different situations, the decisions they take and the impact they have.
You’ll also need a team of people who will play the roles of key individuals in the outside world, for example, a journalist calling for information. At the end of the test, you should analyze the results and report back to leadership to summarize what went well, what didn’t go well and what aspects of the strategy need to be amended.
The key benefits of crisis scenario testing are:
It gives the organization an opportunity to rehearse its response capabilities and builds confidence in people’s roles and responsibilities.
It gives the organization confidence that they will be able to deal with a crisis but also highlights areas for improvement.
The testing is realistic rather than theoretical. People will need to send emails and make phone calls as part of the test, all within a safe environment. This will bring the scenario to life and is more effective than just thinking about the tasks. For example, you might assume that to write a press release will take 10 minutes when in fact during the test it could take double that time.
If the response to the crisis involves teams in multiple locations around the world, it gives them a chance to work together and get to know each other. Crisis scenario testing is a fun exercise and a break from the norm. The tests are performed in a safe environment because they highlight fictional problems; however, they will go a long way to preparing an organization to deal with a crisis effectively when it occurs.
In this blog, we covered crisis management, an essential part of safeguarding your organization against social media risk. Being prepared for a crisis will help you deal with it more effectively. On the flip side, not being prepared for a crisis could have devastating consequences for your organization.
We covered the four stages of the crisis lifecycle: preparation; assessment and analysis; response; and prevention. In the preparation stage, you consider what threats the organization might face and what measures you will implement in order to respond to a crisis if it materializes.
The severity of a crisis can increase or decrease, so by defining the different levels of crisis severity, you are able to implement response plans to deal with the crisis effectively regardless of how it develops. Your crisis response strategy will have all of the tools and guidance that you need to deal with a crisis. Crisis response strategies need to be updated regularly as standard as well as after a crisis in order to tweak the strategy and help prevent future crises.
Finally, we covered crisis scenario testing – a key way to test your crisis strategy and an opportunity to identify and fix any issues within it. Running crisis scenarios helps bring the theory to life and will be a memorable experience for all of those involved, which in turn will help people to either prevent a crisis from happening or to respond appropriately if it does.
In the next section, we’ll look at social media security and how to implement measures to manage the risk of security breaches when faced by a cyber attack.
Cyber security is one of the biggest threats facing businesses, governments and individuals. In 2014 there were 42.8 million security incidents reported. This is the equivalent of almost 120,000 attacks every day. Cyber security is nothing new, but the threat has grown considerably over the last few years as we have grown more connected and as organizations have begun to rely more on their digital systems. In a survey from professional services firm, PwC, the cost of the average cyber attack against large companies in the United Kingdom in 2014 was between £600,000 and £1.15 million.
In this blog, I will introduce you to the topic of cyber security and cover some of the basics to give you a base level of understanding. We’ll cover who the main actors are and what their motivations and targets might be. We’ll then move on to consider where the security risks lie in social media and what you can do to safeguard yourself against them. Cyber attacks are not necessarily highly sophisticated. Likewise, there are some simple but effective steps that you can take to ensure the security of your social media accounts.
What is cybercrime?
Cybercrime is the term used to describe criminal activity on computer systems. A hacker is someone who aims to exploit weaknesses in computer systems for some kind of gain. The hacker’s motivation is not always monetary and there are a number of reasons why people engage in hacking. From teenagers getting up to mischief in their bedrooms to nation states waging cyber warfare, there are a number of different players and motivations.
Cyber risks pose a threat to both individuals as well as companies. Everyone is aware that fraud and identity theft are common crimes perpetrated in order to steal money. But there are less obvious risks posed to individuals. For example, many people go on holiday and post photos on social media of themselves relaxing, perhaps enjoying a beer on a beach.
Unfortunately, criminals have realized this and have started targeting people who geotag their posts with their location. There have already been cases of people having their homes burgled while they were away on holiday because geo-tagged social media posts have alerted burglars to the fact they are not at home.
Who poses a threat?
Cyber risks pose a number of threats to businesses too. Whether it be to steal money or designs for their latest products, the risk is already high and growing. So, who are these ‘cybercriminals’ and ‘hackers’?
The key players are:
Organized crime. Criminal gangs who engage in hacking for financial gain by stealing money from banks or personal information and intellectual property to sell on the black market.
Nation states. The term ‘cyber warfare’ describes how nation-states are using techniques to attack or defend against their adversaries. Nation states might use computers for intelligence gathering or develop and deploy cyberweapons that target a foreign country’s utilities or infrastructure.
Hacktivists. The word ‘hacktivist’ comes from the word ‘activist’ and usually defines groups of hackers who break security in order to publicize a social or ideological message. For example, some hacktivist groups are opposed to internet censorship, or indeed censorship of any kind, so launch attacks against governments or organizations who they see as supporting censorship. Some groups believe in the freedom of information and focus their energy on hacking to bring non-public, or confidential, information into the public realm.
Insider. The insider is a special category and refers to someone inside a company or organization. The insider may be used as a mule, unaware that their account is being used for hacking. For example, an external hacker may send malicious software to someone within a company in the hope that they will install it. This software could give the attacker access to the insider’s computer. Insiders, therefore, pose a big threat to organizations.
Independent hackers. There are many types of independent hackers, however, the main ones are:
‘Blackhat’ hackers: these are the hacker groups most commonly portrayed in popular culture or films. Blackhat hackers break security for little reason beyond malicious intent or personal gain. Blackhat hackers may break into computer systems to destroy or steal data, or to make the systems unusable.
Professional or elite hackers for hire: this group of hackers is highly skilled and often employed to uncover vulnerabilities in computer software and to write code that will exploit those vulnerabilities.
Ethical hacker: an ethical hacker, also known as a ‘white hat’ hacker, is someone who breaks security for non-malicious purposes. This could be in order to a test a system’s security and uncover weaknesses so that fixes can be applied. Ethical hackers perform ‘penetration tests’ or ‘vulnerability tests’, usually under contract.
‘Script kiddies’: these are relatively unskilled hackers who break into computer systems using tools created by black-hat hackers. Script kiddies can wreak havoc, but without their tools, they have little understanding of the underlying computer concepts.
What’s at risk?
As mentioned above, the threat presented by hackers goes beyond the financial.
The things that an attacker can target include:
Money. Money is often a big motivator. Hackers may try to break through your security in order to access your bank accounts and steal money by transferring it out of your accounts.
Corporate secrets. Corporate secrets are valuable: if they weren’t, they wouldn’t be secrets! What is valuable to your company would probably be valuable to others, whether that is a competitor, a government or an independent hacker who wants to sell your secrets on the black market.
Business deal information. Information about business deals, such as planned mergers or acquisitions, is sensitive as any insider knowledge about the deal could impact the stock market or could be used by the opposing party. For example, if your organization is planning to sell part of its business and has set a minimum price, that information would be extremely valuable to the purchasing party. Again, information with a high value will always be targeted by hackers.
Personal data. If someone were to get hold of all of your personal data, it would make it much easier to steal your identity, which is why personal data can have a large intrinsic value to criminals. Hacktivists may also target personal data because they want to expose it online in order to embarrass the company that controls it and causes the uproar from all of its customers and employees. In this case, a hacktivist may not make money from the hack, but the company they targeted may be fined by a regulator.
The hacktivist’s goal is to cause as much pain to their target as possible. Intellectual property. Designs for your latest products or the inner workings of your existing products clearly have a high value, especially to your competitors. If hackers were able to get a feature list of your new product and pass it on, it would erode competitive advantage, which is why intellectual property is often a target.
Payment information. Rather than stealing money directly from a company, it might be easier and more rewarding instead to steal the payment information of all of your customers. These payment details could either be used by the criminals to make purchases themselves, or they could be sold on the black market to other criminal gangs.
Operational data. This may not seem obvious at first, but if a hacker was able to obtain data about how your business operates, they could use that information to their advantage for large cyber attacks in the future. Alternatively, if an attacker can find out information about your delivery trucks, they might be able to work out the best time and place to rob them.
Industrial control systems. The systems that control water filtration plants, the electricity network, power stations and so on are called industrial control systems. These systems are usually targeted by hackers for cyberterrorism. Their purpose is to disrupt a nation’s utilities or to have a large impact on normal citizens, for example by manipulating water filtration systems.
Although not exhaustive, this list does help to show that there are a large number of incentives for cyber attacks. The key takeaway is to apply the same caution to your information assets as you would to your physical property. If something is valuable, it could be targeted, and should, therefore, be protected. If an attacker can gather intelligence about your company by stealing your operational data, then they will be able to use that data against you in the future.
Why is account management important?
I’m sure you’ll agree that it would worry you if it was easy for a hacker, or anyone with malicious intent, to get access to your corporate social media accounts. Unfortunately, there have been lots of examples of this happening, and in many cases, the reason has been poor account management. There are a number of tools and techniques available to hackers that they can use to gain access to your social media accounts. In this section, we’ll examine the ways that hackers achieve this, and look at what you can do to guard against it.
