Managing the business impact of social networking Managing and leveraging the business impact of social networking sites Presented by: Micheal Axelsen Director Applied Insight Pty Ltd

INTRODUCTION

About this presentation Objectives This seminar identifies and discusses social networking websites and how businesses should respond to this business challenge. Agenda Social networking overview What can go wrong for individuals? What can go wrong for businesses? Protecting personal privacy How should the business respond? What powers do you have? Developing policies and procedures Leverage business opportunities through OSN Conclusion

Objectives

This seminar identifies and discusses social networking websites and how businesses should respond to this business challenge.

Agenda

Social networking overview

What can go wrong for individuals?

What can go wrong for businesses?

Protecting personal privacy

How should the business respond?

What powers do you have?

Developing policies and procedures

Leverage business opportunities through OSN

Conclusion

Meeting the challenges of IT Information Technology & Management Centre of Excellence Forthcoming: Social networking policies & procedures Online social networking etiquette

Your expectations Housekeeping Exits, breaks, etc Expectations Audience demographics What are your expectations from this session? Strawpoll: Who uses social networking websites? MySpace, FaceBook, Friendster, MyYahoo, Twitter, Flickr, Photobucket, SchoolFriends, Blogger, LiveJournal, Tumblr, Microsoft Live... Blogs/Vlogs? Others? Strawpoll: Who didn’t know about these websites? Strawpoll: Anybody here ‘Vlog Naked’? (sorry, just wondering)

Housekeeping

Exits, breaks, etc

Expectations

Audience demographics

What are your expectations from this session?

Strawpoll: Who uses social networking websites?

MySpace, FaceBook, Friendster, MyYahoo, Twitter, Flickr, Photobucket, SchoolFriends, Blogger, LiveJournal, Tumblr, Microsoft Live...

Blogs/Vlogs? Others?

Strawpoll: Who didn’t know about these websites?

Strawpoll: Anybody here ‘Vlog Naked’?

(sorry, just wondering)

SOCIAL NETWORKING OVERVIEW

What is social networking? Definition Online social networking sites are web-based services that allow individuals to construct a public (or semi-public) profile within a bounded system, identify other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system. They are simply websites that allow you to maintain relationships with friends online, sharing and talking about common interests Some social networking websites are internal (private) and some are external (public)

Definition

Online social networking sites are web-based services that allow individuals to construct a public (or semi-public) profile within a bounded system, identify other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system.

They are simply websites that allow you to maintain relationships with friends online, sharing and talking about common interests

Some social networking websites are internal (private) and some are external (public)

Popular online social networking sites Websites Facebook and MySpace are the most well-known examples. Blogs such as wordpress.com and livejournal.com YouTube, Flickr, PhotoBucket, Yahoo, Twitter The CPA Congress 2008 website at cpacongress.ning.com is an example of a private social network.

Websites

Facebook and MySpace are the most well-known examples.

Blogs such as wordpress.com and livejournal.com

YouTube, Flickr, PhotoBucket, Yahoo, Twitter

The CPA Congress 2008 website at cpacongress.ning.com is an example of a private social network.

What can go wrong for individuals?

Some “funny” examples From: Nugent, Katrina Sent: Thursday, 1 September 2005 10:21 AM To: Bird, Melinda Subject: RE: Let's not get person "Miss Can't Keep A Boyfriend". I am in a happy relationship, have a beautiful apartment, brand new car, high pay job...say no more!!

Some “funny” examples Censored Ex-boyfriend site

Some “less funny” examples MOSSSSSSSSYYYYYYYYYY!!!!!!!! I'm gonna knock you out one of these days if you keep putting up stuiped photos when I'm drunk - ban you from tasking a fricken camera anywhere!!!!!!!!!!!!

Some “less funny” examples

Other examples Exercise: Audience member examples? Exercise: Reasons for participating in online social networking?

Exercise: Audience member examples?

Exercise: Reasons for participating in online social networking?

