26 2011

Viewpoint: Risky Business

Syndicated from: Randall Craig

Picture this scenario: An employee gets charged with a serious offense and the company’s name gets mentioned repeatedly in the news reports. The reporters found the connection to your organization by scanning through Social Media.

Or this scenario: A subcontractor tweets (or posts pictures) celebrating the conclusion of a major, confidential project. This alerts competitors, customers, and suppliers, resulting in millions of dollars of lost sales.

Or this one: Someone looks at your Facebook (or LinkedIn) profile, peruses your “friends” to determine your mother’s maiden name, then grabs your birth date and other freely available personal details. Then they call your bank and gain access to your account by “verifying” your identity.

We (or rather “people”) rarely think about Social Media risks, let alone how to protect against them. As individuals it is caveat surfer, but at an organizational level, the responsibility for protecting corporate assets, including customer information, trade secrets, and ultimately the brand, falls to IT security professionals. They sometimes even have the job of protecting us from ourselves.

Sadly, they are inadequately equipped to do this job, for many reasons:

- IT departments are stretched, and often don’t have the resources to stay ahead of every possible new security threat.
- More technology comes through the door each day via smartphone, and these devices are completely beyond the control of the IT department.
- Many managers assume that 100% of the responsibility for information security sits with IT staff, particularly in the area of employee productivity. (Technology can help, but productivity is a management issue; risk reduction is really the responsibility of everyone.)
- Innovation in Social Media is happening so quickly that many (both marketers and IT) have outdated assumptions about what appropriate Social Media usage looks like. Poor assumptions cause poor decision-making.
- Many organizations don’t even have a comprehensive Social Media policy. With no standards, everyone makes their own rules about what is right and what is wrong. It is impossible to police, let alone protect.
- Rarely are staff trained in how to use Social Media, and particularly, how to use it responsibly so both the organization – and themselves – are protected.

Clearly, for an organization to manage Social Media risk effectively it needs to delegate information security responsibility well beyond the IT group. Yet this is a challenge when many managers cannot even identify more than a small handful of potential problem areas. (Test yourself: without reading onward, how many can you name?)

Here is a basic Social Media risk list; note that some are marketing risks, some are HR risks, some are technology risks, etc.:

- Identity theft
- Mistaken identity
- Brand hijacking
- Bandwidth contention
- Social Media venue consolidation / data loss
- Privacy / confidentiality breaches
- Legal and regulatory breaches
- Intellectual Property theft
- Productivity loss
- Human rights violations
- Libel / slander
- Contest fraud
- Trojans and malicious code
- Unwanted publicity
- Inappropriate recruiting practices
- Social engineering

With such a broad range, how might one embed a Social Media security mindset within an organization? Consider the following five-step process:

1. Executive Briefing: Senior management must be educated on Social Media strategy, with risk management embedded in that context. It is no longer acceptable to propose a strategy without acknowledging – and protecting against – the risks. Senior managers ask great questions; an executive briefing gives them the data points to do so.
2. Develop a Social Media policy to reduce risk. Going through the discussions and knowledge transfer that occur as the policy is being formulated is far more powerful than merely adopting a generic off-the-shelf policy.
3. Develop a Social Media strategy: Usually done concurrently with the policy work, the strategy binds the organization’s goals to specific activities at an individual or departmental level.
4. Communication and Training: This is the mechanism to connect the policy to the people. It’s not possible to manage (or measure) without first letting people know what’s expected of them, or how to actually use the tools.
5. Monitoring: Monitoring fulfills the dual objectives of evaluating the effectiveness of strategy, while at the same time surfacing risks.

This week’s action plan: Where are you in this process as an organization? This week, assess where you are and commit to doing one thing to reduce your organization’s Social Media risk level. And while you’re at it, check your own Social Media profiles and remove any information that might be used by a fraudster to impersonate you at the bank.

Note: The Make It Happen Tipsheet is also available by email. Go to to register.

Randall Craig