On the flip side, if the inappropriate or offensive content is posted on your social media account, it might not be because of a cyber attack. It might be an innocent mistake made by someone in your team who mixed up your corporate account with their personal account. There are a lot of examples of this, so we’ll look at what you can do to stop this from happening but you should also read blog 6 for guidance on how policy and awareness can reduce the risk of this happening.
The problem with many social networks is that they were initially conceived as tools to allow people to connect with each other. Only later did organizations start using social media to connect with their customers and promote their products. Because of this, many social networks only allow one username and password to be associated with a social media account.
So, if you have a Twitter account with the handle @[your_company_name] and have a team of 10 who need to use it, you’ve really only got two options: 1) share the username and password among your team; or 2) use some kind of social media management tool to control access. The easiest option might be to simply share the login credentials with your team;
There are other problems with sharing account credentials. Because everyone in your team is logging into the same account, it makes it almost impossible to control what is being posted. You have no control and if you want to block a disgruntled employee from the account, your only option is to change the password and communicate it to the rest of the team, provided that that employee hasn’t already changed the account password to spite you.
The use of a social media management system, or a social risk and compliance tool, is an excellent way to manage your accounts. By implementing a social media management system you will not only be able to give each member of your team their own login but you’ll also be able to implement controls to ensure that your password policies are adhered to. For example, you can configure how often you want your users to be forced to update their passwords and set rules that dictate password complexity.
Another advantage of using a social media management tool is that it will provide a different interface for your team when logged in using their mobile devices. Figure illustrates that more than one social media account can be connected to your smartphone. We often operate on ‘autopilot’, completing simple and common tasks while barely thinking about them.
It’s this behavior that has caused some people to confuse the corporate account with their personal account. However, when a social media management tool is used, access to the corporate account will be controlled through the management system’s own mobile application. This means that the personal account will be configured in the social network’s native application on your phone. The interfaces are likely to be significantly different from one and other, which will reduce the risk of a mix-up.
I don’t know anyone who likes having to remember lots of different passwords or who enjoys having to regularly change them. However, good password management is an unfortunate necessity. It’s tempting to set them to things that are easy to remember, such as the birth date or name of your first child.
But the problem is that it’s now even easier than ever to find out information about peoples’ lives: a quick look on someone’s public social media profile can often give a very detailed picture of their life: when and who they married, when their children were born, their names, where they live, where they go on holiday and so on.
It’s complicated further by the fact that the average person now has a multitude of different online accounts, which makes it tempting to just use the same password for every account. However, the problem with this is that if any of those accounts get hacked, the attacker will have access to all of your other accounts. Even if you signed up to a website just once to see what it was all about and never returned, if you used the same password as you use for your other accounts then you are at risk of your main accounts being hacked, even though you only used the website in question once.
In our personal lives, there are a few occasions when we might disclose our passwords to someone else. In theory, this should never happen, but I’m sure there are times when we have shared our passwords, perhaps with loved ones to allow them access to our emails or social network. In a corporate setting, one of the few occasions, when passwords will be shared, is when a new account is being created. Many companies operate a security model whereby the user has a global user ID (GUID) and password, which they use for all, or at least most, corporate systems.
This is good because it means that the user doesn’t need to remember a large number of passwords and there’s also no need for them ever to share that password. However, not all applications will use this security model and an exception might be a social media management system. This means that every time you create a new user you will need a way of communicating the password to them. The management system may have built-in mechanisms to deal with this, for example, by emailing the user a temporary password and providing a link for them to change it on first use.
However, if this isn’t the case you’ll need another way of communicating the password. As a rule, you should never use the same method to communicate the username and the password. For example, you might email a person their username and tell them their password over the phone. Alternatively, you might text them their username and verbally tell them the password face to face. Whatever you choose, you should ensure that the username and the password are not communicated in the same way because it decreases the likelihood that the details could be intercepted.
No matter how careful you are, there’s still a chance that your password could be stolen or ‘cracked’. Two-factor authentication differs from single-factor authentication because it authenticates someone based on something they know (such as a password) as well as something else that is inseparable to the user. Taking money out of a cash machine is an example of two-factor authentication because of the use of the bank card, which the user possesses, and a personal identification number (PIN), which the user knows.
Many online systems, including email providers and social networks, have adopted two-factor authentication as a way of overcoming the inadequacies of simple passwords. You may already use some form of the extra device from your bank in order to log in to your internet banking, which is another example of two-factor authentication. Nowadays, most people own a smartphone, which has led it to become the go-to device used for two-factor authentication for online services such as social media.
How both single-factor and two-factor authentication work. The single-factor authentication route to your social network is simply to log in using your username and password. Many social networks allow you to configure two-factor authentication using your phone.
When enabled, you log into your social network account using your username and password, then the network sends an automated authentication code to your phone, often via a text message or via an app installed on your device. You then type the code into the input box on the screen to gain access. The code will only be valid for a short period of time, perhaps between 1 and 10 minutes.
The beauty of this is that even if your password is broken, stolen or an attacker manages to get hold of it using some other means, they still won’t be able to access your account unless they also have your phone.
It’s obviously an extra hurdle and could be quite frustrating if you were in a location without any mobile phone signal, or without your phone, however, it’s one of the best ways to significantly reduce the risk of your account being hacked. You should check the account and security settings on your social networks and other online accounts to see if two-factor authentication is an option. If it is, there will be details about how to register your phone and turn it on. Some online services try to make it even easier for you by letting you identify certain trusted computers that do not require you to continually log in.
Viruses, spyware, and malware
Some of the tools hackers use against their victims are actually tools that unsuspecting users have running on their own computers. Often, malware (malicious software) is sent to users in phishing emails or can be automatically downloaded when a user visits a malicious website. Malware is the term used for any software installed on computers that perform unwanted tasks. There are different types of malware; the key ones are as follows:
Virus. Viruses have been around for almost as long as personal computers started to appear in peoples’ homes. A computer virus replicates itself on the infected computer and spreads itself to other computers, normally through a computer network or via email. A virus can damage an infected computer by corrupting the hard drive or by taking up all available memory to render the computer unusable.
Spyware. There are many types of spyware but their main purpose is to covertly spy on a user’s computer usage. Information about what the user is doing is then transmitted to servers controlled by the hackers. A ‘Trojan horse’ (or Trojan) is a type of malware that often acts as a ‘backdoor’ into the victim’s computer. Some Trojan horses can give the attacker full control over the user’s computer.
Adware. Software that serves up irritating adverts on a user’s computer, often bombarding the user and severely impeding productivity.
Ransomware. Ransomware is a particularly vicious type of virus that encrypts a user’s hard drive, effectively locking the user out of their own computer, and holding them to ransom. The user must pay a ransom (often in the region of around £250 but sometimes considerably more) to get the key to unlocking the hard drive.
Often a time limit is imposed whereby if the user does not pay up in the given time the contents of the hard drive will be permanently deleted. There’s no guarantee that the decryption key will be provided if the user pays. Ransomware is not new but became more popular among cybercriminals around 2013 with the release of a widespread ransomware package called ‘Cryptolocker’.
Keyloggers. These are types of spyware, often included in Trojan horses, which record all keys pressed by a user. Usually, the keylogger will run in the background of the computer and is difficult to detect by the average computer user. Because keyloggers record all keys pressed it means that they can capture all passwords entered. The fact that passwords are usually hidden on screen does not matter if a keylogger is installed because they record every key.
The best way to avoid unexpectedly installing malware on your computer or network is to ensure that your anti-virus and anti-spyware software is up to date. You should also have a good firewall to protect you from attacks over the internet and to detect whether malware is attempting to secretly transmit to criminals.
A firewall is a security system that controls inbound and outbound network traffic based on a set of rules. If malware is trying to submit information to an attacker elsewhere on the internet, a well-configured firewall will block the connection attempts. In the corporate environment, most of this should be the responsibility of your IT team, so unless you are in that team you shouldn’t need to install these programs yourself. Malware is also attached to malicious phishing emails so you should avoid clicking any links in any suspicious emails. Phishing is covered in more detail in the next section.
A less obvious way that malware can get onto your computer is through devices connecting with it, for example, a USB stick, a mobile phone or even a USB charger. Malicious devices can be programmed so that whenever they are connected to a computer (or mobile device), they automatically install malware. For this reason, many large organizations lock down the ability for users to plug anything into their computers by disabling USB or other inputs altogether.
So, you might want to think twice the next time someone asks you to do them a favour and let them charge their mobile phone using your laptop or computer. That mobile phone may be loaded with malware that will silently infect your computer. Likewise, USB memory sticks are now very cheap and often given away for free at conferences. Be warned – by accepting the ‘free’ memory stick and plugging it into your computer you might be handing over control of your computer to a cybercriminal!