What can go wrong for business?

What can happen?

What can happen? Alritey. The names Ryan workin at #### #### At the moment to get the money to go out and enjoy my much appreciated young life. As far as i know i enjoy life to the max, i love to get wrecked, mwi and be around mates and loud music. No better way to spend a weekend than gettin out my #### in one way or another and be surrounded by loud music and knowing that i have a stunning girlfriend when i go home.

Business risks of social networking Productivity losses Addictive and time-consuming Over-use during work time is a genuine issue Can actually increase the productivity and effectiveness for some roles Legal risks Generally employers can monitor their employees’ web use and email, but notice is needed. Can result in legal liability Potential for legal liability due to customer actions Reputation risk A risk to the business’s reputation Many examples of gaffes & negative comments Difficult to remove these comments

Productivity losses

Addictive and time-consuming

Over-use during work time is a genuine issue

Can actually increase the productivity and effectiveness for some roles

Legal risks

Generally employers can monitor their employees’ web use and email, but notice is needed. Can result in legal liability

Potential for legal liability due to customer actions

Reputation risk

A risk to the business’s reputation

Many examples of gaffes & negative comments

Difficult to remove these comments

Business risks of social networking Viruses and spyware Frequently a platform for malicious attacks using viruses and spyware Privacy breaches and identity theft Can promote identity theft, even where ‘private’ Third party applications usually get access to data Social engineering Use online information to commit targeted acts of fraud Could profess to be the assistant to a high-level staff member, and know enough ‘internal’ information to convince a staff member to provide cheques or goods Convincing identity cards/business cards used to gain access to the business or its customers Grandparent fraud

Viruses and spyware

Frequently a platform for malicious attacks using viruses and spyware

Privacy breaches and identity theft

Can promote identity theft, even where ‘private’

Third party applications usually get access to data

Social engineering

Use online information to commit targeted acts of fraud

Could profess to be the assistant to a high-level staff member, and know enough ‘internal’ information to convince a staff member to provide cheques or goods

Convincing identity cards/business cards used to gain access to the business or its customers

Grandparent fraud

Business risks of social networking Inadvertent release of information Windows into the lives of users Unintentional release LinkedIn shows your network your recent connections – who are probably prospective clients Using an online wiki to collaborate with a client (or even to track tasks and manage projects) may result in the release of confidential client information

Inadvertent release of information

Windows into the lives of users

Unintentional release

LinkedIn shows your network your recent connections – who are probably prospective clients

Using an online wiki to collaborate with a client (or even to track tasks and manage projects) may result in the release of confidential client information

Other examples Exercise: Audience member examples of potential business impact? Exercise: What role do CPA’s play here?

Exercise: Audience member examples of potential business impact?

Exercise: What role do CPA’s play here?

Protecting personal privacy

How to keep an online world sane Simple things Common sense! Don’t post in your real name – set up three email addresses: Personal, anonymous email address that forwards to your main email (for blogging comments & mail lists) – but expect that this is not fail-safe Personal (for all your personal email) Work (for work email – no personal email!) Only post online what you’d be happy for Mum (or a potential recruiter/client) to see

Simple things

Common sense!

Don’t post in your real name – set up three email addresses:

Personal, anonymous email address that forwards to your main email (for blogging comments & mail lists) – but expect that this is not fail-safe

Personal (for all your personal email)

Work (for work email – no personal email!)

Only post online what you’d be happy for Mum (or a potential recruiter/client) to see

How to keep an online world sane Simple things Wall posts are wall posts on someone else’s wall, and a tweet is forever Get permission before you post a photo of someone online Only ‘friend’ friends! Be coy about your age Never post photos of official identification documents... Just so you know Be responsible when writing messages on other people’s sites.

Simple things

Wall posts are wall posts on someone else’s wall, and a tweet is forever

Get permission before you post a photo of someone online

Only ‘friend’ friends!

