Managing Social Media Risks

At one time, some organizations addressed social media risks by prohibiting its employees from participating on social media websites when at work. However, most organization now realize how social media can boost their marketing and advertising strategies and they are embracing that media as part of their business strategy. However, when doing so, organizations would benefit greatly from properly understanding and managing the risks of social media.

The  thought paper, “Social Media Uncovered:  Mitigating Risks in an Era of Social Networking”, by Crowe Horwath, classifies social media risks under three main categories:  reputational risks, legal and employment risks, and information security risks.

Organizations need to understand and mitigate reputational risks that come from the following sources:

1. The public. The public may interact among one another or provide feedback or comments that can negatively impact the organization’s brand and image.
2. Employees. Employees can disseminate proprietary information that harms the reputation of the organizations.
3. Organizations. Each organization should manage its social media presence to avoid public relations disasters.

Regulators are evaluating issues related to social media. Organizations need to be aware of legal and employment risks that could arise from:

1. Candidate screening. Using social media to screen job candidates may expose employers to information that could be used in discrimination litigation cases against the employer. Social media sites may have information on the candidate’s race, religion, gender, or age.
2. Decreased employee productivity. Organizations may decide to block social media sites based on research that employees’ productivity decreases when they use social media during work hours. However, some employees need social media for their jobs and others also have access to the sites on their mobile devices.
3. Termination decisions. An employer needs to carefully evaluate making a termination based on information derived from social media sites. This information may be false or may be protected by privacy rights.
4. A hostile workplace. When employees connect with one another on social media, this can create hostile work relationships especially when some of the employees get offended by information they find on their colleagues profiles.

The last grouping of risks, information security risks, can originate from:

1. Over-sharing by employees. A number of social media users post information or tweet about their work. Therefore, organizations become exposed to losing confidential information. Additional leakages can come from “contractors, vendors, partners, and affiliates.
2. Social engineering attacks. Identity validation questions used to authenticate the organizations’ Web applications are often based on personal information of the users that they tend to also use on their personal social network pages. An attack on an employee’s social media account may provide attackers with information to breach an organization’s security.
3. Viruses and other malware. Hackers and attackers are attracted social network sites and they attempt to take advantages of weaknesses in those sites to attack trusting social media users.

The thought paper outlines six steps that an organization can follow to develop an effective social media risk management strategy.

1. Engage a multidisciplinary team. Social media risks can affect more areas than a company’s IT department. Therefore, the company needs to bring together a team comprising of senior members from various departments to mitigate the risks.
2. Document intended social media use. Each department in the organizations should articulate its intended use of social media and make sure these uses align with the company’s objectives.
3. Perform a risk assessment. The company should do a risk assessment of inherent risks to pinpoint the likelihood and potential impact of the risks. After that, the company should consider the controls necessary to mitigate the risks.
4. Expand current policy to encompass social media and implement safeguards. The company’s current policy should be evaluated to include safeguards against social media risks. The policies should address areas such as employee use of social media at work, social media use during employee hiring or termination, and vendor management policies.
5. Employees should be properly and regularly informed and trained on the company’s social media policy. The company should highlight acceptable and unacceptable social media uses.
6. Monitor social media channels. The company’s social media mitigation strategy would be incomplete without the company actively monitoring potential social media activities that may expose it to risks. The organization can keep track of social media issues related to it using social customer relationship management (CRM) tools.

Original Article Source: “Social Media Uncovered:  Mitigating Risks in an Era of Social Networking”, Crowe LLP, July 2011