CASE STUDY Risk in action: 2 million passwords stolen and posted online
In December 2013 reports emerged that more than 2 million passwords for a wide range of online services had been stolen. The stolen login credentials were then posted online. The site, written in Russian, claimed to offer valid logins to 318,000 Facebook accounts, 70,000 Gmail, Google+ and YouTube accounts, 22,000 Twitter accounts and 9,000 Odnoklassniki accounts (a Russian social network).
The passwords appeared to have been stolen from computers infected with keylogging malware. Keylogging malware logs all keys pressed on a keyboard, then sends them to servers controlled by the hackers. Analysis of the stolen passwords by security firm Trustwave showed that the most popular password in the database was ‘123456’, which was listed 15,000 times. Facebook said that all users found in the database had been put through a password reset process.
The moral of this story is that online users should be more careful with their passwords. Don’t use the same password for all of your online accounts, make sure that the passwords you do use are not simple or easy to guess and ensure that you change them regularly. An extra level of protection would be to use two-factor authentication, which would significantly reduce the likelihood of your account becoming compromised if your passwords are stolen.
Social engineering describes techniques used by hackers to deceive people in order to extract information or to encourage them to do things for them. Social engineering usually exploits an insider at a company, either by phoning or emailing them and making them think that the attacker is someone else, such as a senior member of the company.
Social engineering is a very powerful way of manipulating people in order to bypass controls or break a company’s security. An attack may consist of multiple attempts to manipulate users to build a picture of how an organization operates, get hold of names, phone numbers and other information that they can then incorporate into their deceptive techniques in order to make them more believable to their next victim. In the context of social media, there are two types of social engineering that pose the biggest threat to an organization: impersonation; and phishing.
Impersonation is when an attacker disguises their identity by impersonating someone else. The attacker may try a number of different techniques, such as impersonating senior members of staff or by claiming that they are calling from the company’s IT department. The attacker can be creative and will normally spend a lot of time building a picture of what it’s like to work at the company, who its suppliers are, who the key people are and so on. The more information an attacker can get, the more convincing he or she can be when they contact their victim.
The victim will often receive a phone call or an email from an attacker who is claiming to be someone else. The attacker’s objective is to either extract information or to get the victim to perform certain tasks. For example, the attacker might claim to be a headhunter interested in hiring the victim.
Once the victim gets talking they might expose information about the size of the team, the working hours, the types of social media accounts they have and so on. This information may seem harmless on its own, but it is extremely valuable to the attacker, as it allows them to build a more accurate picture of how the team operates.
They could then use that information to call a new member of staff claiming to be the boss’s boss and ask that the user hands over their login credentials, even issuing threats to the victim should they not comply. An attacker may also ask information such as the browser version which the employees use. This helps the attacker focus their attention on hacking the specific browser version in use at the company and discounting any others.
Other information that an attacker might want to gather from a victim could be the team’s holiday schedule or information about when nobody is in the office. This could then be used to launch attacks in a quiet time when there is less chance of it being noticed. Information about whether employees can access the corporate social media accounts on their phones could also be useful to the attacker.
In some cases, the attacker might be able to persuade their victim to explain the process for setting up access on a mobile device. Internal documentation, such as policies and procedures, can also be useful to an attacker as they often include details about key contacts or instructions about how to complete tasks within the organization, such as how to submit new content for approval on a social network.
Social media can also present the risk of impersonation. If you or someone within your company is widely known, for example, a well-recognized CEO, a reporter from a news agency, or a celebrity or film star, then members of the public can create false accounts in their name.
False social media accounts can be damaging in many ways, and there are numerous reasons impersonators may decide to set one up. A key motivator can be to satirize or mock the company or person or to damage a reputation in some other way. Fake accounts can also be created as part of a wider attack, for instance by mimicking a bank and contacting people through social media to tell them that fraudulent activity has been identified on their account in the hope that the user will provide their details.
Many of the social networks have tried to combat fake accounts by designating certain accounts in some way to show that they are official. On Twitter, for example, a blue tick appears beside official accounts which Twitter has verified. Other social networks have similar ways to help users identify official accounts.
Using deception to impersonate another person or organization is a violation of most social networks’ terms and conditions so you should ensure that you follow the network’s procedures to report the impersonated account as soon as possible. However, because many social networks support freedom of expression, many allow parody accounts to be created provided that certain conditions are met. For example, the social network may require that the parody is clearly identified as such by explicitly stating that the account is not official.
If you find that your company has been impersonated and you are not happy about it, the best action to take is to report it to the network. Unfortunately, the network may take a long time to review the reported account and, as stated above, may allow the account to exist if it complies with the network’s terms and conditions.
If this is the case, the best thing that you can do is to work harder to ensure that you attract supporters and that the content you create resonates with users. If you are facing criticism over a recent crisis it may be best to simply weather the storm and commit to producing high-quality content and engaging with your customers and followers effectively.
One of the most common techniques that attackers use to hack into users’ social media or other online accounts is phishing. A phishing attack involves an attacker sending an email to their victims that includes harmful content, such as an attachment that includes malware or links to fake or dangerous websites. If the user opens the attachment or clicks on the link, malicious code could be installed on the user’s computer, which could either cause damage to the computer or spy on the user in order to gather sensitive information such as bank account details or login credentials.
It’s important that your users are able to spot a phishing email to avoid falling victim to an attack. If you receive a phishing email you should report it to your IT department so they can attempt to block any future attacks, and delete the email without opening any attachments or clicking on any links. Figure 8.5 illustrates what a phishing email might look like.
If you suspect that you have received a phishing email you should consider the following:
How does the email refer to you? If the email says ‘Dear client’ or ‘Dear customer’, it might be a phishing email. It’s unlikely that official emails from your bank or your social network would refer to you using such a generic term.
Be wary of links within the email; however, if you hover the mouse over the link you might see that the actual target of the link is different.
Poor spelling or grammar. It’s unlikely that official communications from reputable companies will include basic spelling mistakes or grammar mistakes so this could be a good indication that the email is a fake.
From field. Check the address in the ‘From’ field. The address might be subtly different, for example by replacing the characters ‘l’ or ‘o’ or with the numbers ‘1’ or ‘o’ respectively. Even if the ‘From’ field appears to show a genuine address, you should remain vigilant. It’s easy to ‘spoof’ the ‘From’ field of an email address, which is to mask the real sender with a fake one. You could also look at the ‘reply to’ field as it could show a completely different email account, such as one that looks more like a personal account than a corporate account. This could be another indication that the email is malicious.
Finally, you may have a feeling that the email that you have received just doesn’t seem right. You might have received it unexpectedly and it may include content or references that make you suspicious.
Sometimes, a phishing email may encourage users to click a link and log into a phishing website. A phishing website looks like a legitimate website but is, in fact, a malicious copy, designed to make the user think that they are logging into the real website when in fact they are logging into a fake. The login credentials used on the phishing website will be captured and used to hijack the user’s account.
This also illustrates how two-factor authentication, as discussed earlier in this blog, can help protect a user from this type of attack. Figure illustrates how a phishing website might differ from the legitimate site it is impersonating. At first glance the websites seem identical; however, if you look carefully you can see that the web address is slightly different. The letter ‘l’ has been replaced with the number ‘1’. The idea of this is that if the user glances briefly at the web address they might not notice the subtle difference.
It’s worth pointing out that users should not rely on the web address alone because an attacker may have used other techniques to mask the web address. To guard against this, your IT department should ensure that you have up-to-date anti-virus and anti-malware software on your computer that is capable of detecting this sort of attack.
Spear phishing is a targeted phishing attack against a specific user, or group of specific users, rather than a mass mail approach where a generic phishing email is sent out en masse with little direction. A spear phishing attack could be launched on specific employees within an organization and will normally include specific details that an attacker may have gathered using other social engineering techniques.
For example, a spear phishing attack might target specific members in your marketing team by name and reference recent meetings or projects in order to fool the recipient into thinking that the email is legitimate. Phishing emails have become popular with hackers who are looking to gain access to a company’s social media accounts, and there are many examples of successful social media attacks as a result of phishing.
CASE STUDY Risk in action: the SEA targets media outlets
The Syrian Electronic Army (SEA) is a group of computer hackers who support the government of Syrian President Bashar-al-Assad. The group rose to notoriety during 2013 when it hacked a number of prominent Western media websites and social media accounts, including Forbes, The New York Times, The Associated Press and The Guardian.
A lot of the SEA’s hacks are not very sophisticated and instead look to trick people into clicking links within malicious emails. The SEA is known for using phishing attacks like this successfully. One particularly noteworthy attack was against the Associated Press (AP). The SEA managed to hack the AP’s Twitter account and post a tweet with the text:
Breaking: Two Explosions in the White House and Barack Obama is injured
This tweet had a particularly big impact because the Associated Press had nearly 2 million Twitter followers at the time so it was picked up and retweeted by other social media users almost instantly. It even had an impact on the stock market and one minute after the tweet was posted the Dow Jones Industrial Average started a short nose-dive. A Bloomberg reporter wrote that in the three minutes after the post the ‘fake tweet erased more than $136 billion in equity market value’ before recovering shortly afterward.