Be coy about your age

Never post photos of official identification documents... Just so you know

Be responsible when writing messages on other people’s sites.

How to keep an online world sane For the more paranoid If you have a social networking website (e.g. MySpace, Facebook), use the privacy options – so many people don’t Limit the sites you participate in – perhaps FaceBook for friends, LinkedIn for work colleagues? Do not accept a flung zombie, which Hero are you?, Blackjack or other application on Facebook Set up Google Alerts to monitor your name and email address

For the more paranoid

If you have a social networking website (e.g. MySpace, Facebook), use the privacy options – so many people don’t

Limit the sites you participate in – perhaps FaceBook for friends, LinkedIn for work colleagues?

Do not accept a flung zombie, which Hero are you?, Blackjack or other application on Facebook

Set up Google Alerts to monitor your name and email address

Privacy settings Privacy settings Facebook MySpace YouTube LinkedIn Flickr Twitter Traps for young players Your network is still visible; until recently, employer search showed up even with privacy MySpace – owned by News corporation YouTube – lose control over ‘derivative works’ Flickr – creative commons licence Twitter – stability?

Privacy settings

Facebook

MySpace

YouTube

LinkedIn

Flickr

Twitter

Traps for young players

Your network is still visible; until recently, employer search showed up even with privacy

MySpace – owned by News corporation

YouTube – lose control over ‘derivative works’

Flickr – creative commons licence

Twitter – stability?

Google Alerts www.google.com/alerts

How should the business respond?

Dealing with it Strawpoll: who knows whether their business searches for these discussions? Good talk is good, right? The only good way to respond is to give good service and hope that people blog about it At least show an interest and respond to address a grievance, and be transparent about it Professional monitoring services Reputation Hawk Reputation Defender Cymfony There are many others of course

Strawpoll: who knows whether their business searches for these discussions?

Good talk is good, right?

The only good way to respond is to give good service and hope that people blog about it

At least show an interest and respond to address a grievance, and be transparent about it

Professional monitoring services

Reputation Hawk

Reputation Defender

Cymfony

There are many others of course

Dealing with it Simple (and cheap) Google Alerts/Yahoo Alerts/MonitorThis Customer representatives join online, private, forums and lurk there while watching for issues Set clear expectations as to what staff can do with your brand name on the internet Etiquette Ensure that potential recruits know if you are researching them online Avoid a search engine optimisation solution to ‘drown’ a negative comment Never lie and pretend to be a customer – you will be found out eventually, and the price will be high!

Simple (and cheap)

Google Alerts/Yahoo Alerts/MonitorThis

Customer representatives join online, private, forums and lurk there while watching for issues

Set clear expectations as to what staff can do with your brand name on the internet

Etiquette

Ensure that potential recruits know if you are researching them online

Avoid a search engine optimisation solution to ‘drown’ a negative comment

Never lie and pretend to be a customer – you will be found out eventually, and the price will be high!

Dealing with it Responding to online comments Demonstrate an interest and respond online to address a grievance, and be transparent about it Don’t post a hot and angry response Don’t exercise legal muscle unless you really have to Respond with transparency and honesty, but take up discussions off-line at a senior level, after research! Engage with the author of the post is most effective Encourage discussions to flourish by providing and promoting the use of online forums. Invite genuine customers to respond in a forum

Responding to online comments

Demonstrate an interest and respond online to address a grievance, and be transparent about it

Don’t post a hot and angry response

Don’t exercise legal muscle unless you really have to

Respond with transparency and honesty, but take up discussions off-line at a senior level, after research!

Engage with the author of the post is most effective

Encourage discussions to flourish by providing and promoting the use of online forums.

