Social media doesn’t really count does it? It’s just lots of D-rate celebs trying to get attention. People with nothing better to do sharing pictures of their lunch. Oh, and a certain global leader. It never has any real effect on anything, especially business.
If only that were true. In fact, social media is one of the big “digital risks” that businesses should (but often don’t) manage carefully.
What can go wrong?
Social media can cause damage across organisations. The most obvious risk is reputational damage caused by badly managed social media marketing or a poor customer that becomes exposed on social media.
Linked to that is regulatory and compliance risk. Employees who post endorsements of products they are responsible for (known as astroturfing) may find that they have broken Fair Trading rules. Junior marketers who post images or claims on social media may unknowingly break Advertising Standards Authority guidelines. Marketers in regulated industries can easily fail to comply with required communications standards. Finance executives or directors who deliver hints about company performance via Twitter can offend against financial disclosure rules.
Then there are HR risks around online bullying in offices where one employee posts disparaging “jokes” about another colleague on Facebook. Or perhaps where a senior employee makes inappropriate posts (again, often a “joke”) that leave their employer with no choice other than to fire them.
Perhaps, though, information leaks are the most important risks to manage. And these risks are extensive.
“Loose tweets sink fleets”. That’s the US military’s social media campaign launched to warn military personnel and their families about inadvertently giving secret information away on social media. But it’s not just the military. Corporate secrets can be uncovered by people monitoring social media. Here are a few examples:
• Asking for advice about new software/hardware could make it easier for hackers
• Giving away office hierarchies and close colleagues can help social engineers gain the confidence of their victims
• Publishing travel plans of senior executives can give hints about strategic plans
• Personal information published on social media (pets’ names, football clubs, birthdays …) can help hackers guess passwords
• Weak passwords on social media accounts can enable hackers to take over accounts and impersonate someone, say the PA of a senior executive.
Why do these things happen?
Why are there so many risks associated with social media? One problem is that it simply isn’t taken seriously. People think that anything you post is ephemeral (it isn’t) and doesn’t count legally (it does).
This attitude has been reflected in research that indicates only 18 per cent of employees realise that social media posts can be the cause of corporate information leaks. The vast majority of employees can’t see the problem.
Another problem is that it is “social”. And people being social are not always at their most aware. Showing off to friends, too much alcohol or simply being in a place with people you trust completely can all play a part.
What can you do about it?
It is always going to be difficult to protect an organisation against cyber risks that originate with employees. That’s just as true of social media risks.
But there are some protections you can put in place.
The first thing is to define acceptable behaviour. This needs to be detailed and for instance cover off whether you allow people to mention your company or its clients or to say they are employees of your organisation on social media (you may choose to limit this to professional networks such as LinkedIn). You will also need a section defining the rights and responsibilities of people who officially post on your behalf.
Once you have agreed on and codified acceptable behaviour, you need to circulate the rules to your staff, and to ensure they understand them. This means giving people face-to-face instruction and giving them the chance to ask you questions. You also need to explain the potential penalties for non-compliance.
There are two things to remember when writing your policy document. It doesn’t require a change in employee contracts as it is simply a management instruction that they must follow. And it should be designed to change people’s behaviour rather than cover off all eventualities, so it should be short and written in simple language. (If it’s longer than one page scrap it and start again.)
You need to make sure, as you should do with all desirable behaviour around cyber security, that people are kept aware of the guidelines they should be following and, perhaps more importantly, that they are motivated to follow them.
Finally, you need to monitor what people are doing on social media. This definitely does not mean spying on them, at home or at work. (It’s generally a bad idea for senior managers to be “friends” with juniors on social media.) But it does mean keeping an eye open for problems. This could be encouraging people to report issues to you privately. Or it could involve monitoring social media for mentions of your company, senior executives or clients.
There are no simple answers to the problems of social media risk. But if you are aware of what can go wrong and put simple steps in place to guard against dangers then it is unlikely that you will face significant damage. And after all social media can be a hugely beneficial channel for most organisations. It just needs to be used wisely.
Jeremy Swinfen Green is a consultant specialising in employee cyber-risks and a director of Mosoco Ltd. He is the author of The Weakest Link (Bloomsbury, 2016). This article was originally published in the IISP’s (now the Chartered Institute of Information Security, ciisec.org) Pulse magazine.