About an hour after the hack, the SEA claimed responsibility. Reports in the media claim that the SEA gained access to the Associated Press Twitter account through a phishing attack. An innocent-looking email asked AP staff to click on a link, which then downloaded malware to their computer to spy on them. This goes to show that cyber attacks don’t need to be highly sophisticated to be effective and, more often than not, humans are the weakest link.
Securing your network and data
The more security you put in place, the more difficult it becomes for users to access your systems. The most secure computer is one that is without power in a protected vault in an unknown location where nobody can access it. However, the computer is clearly not going to be very useful this way.
Therefore, you need to strike a balance between security and usability. When implementing an enterprise social network you’ll need to consider how to configure your network. You’ll need to assess the risks and make an informed decision about how users will be able to access it and what data they will be allowed to store within it.
Enterprise social networks are excellent collaboration and knowledge-sharing tools. Your colleagues are able to connect with each other and share documents, or even collaborate to create documents within the enterprise social network itself. Because of this, as time progresses the amount of valuable, and potentially sensitive, information within your network will increase. This will make the network an extremely attractive target for a hacker. If an attacker can gain access to your network they will have free reign to search and download a huge amount of information. Because of this, it’s vital that you ensure your network is well protected.
A data classification framework will help you set policy decisions about the types of data you will allow in your network. For example, you may allow internal information to be shared freely on the network, but more sensitive data to be shared only within closed groups with extra controls in place.
You will need to consider how your users will access your enterprise social network. The network provider will offer different options, such as simple web-based authentication or more complex requirements around the use of a virtual private network (VPN). A VPN allows users to connect to the private corporate network across a public connection.
For example, you may use a VPN to connect to your corporate network from home. The advantage of using a VPN is that it’s an added layer of protection which authenticates your corporate users and allows them to access company systems, such as your enterprise social network, when outside the office. The disadvantage is that it requires extra configuration and support from IT in order to set up and run the network. It also requires the users to configure their devices to access the network.
From a user perspective, the simplest way to authenticate a user into your enterprise social network is to allow them to connect to it by using a web login. The problem with this is that without any additional controls, a user could go on holiday and decide to go to an internet cafe and access your enterprise social network. The computers in the internet cafe could be riddled with malware spying on the user’s login credentials. Once the login credentials have been exposed in this way it will give the attacker an easy route into your enterprise social network.
Configuring your enterprise social network to only allow connection from within the corporate network, or via VPN, is an extra hurdle your users would need to jump through. However, I believe that the added protection that this offers is worth it.
Most enterprise social networks allow users to upload and share documents, as it is a very practical way of enabling effective knowledge sharing. However, some organizations make the decision to prohibit documents from being uploaded due to security concerns. The organization may be worried about losing control over sensitive documents uploaded to the network. If you decide to allow documents to be uploaded, you should consider what types of file you want to permit.
For example, you may wish to prohibit executable (.exe) files from being uploaded because you want to reduce the risk that users might accidentally, or deliberately, upload malicious software to the network. Many good enterprise social networks have built-in features that scan any uploaded files for viruses.
If you allow files to be uploaded, it’s essential that this feature is enabled. You should also consider how the virus definitions (the rules the software uses to detect viruses) are kept up to date. This may be a question for the vendor but is one that you should definitely raise during your preliminary discussion. If virus definitions are not updated regularly it could mean that newer viruses get missed by the software.
Security is an important part of social media risk management and governance. There are large numbers of hackers around the world who work tirelessly, so IT security professionals need to be ever vigilant in order to stay one step ahead. IT security is evolving, but in many organizations, the ‘traditional’ IT systems get more attention than the newer ‘social’ systems. This can result in weaknesses that not only impact the social systems themselves but also threaten a company’s IT network more broadly.
In this blog, we introduced the topic of cybersecurity and looked at the key actors and their motivations. The good account and password management is one of the simplest things to get right; however, many people neglect best practice because they don’t perceive the extra effort as worthwhile. However, even some of the most notorious hacker groups launch attacks using fairly unsophisticated techniques that have proven very effective.
We looked at some of the practical things you can do to protect yourself and your team online, such as enabling two-factor authentication on your social network accounts. Finally, we considered how an attacker might target your enterprise social network and looked at some of the steps that you can take to secure your network, such as by prohibiting connections that do not use the corporate VPN.
In this blog, we’re going to look at how regulation impacts social media. Regulation differs around the world, and the laws and regulations that are applicable to your organization will depend on the country, or countries, in which you operate, as well as your industry.
As such, rather than include a long list of regulations that impact social media worldwide I’m going to highlight the key themes that these laws and regulations aim to control. In doing so, you’ll get a broader view of what to look out for in the countries in which you operate and understand what practical steps you can take to manage social media risk and achieve compliance with these laws and regulations.
Ultimately, you will be responsible for researching, understanding and applying any particular regulations that might impact your social media programme. However, this blog will equip you with the knowledge of the types of regulation that might impact your programme and provide ideas as to how you might fulfil any regulatory obligations.
The social media regulatory mix
Regulations that impact social media are more developed in some countries than others. In the majority of cases, however, laws and regulations have not had a chance to catch up with social media. This makes it difficult to understand how a particular regulation might apply in social media or how you might remain compliant with a regulation through your use of social media.
Most regulators have chosen not to change their rules, but to publish guidance about how social media can be used within the existing constraints of the rules. I often hear regulation cited as a reason why an organization is not fully embracing social media, however, I believe that it’s possible to use social media and experience its benefits while remaining compliant.
Regulations that impact social media can be split into three main categories. These categories overlap with each other because of the way that social media has grown organically and because it impacts so many people.
Communication and advertising
Organizations need to comply with laws and regulations when communicating with their customers. The key points covered in this section are:
financial promotions; and
Many countries have laws that govern how a company can advertise its products and services. The purpose of these laws is to protect the buyer by ensuring that companies don’t mislead consumers by making false claims about their products. Clearly, social media is a great place to advertise products and services; however, there are new constraints and challenges that organizations face.
A simplistic example is that a company can post an advertisement on a bus stop, which complies with advertising, standards, and hope that passers-by notice it. However, on social media, a company can do more because it can interact with its customers directly and can encourage other social media users to make recommendations about its products. For example, a company might give a celebrity-free product in return for a positive social media post.
This sort of behavior gets a bit
murky and is where some companies have got into trouble. The celebrity’s followers might see their tweet and think that they genuinely do like the product they are recommending, when in fact they are recommending it only because they have been paid to do so. This can mislead the customer and is why regulations exist to help make consumers aware of this activity and not be unfairly influenced into buying a product or service.
The same is true for other types of endorsements, such as retweets. In response to this, it is becoming common practice to include the hashtag #ad or #spon (sponsored) within advertising endorsements to highlight to social media users that the post is sponsored.
Financial products are contracts that stipulate movement of money between two parties. Banks, credit card companies and insurers all offer financial products, such as bank accounts, mortgages, loans or insurance. There are strict rules around how financial products can be advertised and these rules apply to both online and offline advertising.
However, space constraints make it more difficult for companies to include any necessary disclaimers that they would include as a matter of course in offline or print advertising. The most important point is that financial promotions should be fair and not misleading. Financial promotions should be balanced so that consumers have an appreciation not only of the potential benefits but also of any relevant risks.
The reason that regulations that cover financial promotions are stricter than standard promotions is that of the impact that a bad investment decision can have on someone’s livelihood. In some cases, a bad investment can make unlimited losses. Banks and financial institutions are not known for their innovative use of social media, mainly due to their caution when it comes to social media regulation.
Financial regulation is complex and governs how financial institutions operate. Promoting financial products through social media has been seen widely as difficult or risky. For example, financial institutions are often required to include terms and conditions in any financial promotions, something that can be difficult in the space-constrained world of social media.
In March 2015 the UK’s financial regulator, the Financial Conduct Authority (FCA), published guidance on how to use social media for financial promotions. The rules themselves weren’t a change to existing regulation but instead provided guidance to financial institutions on ways that they could use social media to promote their products and services while remaining compliant with existing regulation. Financial regulators understand the benefits of social media and want to encourage companies to use it, provided it’s used fairly and rules are not broken.
Publicly listed companies, whose shares trade on the stock market, have extra levels of regulation that they need to abide by. One such example is related to the disclosure of investor information. Information about a company’s performance will be of particular interest to investors because it might have an impact on the company’s share price.
Because of this, regulation exists to ensure that the disclosure of such information is done fairly. Social media is a communications medium and it’s not surprising that companies want to use it to engage with their customers, the public and their investor community. If they’ve performed well during a particular quarter, they will want to share the story through social media, as well as through their traditional channels, such as press releases.