Invite genuine customers to respond in a forum

Know your digital footprint

What powers do you have? Disclaimer: the following is not legal advice and merely attempts to present an overview of the law from the layman’s perspective

Employees - what can you do? Employer controls over private life Can the employer control what you do in your off hours? Professional/Staff employee vs a ‘standard’ employee three core duties of an employee to their employer that may affect your online social networking activities: to work with care and diligence to obey all lawful and reasonable orders to act with good faith and fidelity An employee can be dismissed if these duties are breached by actions in their private lives

Employer controls over private life

Can the employer control what you do in your off hours?

Professional/Staff employee vs a ‘standard’ employee

three core duties of an employee to their employer that may affect your online social networking activities:

to work with care and diligence

to obey all lawful and reasonable orders

to act with good faith and fidelity

An employee can be dismissed if these duties are breached by actions in their private lives

Employees - what can you do? Due care and diligence Fairly clearly, in work hours we need to work for our employers. ‘ Cyber-slacking’ in work hours Using social networking tools inappropriately in work hours and at home Obey lawful and reasonable orders An act in your private life would need to demonstrate an intention to ‘no longer be bound’ by the contract Acts in private life may prevent you from carrying out your duties – higher standards for professional/staff employees (for example, a police officer or teacher)

Due care and diligence

Fairly clearly, in work hours we need to work for our employers.

‘ Cyber-slacking’ in work hours

Using social networking tools inappropriately in work hours and at home

Obey lawful and reasonable orders

An act in your private life would need to demonstrate an intention to ‘no longer be bound’ by the contract

Acts in private life may prevent you from carrying out your duties – higher standards for professional/staff employees (for example, a police officer or teacher)

Employees - what can you do? Good faith and diligence Courts reluctant to intrude on private life Cannot act in conflict with your employer’s interests (e.g. commence a competing business) Must not disclose private information Entitled to ‘blow the whistle’ in the public interest Acts in private can be governed by the employer if there is a relevant link to the employer (e.g. uniform) and depending on the employee’s role (senior, client-facing would face a higher standard) Should not ‘tarnish the employer’s image’

Good faith and diligence

Courts reluctant to intrude on private life

Cannot act in conflict with your employer’s interests (e.g. commence a competing business)

Must not disclose private information

Entitled to ‘blow the whistle’ in the public interest

Acts in private can be governed by the employer if there is a relevant link to the employer (e.g. uniform) and depending on the employee’s role (senior, client-facing would face a higher standard)

Should not ‘tarnish the employer’s image’

Employees - what can you do? Codes of conduct Set out expectations clearly Ensure consent is given for contractual terms – that the employee has accepted these terms Legally enforceable? This will depend – see speculation that a mining company employer could prevent its employee joining a group that is protesting the mining company’s actions. Process for managing the issue once it is discovered?

Codes of conduct

Set out expectations clearly

Ensure consent is given for contractual terms – that the employee has accepted these terms

Legally enforceable? This will depend – see speculation that a mining company employer could prevent its employee joining a group that is protesting the mining company’s actions.

Process for managing the issue once it is discovered?

Former employees - what can you do? Former employees Very limited control - doctrine of restraint of trade May only legitimately use a post-employment restraint to protect trade secrets or established customer connections Can draw upon what you learn at a job, but not allowed to take physical (or electronic) documents Duty of Confidentiality exists even for former employees to keep ‘secret’ information confidential (of a high standard of confidentiality). Difficult to rely on this though

Former employees

Very limited control - doctrine of restraint of trade

May only legitimately use a post-employment restraint to protect trade secrets or established customer connections

Can draw upon what you learn at a job, but not allowed to take physical (or electronic) documents

Duty of Confidentiality exists even for former employees to keep ‘secret’ information confidential (of a high standard of confidentiality).

Difficult to rely on this though

Former employees - what can you do? Can have express confidentiality provisions in the contract of employment Can prohibit the disclosure of information to competitors or third parties Much easier to identify and enforce with an express provision. Without it, it is difficult for a business to have recourse against former employees should information be disclosed on social networking websites. The actions available to a business are otherwise generally limited to the same actions available should a comment be made by a current customer (for example, defamation).

