Social Media Risk (2019)


Social media is fast moving and evolving. This means that the risks it poses are also changing, with new risks emerging and existing risks gaining more or less potential impact. Because of this, it’s important that risk strategy is documented and that a risk assessment is completed on a regular basis. In this blog, we explain several social media risks in 2019.

 

A risk assessment involves evaluating and documenting the potential risks involved in a project or activity. The risk assessment for a small short-term project will likely only take an hour or so to complete, but a larger project will need more consideration and the risk assessment may take much longer.

 

How often a risk assessment exercise is performed will depend on the organization’s risk strategy and risk appetite, but I would suggest that a full social media risk assessment be completed at least annually.

 

It’s important for organizations to be aware of the typical risks of social media. There are five categories of social media risk, which we will look at in turn later in this blog.

 

I strongly recommend completing a risk assessment in order to understand what risks exist, how they might impact the organization, the likelihood of them happening and weighting or prioritization of the risks.

 

Doing this will allow senior management to understand where an extra resource may be needed or where extra control, policy or process may need to be implemented in order to manage risk.

 

Not all risk will have an adverse effect on the company’s objectives; in fact, some risks may not be catastrophic and may represent an opportunity for the company to grow or to increase efficiency.

 

For example, rather than lobby against upcoming social media regulation or facing fines for non-compliance, risk management can help you focus ahead of time and implement programmes to be on the right side of it. This can also result in an improved reputation, and being recognized as a company that understands risk and has long-term ambitions.

 

Measuring risk is a tricky business.

It’s often difficult to quantify risk but it is possible to think through scenarios to understand how a particular risk event may impact an organization.

 

When considering the likelihood of a risk event occurring, it’s also useful to think about frequency. Is this risk event likely to happen weekly, monthly or annually?

 

By deciding the impact and likelihood of a risk, you can plot that risk on the matrix to see what weighting or prioritization it might have. As you move through the risk matrix you can see that a risk that is very unlikely to occur and which, if it did occur, would be insignificant, would end up with an overall weighting of low.

 

Using a numerical scale to measure likelihood and impact will help ensure that risks are reported accurately. This will help management to see quickly which risks require their attention.

 

The risk matrix can be tailored to be in line with your risk tolerance. For example, you may decide to change categories slightly by changing a risk that is possible and severe from ‘extreme’ to ‘high’.

 

When we think about the impact of certain risks, it’s also useful to think about the ‘velocity’ or ‘speed to impact’. By this I mean, how long will a particular risk event take to have a direct impact on the company, and how long will it last? Will it be a one-off event, or will it be a continued event that lasts for, say, a week?

 

In the world of cybersecurity, a distributed denial of service (DDoS) attack aims to make a company’s website unavailable by flooding the web server with thousands of requests. This event could last for a few days, a week, or longer, depending on how the company responds.

 

On the other hand, a natural disaster such as an earthquake may last only a few seconds but could have a big impact on the organization for months afterward.

 

Risk assessments should be documented and reviewed.

Any resulting actions should be tracked to ensure that the risks are managed appropriately, in line with risk strategy and risk appetite. When assessing risk, it may become clear that new controls need to be implemented, or existing controls changed in some way.

 

When used in conjunction with the risk matrix, a risk assessment helps to prioritize tasks or changes and inform decisions and future resourcing needs. Documentation like this is also useful to illustrate that risk management procedures are being adhered to, should a regulator ever challenge the organization over issues relating to social media.

 

An activity could be something like posting content to corporate Twitter from mobile devices and the risk may be that someone could accidentally mix up the corporate account with their personal account.

 

Controls that you may have in place to safeguard against this might be regular training or a policy dictating that corporate accounts should only be accessed from corporate devices.

 

You may assess the likelihood of this happening to be quite possible (3) because you have a large team, but that the impact would be severe (5) because of the reputational damage that it could bring, and because you operate in a highly regulated environment that could attract fines, for example.

 

The resulting risk rating would be 3 × 5 = 15, ‘extreme’. After discussion and consultation, you may decide to implement a social risk and compliance tool, which you assess as having a risk rating of ‘low’.
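The scoring walked through above, as an added example that is not part of the original blog. The band cut-offs, the scale positions other than possible (3) and severe (5), the residual scores and the two extra register entries are assumptions constructed for illustration, because the matrix itself is not reproduced in the text.

```python
from dataclasses import dataclass

# Upper score bound for each band. ASSUMPTION: the page's matrix is not
# reproduced in the text, so these cut-offs are illustrative only.
BANDS = [(3, "low"), (6, "medium"), (12, "high"), (25, "extreme")]
SEVERITY = {name: rank for rank, (_, name) in enumerate(BANDS)}


def band_for(score):
    """Map a likelihood x impact product onto a band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix")


def build_matrix(overrides=None):
    """Return {(likelihood, impact): band} for a 5x5 matrix.

    `overrides` re-bands individual cells, which is how the matrix is
    tailored to an organization's risk tolerance.
    """
    matrix = {(l, i): band_for(l * i)
              for l in range(1, 6) for i in range(1, 6)}
    for cell, band in (overrides or {}).items():
        if cell not in matrix or band not in SEVERITY:
            raise ValueError(f"invalid override {cell!r} -> {band!r}")
        matrix[cell] = band
    return matrix


@dataclass(frozen=True)
class Risk:
    activity: str
    inherent: tuple   # (likelihood, impact) before controls
    residual: tuple   # (likelihood, impact) with controls in place


def rate(cell, matrix):
    """Return (numeric score, band) for one matrix cell."""
    likelihood, impact = cell
    return likelihood * impact, matrix[cell]


def prioritise(register, matrix):
    """Order risks by residual band, then residual score, highest first."""
    def key(risk):
        score, band = rate(risk.residual, matrix)
        return (SEVERITY[band], score)
    return sorted(register, key=key, reverse=True)


# Constructed register. The first entry uses the page's inherent score
# (possible = 3, severe = 5); every other number is an assumption.
REGISTER = [
    Risk("Personal/corporate account mix-up on mobile", (3, 5), (1, 3)),
    Risk("Fake account impersonating the brand", (2, 4), (2, 4)),
    Risk("Unmoderated enterprise social network content", (3, 3), (2, 3)),
]

if __name__ == "__main__":
    default = build_matrix()
    # Tailoring from the text: possible + severe is re-banded to 'high'.
    tailored = build_matrix({(3, 5): "high"})
    print("default :", rate((3, 5), default))
    print("tailored:", rate((3, 5), tailored))
    for risk in prioritise(REGISTER, default):
        print(rate(risk.residual, default), risk.activity)
```

Ranking on the residual rating rather than the inherent one puts the risks that still lack effective controls at the top of the list that management sees.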

 

Unfortunately, when dealing with risk there are no absolute right or wrong answers since much depends on the future which, as we all know, is notoriously difficult to predict.

 

However, once serious consideration has been given to the risks it’s much easier to prioritize them in a way that senior management or other stakeholders can understand. This means that risk management can be operationalized in a more effective way.

 

The risk continuum

In social media, for example, some activities need to be controlled, but placing too much control may, in fact, increase risk. Social media is fast moving, and it’s important that organizations are agile and able to respond to trends or conversations quickly.

 

If there are too many controls in place around what can be posted, by whom, when and from where, the organization may miss opportunities or be unable to respond to crises in a timely manner.

 

Effective controls demand resource and sometimes even require external consultants to advise on how they can be created. Too many overcomplicated controls are therefore expensive to implement, and the cost may outweigh the benefit of having them in the first place.

 

The sweet spot is where an organization has a balance over its risk management activities, where the organization is aware of the risks involved with social media and has implemented a strategy that will allow it to meet its objectives in line with its defined risk appetite.

 

Corporate culture

Culture has a big impact on how an organization uses social media and how much risk they are willing to be exposed to. People are a company’s biggest asset, but they are also the biggest risk.

 

If a culture of doing the right thing is well embedded into the organization, it will have a positive effect on how rigorously risk will need to be managed.

 

It is generally accepted that the tone set by those at the top has a great impact on the behaviors of the workforce; therefore, it is the board that is responsible for defining, communicating and demonstrating its culture in line with its risk appetite and business strategy.

 

The organization’s people need to understand what risks they are allowed to take and what is unacceptable. They must also understand the consequences of taking risks beyond tolerable levels.

 

For all the policies, procedures and controls which an organization implements, if the culture does not naturally reinforce the right behaviors then these risk management devices will prove ineffective.

 

It’s all too easy to point the finger at someone who has taken an inappropriate risk, but there are a number of questions that should be considered when this occurs, including:

  1. Why did they take the risk in the first place?
  2. Were they driven to it by the corporate culture?
  3. Did they receive the right training to identify which risks are appropriate, and which are not?

 

Enterprise social networks can help embed the risk culture because they allow leaders to demonstrate the behaviors that they expect from their people.

 

Having leaders of the organization active on an enterprise social network, perhaps posting regular communications and interacting with people, sets an example to others in the company and it helps set the tone of what is acceptable and what is not.

 

It surrounds everything that a company is and does. The culture, set by leadership, influences the business’s goals, its strategy, and its mission or purpose. It influences how people within the organization behave and sets boundaries for what is appropriate and what is inappropriate.

 

A company’s culture should align with its employees’ personal ethics and values, which should, in turn, set a precedent for how employees behave. Furthermore, messages about corporate culture should be visible within all company communications, whether that be top-down corporate communications or those between individuals.

 

Finally, policies and procedures should be aligned with the culture of the organization. If policies undermine company values or ethics, for example by enforcing behaviors or actions that go against the ethics of that company, it will have a negative impact on culture in general.

 

All of this is particularly important for social media because, as you’ll see throughout this blog, good ethics are important to ensure social media success.

 

There are many examples where organizations have used unethical tactics in order to promote their products or encourage users to engage with them but, in almost all cases, unethical behavior like this results in more significant issues that could have been avoided.

 

Hashtag-hijacking is the most common example of the unethical tactics that some companies have used, by adding trending hashtags to their posts out of context and for the sole purpose of increasing the reach of the post. When a hashtag supporting a social cause is hijacked it often causes the highest level of resentment from users.

 

Social media risk maturity model

Hopefully, it’s clear that there is not just one accepted approach to social media risk management, and that the extent to which an organization manages social media risk depends on its culture, risk appetite, and overall business strategy.

 

That said, the social media risk maturity model can help an organization understand where they are in terms of social media risk management, their ‘current maturity’, and help them get to where they want to be, their ‘aspired maturity’.

 

The social media risk maturity model shows five levels of maturity, each of which builds on the previous levels. Level 1, ‘Initial’, is the most basic level of social media risk management.

 

As you can see from the model, an organization at this level will have recognized the risks of social media but has not standardized processes around the management of risk. As you progress through the levels, the amount of risk management, processes, policies, and controls increases until you get to level 5, ‘Optimized’.

 

An organization with current maturity at level 2, ‘Repeatable’, will understand the risks that social media poses and may even have completed risk assessments in relation to it. But there will be no standardized processes or procedures and social media will be managed in an ad-hoc fashion, with little or no formal training available to employees.

 

At level 3, ‘Defined’, efforts have been made to implement processes, procedures, and policies to govern the use of social media, but there is little control to ensure that they are being followed or adhered to consistently.

 

When an organization is operating with a maturity at level 4, ‘Managed’, social media ownership, responsibility, and accountability are defined, although there may be a lack of board sponsorship.

 

At this stage, robust processes and policies are defined, documented and controlled, although tools to support or monitor these processes and policies may be lacking. At level 4 you might find that systems to review processes and policies are in place, but that metrics to track social media are basic, or lacking.

 

Finally, an organization operating at level 5, ‘Optimized’, understands the impact of social media and it is a board-level agenda. The processes and policies are defined, documented and monitored and a regular review cycle is in place.

 

An organization operating at this level will likely have systems in place to manage social media, such as Social Risk and Compliance tools, and the tools themselves will be monitored and tested on a regular basis.

 

Incident and crisis management will be well embedded in the organization, including how social media incidents will be addressed or how social media might be used during some other unrelated crisis. Adequate resource and likely dedicated teams will be responsible for social media on a day-to-day basis.

 

It’s important to remember that not all organizations aim to be level 5, ‘Optimized’, and nor should they. It may be that the cost of achieving level 5 maturity could outweigh the benefit of a social media programme in the first place. Still, this model can be used to understand where you are and help you reach your aspired level of maturity.

 

Risk categorization

There are, broadly speaking, five categories of social media risk. Some risks may have an impact on one or more categories.

 

For example, a hacked Twitter account would probably be classified as an information security risk, but if the account was used to post abusive messages it may cause reputational damage.

 

Efforts to regain control of the hacked account would place a heavy demand on resources, which is an operational risk. Finally, the hack may lead to an investigation by a regulator, which may enforce financial penalties.

 

Reputational risks

Reputational risks are most commonly attributed to traditional social media. The risk stems from people posting content online, either deliberately or by accident, which can harm the reputation of an organization.

 

As mentioned previously, a common mistake is when an employee who tweets on behalf of the organization mixes up his or her personal account with the organization’s official account.

 

It can be very embarrassing when a rude or inappropriate tweet is sent out from a company’s official channel, but unfortunately, there are many examples of this.

 

It’s surprising that there are still many executives who don’t understand how risky social media can be. For example, Ryanair boss, Michael O’Leary, hosted a Q&A session on Twitter without regard to how Twitter users might react to some of his comments, such as ‘Nice pic. Phwoaaarr!’

 

A company’s reputation takes time to build and trust can be lost in the blink of an eye. Seemingly small mistakes on social media can go viral fast. If these incidents are not managed correctly it can lead to a loss of investor confidence and have a negative impact on a company’s share price.

 

Fake accounts

Fake accounts pose a threat to organizations and it’s important to have plans in place to deal with this risk. There have been examples in the past where seemingly official, but nonetheless fake, accounts have been set up to act as though they were speaking on a company’s behalf.

These accounts can attract a lot of followers as well as considerable media attention, which can be a real embarrassment to the company.

 

Case study: BP fake Twitter account

In 2010 an oil rig exploded and subsequently sank in the Gulf of Mexico, causing a huge oil spill which is considered to be the largest accidental marine oil spill in the history of the petroleum industry.

 

In the space of a few months, the total number of users following the fake Twitter account surpassed those following BP’s official Twitter account, gaining over 150,000 followers.

 

BP’s response to the Twitter incident was slow, which you might argue is understandable given that their attention was on fixing the spill in the first place. But this incident does show just how difficult it is for some companies to keep control over their reputation online.

 

World events

In order to use social media effectively, it’s important that companies listen to other users and think before posting. There are many examples of companies using disasters to sell their products. This is clearly a sensitive issue.

 

For example, many would agree it is inappropriate for a life insurance company to promote its services in direct connection with some type of catastrophe, such as a plane crash or explosion.

 

Amazingly, though, this is what one life insurance company did shortly after the Malaysia Airlines Flight 17 disaster in eastern Ukraine in 2014.

 

When disasters occur it doesn’t take long for hashtags or related words to start trending on social media. Companies should carefully consider the impact of posting marketing material linked to disasters as it often attracts high levels of condemnation from social media users.

 

It’s often also picked up by the traditional media channels such as TV or the papers, and consequently has an even more damaging effect on the company’s image and reputation.

 

Operational risks

The operational risks of social media also threaten organizations. Far too often I see companies who are worried that their employees are going to be wasting time on social media when they should be working. Often this means that the company has a policy of blocking all social media sites.

 

But really, is there any point in doing this in this day and age? If you’re a fan of social media then the chances are that you’re going to have a smartphone to access all of your social media accounts.

 

If an employee can’t access Facebook or Twitter at work, they can easily circumvent the block by using an alternative personal device such as a smartphone or tablet. There are other regulatory and compliance issues to consider but we’ll cover them in the Regulatory compliance risks section of this blog.

 

So, let’s think about employee effectiveness and how social media impacts it. I would argue that employees can be motivated by being allowed to use social media for personal use, but what we’re ignoring is the business benefit.

 

If you do a quick online search for social media and business you see that there are many articles about how businesses are using social media to gain competitive advantage, recruit top people and even sell products and services. The main risk here is that if a business doesn’t embrace social media, it could lose its competitive advantage.

 

An additional risk relates to culture. The exact definition of ‘Generation Y’, or ‘millennials’, is contested, but generally speaking, it refers to those people who entered work between 2000 and 2010. These people are ‘digital natives’ – they have grown up with technology and expect their employers to have embraced it.

 

The reports highlight how millennials approach work and employment. Some millennials admit to breaking policy if it is going to help them complete a task more quickly or efficiently. 

 

For example, Dropbox is a cloud-based file sharing service that many organizations block because they are – quite rightly – concerned about what data might be exchanged on the platform. The reason for the concern is that the organization will have no control over what happens to that data once it is uploaded.

 

Yet, many millennials admit to using such systems, even though they know that they are breaking company policy, usually because the company offers no alternative. The solution is to offer a decent alternative that the organization can control.

 

Millennials are used to easy-to-use, always-on, connected services and devices. If you offer them no corporate or approved services to use, they will simply use others without your knowledge.

 

Furthermore, many millennials expect their employers to be as comfortable with digital technologies as they are themselves. Organizations are constantly fighting a battle to find and employ the best talent, and organizations can appeal more to the younger generation by showing that they are forward-thinking digitally-aware companies.

 

Moderation

Another operational risk of social media is the risk that social media is not sufficiently governed.

 

An example of this could be around moderation. In social media, moderation is the act of removing or censoring posts that appear on your various pages. With a lack of governance and oversight, moderation may be sporadic or could even have serious legal implications for a business.

 

For example, if you run a social media account and users post abusive or threatening messages on it, what should you do?

Most would agree that you should remove these posts, but by doing so you are setting a precedent that the post will be moderated.

 

It then becomes your responsibility to continually monitor the posts and determine what is appropriate and what is not. This poses a few risks because, first, it may require a considerable resource to monitor and moderate the pages.

 

Second, unless very clear guidance exists about what should be moderated, and in what way, the removal of posts may anger social media users who feel that their voice is being censored.

 

If you run an enterprise social network that is used to share knowledge, reports and other work-related documents, your organization will be responsible for the content within that network.

 

The risk of not monitoring or moderating the network is high because your users may use it to distribute documents to which they do not have copyright licenses, or worse, to distribute illegal materials.

 

Regulatory compliance risks

There are a number of regulatory and compliance risks that affect social media. The risks differ depending on where you are in the world; for example, there are a large number of regulatory bodies in the United States that have issued specific requirements and guidelines around social media.

 

In March 2015 the UK’s financial regulator, the Financial Conduct Authority (FCA), published guidance on how to maintain compliance when using social media.

 

Apart from that, however, at time of writing other UK regulators had very little in the way of requirements or guidance around social media specifically. Instead, UK advertising codes cover social media use in advertising.

 

A particular challenge that companies have experienced when implementing global enterprise social networks is data privacy and protection. Organizations need to be able to prove that they have appropriate controls in place to safeguard data. Much of the data privacy and protection legislation around the world conflicts.

 

For example, in the EU much of the legislation seeks to protect data and stop it being shared without the explicit permission of the owner. In the United States, on the other hand, eDiscovery laws dictate that all information is discoverable when needed for legal proceedings, meaning it can be accessed and held to support a legal case.

 

This often puts the laws head-to-head – on one side, EU data can’t leave the EU without permission; on the other side, US data needs to be discoverable.

 

Significant challenges arise when we think about a global system, hosted in, let’s say the United Kingdom, but accessed by employees in the United Kingdom, the United States, and Germany. What happens to the data? Which laws take precedence? 

 

The plot thickens on our data privacy journey when we start thinking about data retention and archiving laws. Companies are required to retain certain documents and files for set periods of time.

 

An example of this is the number of years that a company is required to keep its tax returns or accounts before they can, or should, be deleted.

 

If a company breaks these laws it risks heavy fines. Companies also need to keep archives of emails and other communications sent and received so that they can use them if required in a legal case.

 

Now, what about data held on enterprise social platforms or messages posted on external social networks? If email communications need to be retained then it’s a safe bet that social networking communications also need to be retained. 

 

Many countries have laws about advertising standards that aim to protect the consumer. It’s important to remember that these standards apply to all forms of marketing, and therefore include social media.

 

The regulations may state that advertisements and endorsements need to be clearly marked as such so that social media users understand that that’s what they are.

 

Because of this, many companies use the hashtag ‘#ad’ or ‘#endorsed’ to denote posts that are advertisements or endorsements. Another strategy for ensuring regulatory compliance is attaching an image containing terms and conditions to the original post.

 

Financial risks

Probably one of the most serious financial risks for larger companies is the negative effect social media can have on their share price. Yet, amazingly, many business executives just don’t understand this.

 

They understand that reputational issues or a bad article in the press or print media can impact their share price so I’m surprised that a disconnect to social media still exists.

 

After all, there’s a giveaway in the word ‘media’. There are lots of examples of companies who have suffered declines in their share price following an error.

 

In April 2009 Domino’s Pizza suffered a 10 percent drop in the value of their share price when a video showing two rogue employees committing public health law violations went viral on YouTube and disgusted viewers.

 

The lack of appropriate processes to identify a social media incident and then to respond in a timely manner can lead to investor confidence being lost due to the incident spreading across the globe virally through social media.

 

Social media can also impact the stock markets more broadly. In April 2013 a hacking group called the Syrian Electronic Army (SEA) hacked the Associated Press Twitter account and posted a tweet with the text ‘Breaking: Two Explosions in the White House and Barack Obama is injured’. This caused panic on Wall Street and led to an almost instant drop in the Dow Jones Industrial Average, wiping out $136 billion in value before recovering shortly afterward.

 

Remediation efforts are another big financial risk. In 2012 a UK-based bank suffered an IT outage that affected many of its customers. The remediation efforts to fix the problem and provide assurance that it wouldn’t happen again were likely sizeable. These risks exist in social media also.

 

If you suffer a social media incident – for example, if your main company account is hacked – you must act quickly to resolve the issue. You’ll likely have to pull a resource from other projects to provide focus on resolving the issues with your account.

 

This may, in turn, attract the attention of the regulator, who can impose fines or financial penalties on your organization.

 

Information security risks

Social media developed organically, meaning that certain security controls that you would expect in corporate systems nowadays weren’t implemented very effectively in the early days of social media. Social media has also changed the way that we communicate, which has led to changes in what we share about ourselves online.

 

Access controls

One of the problems with social networks is the challenge around account management. Twitter, for example, does not allow multiple people to log in to one account. So if you have an account for @MyCompany, you only have one username and password to access that account.

 

This means that if you have a team of people who are tweeting on your company’s behalf, they will either be sharing the username and password or using some kind of third-party management system.

 

The problem with sharing usernames and passwords is that it increases the risk of the credentials being intercepted by a hacker. For example, if the password for the account is changed you will need to communicate it to the group of people who need access to the account. Although not ideal, most people will send the details by email.

 

This increases the risk that a recipient may be included in error, or that one of the recipients could forward on the message (either intentionally or by mistake). When login credentials are shared via email there is also a risk that the email could be intercepted by software that hackers have installed on the computer network to eavesdrop on email traffic.

 

Or, if the login credentials are communicated over the phone, the person receiving the credentials may decide to write them down on a piece of paper and pin it to their screen.

 

The sharing of login credentials also means that it’s not possible to see who posted what to the Twitter page, as everyone is sharing the same username. Whichever way you look at it, sharing login credentials is risky.

 

The best way to solve this predicament is to implement a system to manage social media interactions. These systems are referred to as social risk and compliance tools. There are many vendors out there and each offers different features such as analytics, sentiment analysis, post scheduling etc.

 

Something that most have in common is that you connect your account to the management system, and each of the users who need access to that account gets their own login credentials to the management system.

 

This means that they log in to the management system and post updates through it rather than logging in directly to the social media account.

 

This helps reduce the risk of login credentials being stolen. It also means that there is a central management system that is used to create or disable users, for example when someone leaves the company.
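The brokered-access pattern described above, modelled as an added example that is not part of the original blog and not any vendor's code. The class `SocialAccountBroker`, its methods, the operator names and the token value are hypothetical, and the `published` list stands in for a real platform API.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class SocialAccountBroker:
    """Holds the single platform credential; each operator logs in as themselves."""

    def __init__(self, handle, platform_token):
        self.handle = handle
        self._platform_token = platform_token  # never handed to operators
        self._operators = {}
        self.audit_log = []
        self.published = []  # hypothetical stand-in for the platform API

    @staticmethod
    def _hash(password, salt):
        # Store a salted, slow hash rather than the operator's password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _audit(self, operator, action, allowed, detail=""):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "action": action,
            "allowed": allowed,
            "detail": detail,
        })

    def add_operator(self, name, password):
        salt = secrets.token_bytes(16)
        self._operators[name] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "active": True,
        }
        self._audit(name, "operator_added", True)

    def disable_operator(self, name):
        """Offboarding: revoke one person without touching the account password."""
        self._operators[name]["active"] = False
        self._audit(name, "operator_disabled", True)

    def _authenticate(self, name, password):
        record = self._operators.get(name)
        if record is None:
            return False
        candidate = self._hash(password, record["salt"])
        return hmac.compare_digest(record["hash"], candidate) and record["active"]

    def post(self, name, password, text):
        """Publish on the shared account only for an active, authenticated operator."""
        if not self._authenticate(name, password):
            self._audit(name, "post", False, text)
            return False
        # A real tool would call the platform here using self._platform_token.
        self.published.append({"account": self.handle, "text": text})
        self._audit(name, "post", True, text)
        return True

    def who_posted(self, text):
        """Attribute a published post to an individual, which shared logins cannot do."""
        for entry in self.audit_log:
            if entry["action"] == "post" and entry["allowed"] and entry["detail"] == text:
                return entry["operator"]
        return None


if __name__ == "__main__":
    # Constructed sample data.
    broker = SocialAccountBroker("@MyCompany", "constructed-platform-token")
    broker.add_operator("alice", "alice-passphrase")
    broker.add_operator("bob", "bob-passphrase")
    broker.post("alice", "alice-passphrase", "Office closed on Monday")
    broker.disable_operator("bob")  # bob leaves the company
    print(broker.post("bob", "bob-passphrase", "Parting words"))  # False
    print(broker.who_posted("Office closed on Monday"))           # alice
```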

 

While this sounds like the ideal solution for managing this risk, it means that you are putting your trust in the vendor to ensure that your account details and other information are secure. If the vendor does not follow good security practices it may be hacked, exposing all of your data or information.

 

Strategy Overview

Strategy is an important element to consider when it comes to thinking about governance and risk management.

 

Governance and risk management are redundant if they have no strategy to support. Likewise, a strategy without supporting governance and an understanding of any potential risks is likely to fail.

 

‘Social media’ is far broader than just how a company uses Twitter, Facebook or YouTube. In this blog, we look at some of the other ways that you might want to use social media as part of your overall social media programme.

 

Throughout the blog, the examples and ideas will be presented with governance in mind so that the concepts can be implemented and their benefits realized.

 

Whether you’re looking at social media inside or outside of your organization, you will need strategies to engage a wide range of stakeholders. These could include company employees, customers and other departments such as HR, IT, Risk and Compliance and so on.

 

Third parties

Knowing where your data is and how it is protected is vital to the longevity of a business. In an enterprise social network, your data may be hosted on data servers that are owned and controlled by the platform vendor.

 

This means that you are reliant on the vendor to ensure that the appropriate information security controls are in place and that the platform itself is resilient, meaning that it won’t be unavailable or offline. This risk can be a real headache for many businesses and requires a lot of thought.

 

The process of acquiring an enterprise social network can be long and drawn out. It can involve a long contracting period, security, risk and privacy assessments, external assurance on the vendor’s platform and sometimes even security testing, or ‘penetration testing’, to ensure that the platform sufficiently protects its users’ data.

 

This point is also valid for traditional social media as well as cloud-based services in general. By storing your data in the cloud or on a vendor’s servers you are relying on that vendor to keep your data secure.

 

If you use a social risk and compliance tool you are entering a trust relationship with the vendor as they have access to your accounts and some of your data. You should seek assurances that security issues are addressed and that data is being handled appropriately.

 

In the eyes of a regulator, this is the company’s responsibility, not the vendor’s, and it is the company that is ultimately responsible should a data breach occur.

 

Regulatory compliance risk rears its head here too. You risk litigation if you do not have the appropriate controls in place to stop information being shared incorrectly cross-territory.

 

For example, you may need to adhere to laws in the EU which dictate where HR data can be accessed from, or in the United States you may be required to provide data to adhere to a data request from a court, but you need to be careful not to break the EU laws at the same time.

 

Summary

In this blog, we covered strategy in the context of governance and risk management. We covered how to define the purpose of your social media programme and tactics that you can use to achieve your goals.

 

We also looked at ways of engaging people inside and outside your organization, as well as how to motivate them and encourage them to help you meet your own goals.

 

You learned that governance is about how your strategy operates and how being risk-aware while designing a strategy allows you to focus on what you want to achieve and, in turn, what governance you might need to implement in order to support it.

 

In the subsequent blogs, we will delve deeper into the risks which you may face while running your social media programme and we’ll look at what controls and governance can be implemented to manage those risks. 

 

Any social media programme will involve handling personal data. The next blog will give an overview of the risks of handling personal data and outline some of the controls you can implement to ensure that it is safeguarded.

 

Social risk and compliance tools

There is a significant information security risk related to the sharing of login credentials for traditional social media networks. If you’re creating an account on Twitter, for example, you may have 10 people in your communications and marketing teams who all need access to the account in order to make posts on your company’s behalf.

 

Unfortunately, without a tool to manage the accounts, the users will need to share the login credentials with each other. This raises a number of issues:

 

It increases the risk that the credentials could be intercepted by a malicious attacker if they are sent over email. For example, a user may receive a phishing email containing a bogus link.

 

The user clicks the link and enters their login details. At this point, the attacker would have captured the password and could then change the password for the social media account, meaning that nobody can log in until they have regained access to the account (which could take some time).

 

If an employee who has access to the account leaves the company, you will need to have a process in place to change the login credentials. Again, the credentials will need to be communicated to the whole team.

 

If the account credentials are changed too regularly users are more likely to start writing the credentials down, such as on a note attached to their computer screen. This obviously increases the risk that someone may spot the credentials and use them for malicious intent.

 

In the example above, one method of allowing multiple people to use the same account would be to implement a social risk and compliance tool, or a social media management system.

 

These tools allow users to log into them with their own username and password and, once authenticated, to post content to the company social media account through the tool itself.

 

This means that only the administrator of the tool would need the login credentials for the corporate social media account. The password would be configured in the tool, so there would be no need for users to log into the corporate social media account directly.

 

There are other advantages too – many of these tools can be configured with rules around what can be posted. For example, you may decide to include a dictionary of certain words within the tool and set rules around them as to what the tool should allow and what it should stop.

 

It’s possible to configure these tools to allow certain words, to block others, or to push certain posts through an approval process before being posted. This is clearly an attractive approach for those worried about the risks of social media.

 

However, forcing all posts through an approval process can have a detrimental impact on the effectiveness of the posts, since social media is inherently a fast-moving environment.

 

Figure  shows the difference between how employees access a social media account directly and how they would access it once a social risk and compliance tool has been implemented. It illustrates that a social risk and compliance tool is an extra level of protection between your users and your social media account.

 

Another feature commonly included in social risk and compliance tools is archiving. Because all social media interactions take place through a social risk and compliance tool it means that it can easily capture and archive what was posted, to whom and when. By using such a tool you may be able to satisfy your data archiving requirements more easily.
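To make the controls described above concrete, here is a small sketch of such a tool, added for this blog as an illustration and not taken from any vendor's product. It models individual logins that can be disabled centrally, a word dictionary that blocks posts or routes them for approval, and an archive of every attempt. The class name, the word lists and the rule that authors cannot approve their own posts are assumptions, and the call that would actually publish to the social network is left out.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed word dictionary: "block" is checked before "approve".
RULES = {"block": {"confidential", "password"}, "approve": {"guarantee", "refund"}}

@dataclass
class Gateway:
    users: dict = field(default_factory=dict)    # username -> enabled flag
    archive: list = field(default_factory=list)  # every attempt: who, what, when, outcome
    pending: list = field(default_factory=list)  # posts waiting for an approver

    def add_user(self, name):
        self.users[name] = True

    def disable_user(self, name):
        # Leaver process: one central switch, no shared password to rotate.
        self.users[name] = False

    def _record(self, user, text, decision):
        self.archive.append({"user": user, "text": text, "decision": decision,
                             "at": datetime.now(timezone.utc).isoformat()})
        return decision

    def submit(self, user, text):
        if not self.users.get(user, False):      # unknown or disabled account
            return self._record(user, text, "denied")
        words = set(re.findall(r"[a-z']+", text.lower()))
        if words & RULES["block"]:
            return self._record(user, text, "blocked")
        if words & RULES["approve"]:
            self.pending.append((user, text))
            return self._record(user, text, "pending_approval")
        return self._record(user, text, "published")

    def approve(self, approver, index=0):
        if not self.users.get(approver, False):
            return self._record(approver, "", "denied")
        if index >= len(self.pending):
            return "nothing_pending"
        author, text = self.pending[index]
        if approver == author:                   # assumed four-eyes rule
            return self._record(approver, text, "self_approval_refused")
        self.pending.pop(index)
        return self._record(approver, text, "published")

if __name__ == "__main__":
    g = Gateway(); g.add_user("alice")
    print(g.submit("alice", "We guarantee next-day delivery"))
```

Only posts containing a dictionary word are held for approval, so routine posts still go out immediately, and denied and blocked attempts are archived alongside published ones.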