However, most regulators are still catching up with social media; therefore, if they believe that information has been inappropriately released on social media before investors or shareholders had been informed, they might take action against the company. Regulators are, however, catching up and the US Securities and Exchange Commission (SEC) now allows companies to disclose information through social media, provided the company’s investors have been notified to expect to see such information there.
CASE STUDY Risk in action: Netflix SEC disclosure
Netflix is a subscription service for watching TV programmes and movies. In July 2012, Netflix CEO and co-founder Reed Hastings posted on his personal Facebook account that for the first time in his company’s history viewers had consumed over 1 billion hours in one month.
The US Securities and Exchange Commission (SEC) issued what is known as a Wells Notice to both Reed Hastings and Netflix, which meant that they intended to pursue enforcement action over the inappropriate disclosure of investor information.
However, in April 2013 the SEC announced that it would not be bringing an enforcement action against Netflix or Reed Hastings and issued a report which said that companies were free to use social media networks to announce key information, provided that investors had been told where to expect this information to be published. This example shows the difficulty that many organizations face when engaging in social media but it also shows that regulators are changing the way that they view social media.
The issues that arise from the use of social media for recruitment are mainly in relation to discrimination. Many countries have strict laws to combat discrimination. It’s now common for employers to look at a candidate’s social media footprint as part of the recruitment process. There are valid reasons to do this.
A person’s social media account can give insight into a job candidate’s experience and character. In LinkedIn, recommendations from previous employers or connections are listed on the user’s profile as well as a list of skills endorsed by colleagues and associates. I’ve heard many recruiters talk about how a person’s LinkedIn profile is often a more accurate representation of a candidate than a CV. Job candidates tweak their CV for the job that they are applying for, but it’s harder to tweak a LinkedIn profile for specific jobs because the recommendations and endorsements are provided by other users.
But, reviewing a candidate’s social media profiles without their knowledge is an area for concern. This concern is heightened when a company uses deceptive techniques to gain access to a candidate’s social media profile, for example by sending connection requests to candidates from a fake account.
Companies face a risk when reviewing candidates’ profiles due to the potentially large amount of sensitive personal information that might be available in the candidate’s profile, such as their gender, age, religion, sexual orientation, political views etc. Organizations need to ensure that they do not discriminate against candidates as a result of information gleaned from social media because an unsuccessful candidate could claim they have been discriminated against due to the personal information in their social media profile.
If you intend to review a candidate’s social media footprint as part of the recruitment process, the best course of action is to inform candidates that you will be conducting a review. This is fair as it gives the candidate a chance to review their profile and remove anything they might want to keep private. You should also give the candidate an opportunity to defend any findings from your review as this will remove the risk of you making assumptions or decisions based on inaccurate information.
An example of this is the appointment of 17-year-old Paris Brown as Britain’s first youth police officer and crime commissioner. After her appointment, she was found to have posted offensive and potentially racist messages on Twitter. As a result, she resigned and Kent Police and Crime Commissioner faced criticism in the media for not having conducted appropriate background checks.
Employment and HR
Organizations need to comply with an array of laws and regulations relating to employment. In social media, the key issues that arise are:
ownership of social media accounts;
acceptable behavior and conduct;
bullying and harassment; and
Discrimination, whether active or passive, will cause problems for companies. Because of a large amount of personal information in social networks, it’s possible that employers might discriminate against recruitment candidates or their own employees based on their personal characteristics. Laws around the world prohibit discrimination and companies must ensure that they don’t discriminate when engaging in social media. Companies need to provide equal opportunities for their employees, regardless of race, religion, gender, age etc.
Employee monitoring is a sensitive subject. Most organizations will already monitor their employees, perhaps through the use of CCTV cameras in and around their offices or through the monitoring of company emails. Some organizations may even have a regulatory requirement to monitor their employees in order to detect fraud or other illegal activity, such as insider trading.
However, issues and risks arise when a company starts to monitor its employees’ social media accounts without good reason and without their knowledge. While regulations allow organizations to conduct employee monitoring on social media, certain safeguards and rules may need to be in place. For example, policies need to include details of the monitoring to ensure that the employees are aware of what will be monitored.
Ownership of social media accounts
It can be difficult to determine the ownership of social media accounts. While corporate social media accounts are fairly easy to distinguish, uncertainty arises when an employee uses their personal account as part of their work. If that person has a prominent position in the company or if they have gained a large number of followers or connections, the company that they work for may feel that they can claim ownership of the person’s account and that they should either have access to the account or that the account should be handed over if the person leaves the company. Regulations exist to make the rules around this sort of thing clear.
It’s unlikely that an organization will be able to legally state a claim over an employee’s social media account. If an organization requests access to an employee’s social media account they are likely breaking both the law and the terms and conditions of the social network in question. Most social networks state in their terms and conditions that accounts cannot be transferred and that passwords should never be disclosed to anyone.
If you are concerned that an employee might leave your company and take with them a long list of contacts, the best way to combat this is by encouraging your employees to log new relationships on the company’s customer relationship management (CRM) system.
Many organizations require all work relationships to be logged and tracked through their CRM system, which means that even if the employee leaves, the company will retain details about the relationship including contact details. This may seem like quite an onerous task; however, you could incentivize your people to update the system by reporting on how many new connections, opportunities or sales each person or team made to encourage competition between teams.
Acceptable behaviors and conduct
Many employers have regulatory responsibilities to ensure that their employees maintain certain levels of professionalism. Most organizations already have codes of conduct in place that set out what behaviors they expect from their employees. These behaviors should also be reflected in the company’s social media policy.
Bullying and harassment
Unfortunately, bullying and harassment exist in both society and business. Because of the perceived anonymous nature of social media, there have been many cases of abuse online, such as cyberbullying. Some people think that normal rules of politeness and human interaction don’t apply in social media. In January 2014, two people pleaded guilty to sending ‘menacing’ tweets to feminist campaigner Caroline Criado-Perez, who had been campaigning for a woman to appear on a UK banknote.
The court heard that one tweet started with an expletive and continued ‘Die you worthless piece of crap’. Caroline was also told to ‘go kill yourself’. Many countries have laws to stop this type of behavior and organizations need to be aware of these laws and ensure that abuse does not take place within their organizations, either offline or online.
In some countries, there are restrictions on how social media can be used as a tool for assessing employee performance. Germany is one country where such activities can be meet with opposition from works councils. A works council is an organization that represents workers and that complements national labor laws.
Organizations that operate in Germany, or other countries that have the concept of works councils, should involve works councils in discussions from beginning to end to agree on how employees will use an enterprise social network or another social system. The works councils are entitled, by law, to be involved in any discussions around the use of security cameras or IT tools that are able to monitor and assess employee performance.
Data protection and control, organizations must ensure that they comply with regulatory requirements related to consumers’ rights to privacy. There can be a fine line between when a company is monitoring its customers or employees and when the organization is seen to be invading their privacy.
A simple rule of thumb is that monitoring should be clear and fair and that deception is always wrong. An organization has the right to monitor its employees’ social media use, provided that the employees are aware of what is being monitored. Similar to my earlier example, if an employer uses deceptive techniques to monitor the employee, such as through fake social media friend requests, this is likely to attract the regulator’s attention.
Healthcare is one regulated industry that specifically requires any patient data to be kept private, for obvious reasons. For example, you should not share any information or make social media posts that might identify that a person has visited a particular clinic or hospital.
Data regulations around the world set out the specific requirements around privacy and data protection. A common requirement is that organizations implement robust privacy policies that explain what data is being captured about individuals and how it is being used.
Some regulations, such as the forthcoming EU General Data Protection Regulation, affect many parts of an organization and the impact on social media is just one of these areas. Because of this, some organizations already have project teams in place that are tasked with addressing the requirements. This is clearly a good opportunity for you to link in with the project team to ensure that your own social media projects remain compliant, and it may mean that you work closely with the team to ensure that this happens.
Organizations must comply with regulations around record keeping. Certain types of data must be held for certain amounts of time, while other types of data cannot be stored for longer than they are needed. Organizations need comprehensive archiving and backup strategies in order to comply with these regulations. Because social media data often includes a mix of personal data and other business data, it can be difficult for organizations to categorize the data that they hold and deliver archiving programmes that meet their regulatory needs.
Regulators also have the right to request information to support their investigations or other legal cases. It can be difficult for organizations to respond to these requests, particularly if they are global companies because a regulator in one country might require the organization to protect data about its citizens by not transferring it outside the country’s jurisdiction.
On the other hand, a regulator in another country may require the company to provide all data related to a specific individual because of an ongoing legal dispute. In this example, it is difficult for the company to comply with both regulators, and this sort of scenario is one where the company’s lawyers should provide guidance.