Can have express confidentiality provisions in the contract of employment

Can prohibit the disclosure of information to competitors or third parties

Much easier to identify and enforce with an express provision. Without it, it is difficult for a business to have recourse against former employees should information be disclosed on social networking websites.

The actions available to a business are otherwise generally limited to the same actions available should a comment be made by a current customer (for example, defamation).

Third parties - what can you do? Defamation Law was reformed in 2005 Corporations (other than non-for-profit organisations or small businesses) cannot sue for defamation Defence of "truth" rather than “truth and public benefit" One year to bring an action rather than six abolishing the awarding of exemplary and punitive damages in civil defamation proceedings; and Juries now determine whether a person has been defamed; Judges now award damages

Defamation

Law was reformed in 2005

Corporations (other than non-for-profit organisations or small businesses) cannot sue for defamation

Defence of "truth" rather than “truth and public benefit"

One year to bring an action rather than six

abolishing the awarding of exemplary and punitive damages in civil defamation proceedings; and

Juries now determine whether a person has been defamed; Judges now award damages

Third parties - what can you do? See Gutnick v Dow Jones 2002 Gutnick contended that an article in the online Dow Jones newsletter defamed him Only five physical copies ever sent to Australia Location of defamation held to be Australia, even though it was published and uploaded in New Jersey No matter what happens, legal action is going to be commercially expensive and would likely be associated with reputation risk

See Gutnick v Dow Jones 2002

Gutnick contended that an article in the online Dow Jones newsletter defamed him

Only five physical copies ever sent to Australia

Location of defamation held to be Australia, even though it was published and uploaded in New Jersey

No matter what happens, legal action is going to be commercially expensive and would likely be associated with reputation risk

Develop policies & procedures

AS/NZS 4360:2004 Risk Management

Tailoring your response

Elements of policy & procedure Standard Title Purpose Revision History Effective Date Persons affected Definitions Responsibilities Change to suit risk appetite Policy Procedures

Standard

Title

Purpose

Revision History

Effective Date

Persons affected

Definitions

Responsibilities

Change to suit risk appetite

Policy

Procedures

Draft Policy – Very Low For a very low risk appetite In recognition of the very high impact that online social networking activities have upon the business activities of XYZ Pty Ltd, XYZ Pty Ltd implements very strict restrictions on the use of online social networking activities by employees using XYZ Pty Ltd equipment, and/or making reference to the business of XYZ Pty Ltd. XYZ Pty Ltd emphasises procedural controls, regular and intense monitoring to online social networking activities referring to the business of XYZ Pty Ltd, and provides explicit guidelines to follow in responding to such activities.

For a very low risk appetite

In recognition of the very high impact that online social networking activities have upon the business activities of XYZ Pty Ltd, XYZ Pty Ltd implements very strict restrictions on the use of online social networking activities by employees using XYZ Pty Ltd equipment, and/or making reference to the business of XYZ Pty Ltd.

XYZ Pty Ltd emphasises procedural controls, regular and intense monitoring to online social networking activities referring to the business of XYZ Pty Ltd, and provides explicit guidelines to follow in responding to such activities.

Draft Policy – Very High For a very high risk appetite As online social networking activities have minimal impact upon the business activities of XYZ Pty Ltd, XYZ Pty Ltd provides some guidance in the use of online social networking activities by employees. Responses to online social networking activities that refer to the business of XYZ Pty Ltd are made on a case by case basis as XYZ Pty Ltd becomes aware of them.

For a very high risk appetite

As online social networking activities have minimal impact upon the business activities of XYZ Pty Ltd, XYZ Pty Ltd provides some guidance in the use of online social networking activities by employees.

Responses to online social networking activities that refer to the business of XYZ Pty Ltd are made on a case by case basis as XYZ Pty Ltd becomes aware of them.