Many people copy and paste information from the internet and save online documents to their computers or email them to friends and colleagues. Copyright laws and regulations around the world protect works created by others, and organizations need to implement controls to ensure that copyrighted materials are not being hosted on company servers without permission.
All businesses want to ensure that they protect against and avoid falling victim to cyber attacks. However, there are numerous regulations that require companies to maintain their IT security and some that specifically state requirements around how businesses should go about protecting themselves.
Organizations need to be aware of laws and regulations around malicious communications, what constitutes malicious communication and what they are required to do if they receive such communications, or become aware that their employees are sending malicious communications.
Some regulators require companies to have robust security awareness programmes and to undergo regular security penetration tests. Security penetration tests are simulated attacks against a company’s infrastructure or IT systems in order to uncover any weaknesses or security vulnerabilities.
Once any weaknesses have been discovered, the company should run a remediation project to address these weaknesses. Other common security requirements imposed by regulators are for organizations to have processes to address deficiencies in information security policies as well as to detect, report and respond to security incidents.
Some regulators have started setting out what they expect companies to do to manage social media risk through the provision of appropriate governance. The US Federal Financial Institutions Examination Council, for example, requires companies to have a risk management programme that enables companies to ‘identify, measure, monitor, and control the risks related to social media’.
In addition, regulators will want to see documented policies and procedures as well as evidence that robust controls operate to manage social media risk. Training is a common requirement from regulators to ensure that the company’s employees have an awareness of risk and so that they understand their own responsibilities in managing it.
In addition to training requirements, some regulators also insist that employees who communicate through social media on behalf of the company are appropriately supervised. This supervision might take the form of systems and controls, such as social risk and compliance tools, which are configured to force content through approval processes.
This whole blog should equip you with the knowledge to implement effective governance programmes to support social media and manage risk.
Dealing with character limitations
One of the main challenges to regulatory compliance on social media is that many social networks impose character limits on posts. For example, Twitter posts can include a maximum of 140 characters, videos on Vine are six-second loops, adverts on Facebook allow 25 characters for the title and 90 characters in the body. This makes it challenging to include both your key messages and any relevant terms and conditions or additional information within a single social media post.
There are a couple of things that you can do to overcome these limitations. Firstly, you can split your content across two or more posts. Splitting content across two or more tweets is a common way of including more content than the 140 character limit allows on Twitter; however, to be effective the tweets must come in quick succession. Otherwise, a user might see the first tweet, but miss the second tweet, or vice-versa.
Another way to include extra content is by embedding an image within a tweet. So, you could include the headline in the text of the tweet and include a picture that includes more details as well as any necessary disclaimers, terms or conditions. However, it’s possible for users to turn off images so it’s important not to use an image for the disclaimers only; instead, the whole advert should be included within the image itself and the text should remain compliant on its own.
Finally, don’t try to hide any disclaimers by making the font size so small that it’s difficult to read. If you do this, a regulator will probably rule that the advert is neither fair nor clear.
Future of regulation
Regulators are catching up with social media, which is why we’re already seeing them issuing guidance to companies about how they should use social media and manage risk. Social media and digital technology continue to evolve, with new social media networks gaining popularity and existing social networks adding new functionality.
In January 2015 Facebook announced that it had begun testing a service, called ‘Place Tips’, which will deliver information about nearby shops and landmarks to Facebook users. If successful, this new functionality could offer businesses new advertising and marketing opportunities. Even if it fails, I have no doubt that other new developments and functionality will come along and change the dynamics of business–customer interaction.
Changes in the social media and the digital landscape will continue to make regulators reassess the rules and guidance that they set out for businesses. Regulators don’t like to make knee-jerk reactions to incidents and prefer instead to observe how companies and the public react. Because of this, regulators will remain behind the curve when it comes to regulations that impact social media and digital technologies.
That said, organizations will need to keep a watchful eye on any upcoming rules or regulations to ensure that they maintain compliance and safeguard the future of their business.
In this blog, I introduced the social media regulation mix, which is a useful way of categorizing the types of regulation that impact social media. The laws and regulations related to social media around the world differ and the specific regulatory requirements in the countries where you operate will differ from other companies.
You are now aware of what to watch out for and you should seek advice from your risk, compliance and legal colleagues for specific details about how to ensure that your social media programme remains compliant. There are practical steps you can take to help you deal with character limitations on social media, and elsewhere in this blog, I have highlighted other strategies to help you manage risk and maintain regulatory compliance.
In the next blog, we’ll look to the future by assessing emerging trends and technologies that might impact social media.
The future and its opportunities
In this blog, we’ll look to the future to consider how social media might evolve and what it might mean for businesses. I believe that the future of social media holds a wealth of opportunities to increase engagement with your customers and your employees, drive efficiencies and encourage innovation. But where there is an opportunity, there is a risk.
Social media analytics will evolve and allow organizations to predict more accurately who will purchase their products and services and when they are most likely to purchase them. We will see the decline of email as the de facto communication tool, with more social-type systems taking their place.
The kids will continue to be years ahead of us adults in their use of digital technologies and social networks, which will mean that more emphasis will need to be placed on educating them of the risks of the virtual world. Social media will evolve and more secure, encrypted services will emerge to protect users from unwanted monitoring. Our reliance on technology will increase, which will increase the impact of IT failures on our lives.
Social media analytics
Social media analytics is a topic that already attracts much interest and hype. The ability to understand which products your customers buy, which promotions and advertisements resonate with the best, and which social networks they spend time on is really useful to organizations looking to drive sales. A lot of work is going into improving sentiment analysis, which is the ability to automatically measure the positive, negative or neutral sentiment of social media posts.
Predictive analytics takes analytics to the next level and instead of offering insight into events or behaviors in the past, uses large amounts of historical data trends to predict what might happen in the future. There are already many examples of predictive analytics correctly predicting future events.
One of the best known is when US retailer, Target, ‘predicted’ that a girl was pregnant before her father had found out based on the products that she had purchased. The girl received coupons for baby products such as clothing and cribs which the father thought inappropriate until he realized that she was in fact pregnant. In this example, the retailer used information about the products she had purchased to predict that she had recently become pregnant, and similar predictions can also be made by analyzing social media posts or internet activity.
Predictive analytics is particularly interesting and powerful because of the vast amounts of data we share on our social networks every day. Not only do we share posts about our personal lives, we often geo-tag them with the location and ‘tag’ our friends in posts when we’re ‘checking in’ to a nice restaurant for dinner. Furthermore, it’s also possible for the social networks to track which posts a user has seen and how long they spent looking at them. All of this information is extremely valuable to companies who are looking to target their advertising more effectively.
Consider the key events of a couple’s love story. They meet, get engaged, get married, get pregnant, have a baby, celebrate the baby’s birthdays, their wedding anniversaries, and so on. Now, while not all of these things will happen in the same order (or indeed, happen at all), there is a typical trend a company can analyze.
If our social networks know the date of our wedding anniversary, a company could make a prediction that adverts for flowers, chocolates or jewelry might be more effective during the weeks leading up to the date. So, a company may pay more for placement of their advertisements during these times, then cut the advertisement on or after the date.
Many analytics platforms have been built for a specific purpose to give insight into social media data and offer predictions using pre-built algorithms. The more technically advanced and accurate way to perform predictive analytics is to build your own algorithms. The advantage of this is that it allows you to pick what data you want to input and choose exactly what you want to predict instead of having to rely on off-the-shelf analytics packages that are available to everyone.
The disadvantage is that there is a fairly high barrier to entry into the world of predictive analytics. You’ll need to employ specialists such as statisticians or data scientists who will use advanced tools such as ‘R’ or ‘python’. Building your own algorithms is likely to give you an advantage over your competitors because they will allow you to predict future trends more accurately. There is already high demand for job candidates who have skills and expertise in analytics and this trend will continue for years to come. Incidentally, Harvard Business Review named Data Scientist the sexiest job of the 21st century!
There are a number of ‘use cases’ for social media predictive analytics, such as:
Recruitment. By using data from multiple social networks, including LinkedIn, it will be easier to predict if an employee is more likely to leave for another job. This can be useful for headhunters when targeting candidates or for companies looking to retain their staff.
Industry trends. Extrapolating trends in social media data that discuss certain industries, such as utilities, could be used to predict spikes in energy usage.
Crime prediction. Data that tracks where a crime takes place might help authorities to increase their presence if incidents are predicted in certain areas. Likewise, the monitoring of social networks, however controversial, could alert authorities to individuals or groups who are planning to commit crimes such as terrorism. Law enforcement agencies around the world already use social media data to track fraud or predict where it is likely to occur.
Public opinion. No longer will we need to rely on the polls reported during elections, instead relying on data from social networks to get a more accurate prediction on the outcome of elections.
Users are already becoming more aware of how companies mine their data in order to advertise products and services they might like. While this is good for customers, as it means the adverts that they see will be more tailored and relevant to them, users may view it as an invasion of privacy.
The EU General Data Protection Regulation, is going to have a huge impact on all businesses in the EU as well as companies around the world who process data on EU citizens. Because predictive analytics relies on vast amounts of personal data, we will see legal cases brought against companies who exploit predictive analytics to sell their products. Businesses will need to ensure that they are processing data ethically and in a manner, users would not object to.
Although not everyone will agree, I believe email is wildly inefficient. We use it every day and many of us have to sift through hundreds of emails to work out which ones are for our information, which ones need us to do something, and which ones are just junk offering us a promotion for something that we just don’t want or need. The big problem with email is that we’ve grown so reliant on it that it’s difficult for us to imagine a world without it.
Have you ever considered how difficult and long-winded it can be to make a decision among your team through email alone? Let’s say that you need to agree on a decision with your team members, so you email all of them. One member replies to you only with their comments, the others reply to all and one of the team also forwards the email to someone else for their input.
The person who received the forwarded email replies to you and all, but has missed some of the emails from the other members. You then compile all of the responses and reply to all with a synopsis. This is complicated and could go on and on with multiple email trails breaking off and bringing other people into the conversation without your knowledge.
Many of the so-called digital natives, the people who grew up with social media, smartphones, and tablets, don’t use email. They communicate using social networks or instant messaging apps. Often, email is just one of those things that they need in order to sign up for certain services in the same way that we all need a postal address so that packages can be delivered.
However, many online services have started allowing users to sign up to their services by connecting their social network, rather than requiring an email registration. Doing this is a quick and easy way to set up a new profile on an online service as it only requires a few clicks and all of your information is pulled to the new service automatically. These systems will continue to contribute to the decline in an email.
When I first mentioned my prediction to my wife that email will eventually die she said that I was mad. However, just a few days later, she asked her niece (a 19-year-old from Russia) to email her a document. The niece’s response was ‘email? Nobody uses email anymore! I’ll send to you it via Facebook’. At this point, my wife realized that maybe email isn’t the great tool that we’ve become so over-reliant on over the years and that perhaps something else will eventually replace it.
Of course, I don’t think that email will completely die altogether. Good old snail mail has not completed died. After all, having a washing machine delivered to your house is far better than receiving a photo of one via social media, or indeed better than receiving instructions on how to 3D-print your own! Some people do take pleasure out of using a real-life pen to write a real-life letter, put it in an envelope, affix a stamp and send it to a loved one.
But, you must agree that this sort of communication has declined significantly over the last few years. Many of my family members are abroad so at Christmas time I now expect electronic greeting cards that have a corny animation and cheap music instead of an actual physical card. Although receiving a physical card would be a nice surprise, it would probably mean that I would be obliged to send a physical card in return, and I’m far too digital for all of that paper nonsense!
Other advantages of social collaboration over email include:
Centralization: everything is not stored across multiple mailboxes and is instead in one location, making it easier to refer back to at a future date.
Audit trail: changes to documents or discussion on an enterprise social network are all logged with the time that they were changed as well as the person who made the change.
Time-saving: rather than sending emails and collating the responses, social collaboration does all the work for you.
Space savings: If an email includes a large attachment, that attachment may be recreated every time a reply is sent, clogging up the inboxes of all recipients. If an enterprise social network were used, the attachment would be uploaded to the discussion thread and would be downloaded only by those who wanted to view it.
Hopefully, I’ve convinced you of the inefficiencies of email and that something more ‘social’ will surpass it. The problem, however, is that I don’t believe social networks, as they stand at the time of writing, are ready to replace email. Traditional social networks are public, meaning anyone can use them. But, each person needs to be a member of the same social network or platform to be able to send messages to each other.
Email, on the other hand, allows a person to send a message to anyone else and it doesn’t matter which email provider or email software they are using. Internally, people within organizations are already communicating using their company’s enterprise social network, but this only allows communications within that network. So, if they want to contact one of their suppliers, they will have to resort to email and all of its inefficiencies. There is no standard system that everyone uses to get the benefits of social collaboration.
I believe that the solution to this is a new protocol that will emerge and allow social-type communications to be sent from person to person without the need for everyone to use the same social network. A new authority or network will emerge that will handle all social-type messages and become a hybrid between a traditional public social network and an enterprise social network.
When this happens, I believe it will herald a whole new form of communication. Email is definitely wildly inefficient and there are already tools that go some way towards addressing these issues but they do not have the required security or ability to share content outside of the corporate network.
Social media offers people, young and old, opportunities to stay in touch with friends and family, to collaborate and to share their thoughts and ideas. Many social networks and online services offer users the ability to hide their identity. The unfortunate side effect of this is that anonymity can lead to some unsavory behavior. Some users hide behind the anonymity and act in a totally different way online than they would in the real world.
Social media and other digital technologies are usually adopted by the younger generations first. Only later do adults follow suit. At which point, the platforms become too ‘uncool’ because the parents have joined. This makes it difficult for parents to keep up with the technology that their children are using and makes it hard for them to determine where the risks lie.
Education is key and we will need to see far more of it to ensure our young people know how to use the internet responsibly and what to do if they ever encounter inappropriate material or behavior. There have been a number of examples where both children and vulnerable adults have been exploited online or faced cyberbullying.
The scary difference of cyberbullying to playground bullying is that cyberbullying can give the bullies anonymity, enabling them to be even harsher than in the playground. Another issue is that while playground bullying may take place while the child is at school, cyberbullying can take place relentlessly at all hours of the day and night. There have been a number of sad cases where young people have taken their own lives as a result of cyberbullying.
Unfortunately, the internet has long been used by people to share indecent images, sometimes involving children. We’re now seeing a worrying trend whereby children themselves are being exploited directly. Some of the new social networks allow users to send messages and photos that will allegedly be deleted a few seconds after they have been read or viewed.
The system isn’t 100 percent effective though, as it’s easy to take a screenshot when a temporary message or photo is received, thereby making a permanent record. Sometimes, children have sent indecent images of themselves to other users thinking that the other user is an attractive boy or girl of a similar age. Unfortunately, in these examples, the person sending and receiving the image has been a criminal who then uses the indecent image to exploit the child by threatening to post the photo online unless they pay money.
In February 2015, Google announced that it would be launching a version of its popular video sharing site, YouTube, for children below the age of 13. At the time of writing, only children who are 13 or over can create accounts on YouTube. This represents an interesting shift, in that it may signal a change where other technology companies begin to offer more services for children under the age of 13.
Of course, it’s easy for children younger than 13 to circumvent the age restriction by simply checking a box or lying about their age. But these age-specific versions of popular sites will rely on parental and network permission, which is clearly preferable. If successful it should make the internet safer for children as the content will be monitored to ensure it is age-appropriate. It also presents opportunities to advertisers who will be able to market their products and services to a younger age group, in the same way, that they already do on television.
It’s not just children who face the risk of cyberbullying. There have been a number of cases of adults being ‘trolled’, which is a term used to describe when someone is bombarded with offensive messages on online platforms. We covered an example of this in blog 9, which resulted in the Twitter troll being jailed due to a campaign of abuse on Twitter.
Many people are guilty of so-called ‘oversharing’, when they publish so much information about their personal lives that they put themselves at risk of stalking or burglary. Where stalking used to involve physically the following someone, in today’s world those people can track their victims using social networks far more effectively.
On a more positive note, social media is an effective tool to support distance learning. University fees are high in many countries, which often means that young people have to take out huge loans to pay their way through studies. Because of this, distance learning has grown in popularity.
People who use distance learning engage with content, tutorials, video and other rich learning materials through the internet. They don’t need to sit physically in a classroom and instead can form virtual groups with fellow students and work together over the internet using social media and other learning and messaging platforms.
Education will not only help raise awareness of the risks of the internet among young people, but it will also give them the skills needed to work in a more connected and fast-paced world of technology. Research from London First, a non-profit organization with a mission to make London the best city to do business in, shows that 80 percent of companies in London’s ‘tech city’ cite a lack of skills as the biggest single barrier to growth. The UK school’s curriculum was changed in 2014 to ensure that children are equipped with the new skills that they will need when they enter work, such as programming and graphical design skills.
CASE STUDY Risk in action: Teenagers commit suicide because of cyberbullying
In 2013 tragic reports emerged in the media about teenagers aged between 12 and 17 years who had taken their own lives due to cyberbullying. Many of the teenagers were users of Latvian-based social network ASKfm, which allows users to ask questions and post responses anonymously. While this may seem innocent at first, it turned out that many teenagers were being bullied on the site.
One such teenager who took her own life was 14-year-old Hannah Smith from Leicestershire in the UK. Hannah’s father, Dave Smith, said that he found posts on ASKfm from people asking her to die. The messages on the site urged Hannah to ‘cut herself, drink bleach, and kill herself’. Mr. Smith has called for tighter controls to be placed on social networks.
In another case in September 2013, a 12-year-old girl from Lakeland, Florida, committed suicide after receiving text messages saying ‘You’re ugly’, ‘Why are you still alive?’ and ‘Go kill yourself’. On the day that she killed herself she changed her name on a social network to ‘That Dead Girl’.
In total, ASKfm has been linked to six suicides.
UK Prime Minister David Cameron commented that the social networks must ‘clean up their act’ or face boycotts from users.
Peter Wanless, chief executive of the UK’s National Society for Prevention of Cruelty to Children (NSPCC), said:
The cruel nature of cyberbullying allows perpetrators to remain anonymous and hide behind their screens.
This is something that must be tackled before it gets out of hand. We must ensure young people have the confidence to speak out against this abuse, so they don’t feel isolated and without anywhere to turn.
These examples of cyber bullying are clearly worrying and shocking. Children need to be taught about the internet and how to stay safe while on it. Companies also need to be aware of these risk. Advertising is often purchased through agencies in ‘bundles’, which place their adverts on a wide range of websites. Because of this, some companies were unaware that their adverts were appearing on ASKfm beside such worrying content. Many advertisers later pulled out from advertising on ASKfm as a result of the revelations in the media about child suicides.
The revelations of Edward Snowden in 2013 caused a public backlash against the way that technology companies were passing information about their users to governments. The technology giants claimed to have been under pressure from governments to release information about their users so they publicly fought back by introducing the publication of so-called ‘transparency reports’.
The transparency reports detail the number of requests from governments for user data to be handed over or for data on the networks to be removed. The reports also show how many requests were fulfilled by the tech giants and how many were rejected. In February 2015, Twitter reported that it had seen a 40 per cent increase in the number of requests from governments since its last report in July 2014. Twitter received a total of 2,871 requests from governments across the world asking it to reveal data about 7,144 of its users during the second half of 2014. Twitter reported that it had fulfilled 52 per cent of the requests.
Governments in non-democratic states have to work harder to control their citizens’ online activity. Social media is an inherently open place where people can post whatever they wish. A government censoring the internet will keep a constant watch on social media to understand public sentiment and to work out which pieces of content pose a threat and which it might, therefore, remove or censor.
Bitcoin and the dark web
It’s difficult to tell what the future will hold for social media in the context of internet censorship. We’ve already seen social networks and other online services get banned in certain countries; for example, in 2013, Twitter was blocked in Turkey. Savvy users in countries where censorship is more pertinent know ways to get around these blocks. Twoof the most common are:
Virtual Private Networks (VPNs). These are often paid services which route internet access through another country and encrypt the connection to the user’s computer. This makes it far more difficult for a government to monitor a user’s internet usage and it is also an effective way of bypassing local internet censorship.
The Onion Router (TOR). TOR is a tool that heavily encrypts a user’s connection by routing it through hundreds of other computers (like the layers of an onion). Using TOR gives users access to the so-called ‘dark web’, websites that are accessible only through the TOR network, like a parallel internet.
Using TOR allows users to avoid internet monitoring and bypass internet censorship. There are legitimate reasons to use TOR; for example, journalists might use it to report news from somewhere the internet is heavily restricted or censored. However, some of the dark websites that operate on the TOR network have become infamous black markets for illegal goods and services.
Transactions on the dark web marketplaces usually make use of crypto-currencies, such as Bitcoin. Crypto-currencies are decentralized digital currencies that use cryptography to secure transactions and control the creation of new units. The security that crypto-currencies offer means that criminals can make transactions on black markets anonymously.
Since TOR is all about anonymity, the ‘social networks’ that exist on the dark web tend to be messaging boards where users are identified by their username or alias, rather than their full name. Many hackers use the message boards to discuss vulnerabilities in security systems and to organize cyber attacks.
If you want to find out more about the dark web, once connected to the TOR network you can visit the ‘Hidden Wiki’, which is a guide to the dark web: http://zqktlwi4fecvo6ri.onion. It’s easy to understand why some governments want to control internet usage because we’ve already seen the effect that it can have. In July 2014, Russia announced a reward of 3.9 million roubles ($110,000; £65,000) for anyone who can who can crack the identity of users of the TOR network.
The Arab Spring was a revolutionary wave of demonstrations and protests that began on 18 December 2010 and swept through countries of the Arab League and its surroundings. During it, people used social media to organize demonstrations and circumvent state-operated media channels. In August 2011 the London Riots were said to have been coordinated through social networks.
Incidents like these have led some governments to censor the internet and monitor its use. But, this move towards internet censorship and monitoring has prompted public scandal and opposition. It has also had a knock-on effect on how companies use data to track users and serve advertisements. New social networks have started to appear, such as Ello, which is a social network that claims to never sell user data to advertisers and to never show adverts. There’s also Telegram, an alternative to Whatsapp developed by Pavel
Durov, who is sometimes described as ‘Russia’s Mark Zuckerberg’ after having launched Vkontakte (VK mobile version, Russia’s equivalent to Facebook). Durov stepped down from his company in 2013 amid wide speculation and rumors that he was forced out by the Russian government. His new venture, Telegram, claims to be highly secure and rely on complex encryption algorithms which make it far more difficult for governments to track usage.
I believe that we’re only at the start of the movement towards greater encryption and protection for user data in social networks. We will see more high-profile incidents and examples of excessive monitoring and censorship of the internet by governments and companies. This will increase the public’s interest in internet and social media monitoring and will result in more social networks and platforms being created in order to safeguard free expression and protect user data.
Encryption will be key to this protection. Once data has been highly encrypted, without the password (or key) it takes an enormous amount of computing power to crack. It’s possible to encrypt data so strongly that it would take even the most powerful supercomputers in the world years to crack the encryption.
Once social networks have developed their security to a high level it will make it extremely difficult for governments to monitor or censor the internet. This will mean that governments will find it more difficult to control or influence public opinion, which will, in turn, lead to more transparency, more freedom and thus a more pure form of democracy – what I like to call democracy 2.0. This isn’t without risk though, because without effective monitoring it will be easier for terrorists to use encrypted communications to plan attacks. Because of this, encryption and anonymity remain hotly debated.
Identity verification and biometrics
As we discussed in the previous section, one of the issues with social media is that it’s easy to hide behind anonymity. Many social networks try to stop users from being anonymous by imposing terms and conditions as well as by asking users to verify their identity by connecting their email address or phone to their account.
However, it’s easy to circumvent these types of controls. Many governments have ambitions to introduce digital methods for identity verification which, if successful, could even allow voting to take place electronically rather than in a polling station. Estonia is one such government that has already introduced electronic voting which builds on the Estonian ID card.
A secure database will authenticate someone, similar to the way that we authenticate ourselves to gain access to our internet banking. The big difference in the future, however, will be that when it’s possible to authenticate someone with 100 percent certainty, it won’t just allow people to withdraw money from their banks, it could also be used to pay for things in shops or to vote in an election and it would mean the end of the dreaded password.
There are dangers, however, because if the authentication was hacked, it would make it easy to steal someone’s entire identity. If you are a victim of bank fraud, it’s a serious matter, but if this form of identity verification could be circumvented it would prove a considerably greater risk. It’s dangerous because it represents a single point of failure, a bit like putting all your eggs in one basket.
One new technological development that may go some way to solving the identity verification problem is the use of biochips and biometric data. In theory, biochips or other forms of biometric authentication, such as retina or fingerprint scanning, will make our lives easier. We will no longer need to struggle to remember all of the passwords for our various accounts, instead of relying on something unique to us, such as our fingerprint or a microchip embedded under our skin.
There have already been trials in Sweden where employees of a company experimenting with biometric authentication offered their employees the chance to get a biochip implanted under their skin. This meant that when performing simple authentication tasks, such as getting into the office or logging into a computer, they didn’t need a password or a physical ID card, instead, they just needed to swipe their wrist (the place where the biochip had been implanted).
Hannes Sjoblad, Chief Disruptive Officer of the Swedish bio-hacking group BioNyfiken, which implanted the chips into the workers told The Times: ‘We already interact with technology all the time. Today it’s a bit messy – we need pin codes and passwords – wouldn’t it be easy to just touch with your hand? We want to be able to understand this technology before big corporates and big government come to us and say everyone should get chipped – the tax authority chip, the Google or Facebook chip.’
There will always be people who try to crack security systems and unfortunately, there will always be criminals who won’t think twice about killing someone to get at their biochip in order to steal all of their money. If a criminal is capable of killing someone in order to steal their bank cards today, are we to expect that if bank machines start to allow fingerprint scanning that criminals would start cutting off peoples’ fingers?
There’s no doubt that technology will continue to evolve at a rapid pace but whether or not it will change our lives will depend on the public’s readiness to adopt new technologies, such as whether we will allow biochips to be implanted in our bodies. It will also depend on the technology companies’ abilities to build security into their systems, products, and services from the ground up.