Tailoring your procedures Tailored procedures Refer to appendices for a process to tailor your response in line with the business’s risk appetite Workshop exercise Are there other possible actions a business could include in the procedure? Identify pros and cons for each suggested action

Tailored procedures

Refer to appendices for a process to tailor your response in line with the business’s risk appetite

Workshop exercise

Are there other possible actions a business could include in the procedure?

Identify pros and cons for each suggested action

Acceptable online social networking activities Possibilities Could ban all mentions by employees Could ask for pre-approval of a comment Could allow employees to publish, but have marketing manager subscribe to RSS feeds and have employees agree to make changes if requested Only have authorised representatives respond online Could block online social networking websites in work hours (but please be realistic)

Possibilities

Could ban all mentions by employees

Could ask for pre-approval of a comment

Could allow employees to publish, but have marketing manager subscribe to RSS feeds and have employees agree to make changes if requested

Only have authorised representatives respond online

Could block online social networking websites in work hours (but please be realistic)

Staff training and awareness program Possibilities Content Awareness of acceptable online social networking activities Core principles in ensuring the privacy of personal information in an online environment Specific training on the use of major identified online social networking websites to ensure privacy. Practical advice in the use and etiquette of online social networking tools, including the use of email Make your requirements part of induction program, perhaps with an exam Require existing staff to attend annually, and perhaps pass an exam

Possibilities

Content

Awareness of acceptable online social networking activities

Core principles in ensuring the privacy of personal information in an online environment

Specific training on the use of major identified online social networking websites to ensure privacy.

Practical advice in the use and etiquette of online social networking tools, including the use of email

Make your requirements part of induction program, perhaps with an exam

Require existing staff to attend annually, and perhaps pass an exam

Online reputation monitoring Possibilities Engage online reputation monitoring service provider At least set up Google Alerts! Document risky mentions in monthly, quarterly, or annual online social networking references report Subscribe to likely private online forums Ensure that applicants for positions are aware that the candidate’s online profile may be examined in the course of assessing the candidate’s suitability for the position.

Possibilities

Engage online reputation monitoring service provider

At least set up Google Alerts!

Document risky mentions in monthly, quarterly, or annual online social networking references report

Subscribe to likely private online forums

Ensure that applicants for positions are aware that the candidate’s online profile may be examined in the course of assessing the candidate’s suitability for the position.

Responding Possibilities May need to have lawyers involved For an employee, the HR manager would deal with it Core principles: Demonstrate an interest and respond online to address a grievance, and be transparent about it Never post an immediate, negative, response to an online reference. Have a conversation in person at a senior level Legal action considered Making no response may be the least harmful All responses conducted professionally and honestly Monitor and document responses in social networking references report

Possibilities

May need to have lawyers involved

For an employee, the HR manager would deal with it

Core principles:

Demonstrate an interest and respond online to address a grievance, and be transparent about it

Never post an immediate, negative, response to an online reference. Have a conversation in person at a senior level

Legal action considered

Making no response may be the least harmful

All responses conducted professionally and honestly

Monitor and document responses in social networking references report

CONCLUSION Business opportunities and OSN

Are there opportunities? Workshop exercise Identify other opportunities presented by online social networking

Workshop exercise

Identify other opportunities presented by online social networking

Research and development Brand monitoring Understand the reach and impact of your brand Know what is being said in the ‘hearts and minds’ and be more reactive Research communities Share and build ideas within internal and external communities to test their value Innovation communities Users can provide recommendations for new features Communities of users can vote on new features to guide product or feature development

Brand monitoring

Understand the reach and impact of your brand

Know what is being said in the ‘hearts and minds’ and be more reactive

Research communities

Share and build ideas within internal and external communities to test their value

Innovation communities

Users can provide recommendations for new features

Communities of users can vote on new features to guide product or feature development

Marketing Blogs Promote and discuss on your own blogs Get a groundswell of discussion amongst your customers Communities Build relationships between users and the company products Video on user-generated sites Viral marketing promotion Audience gives more weight to genuine user experiences than paid TV spots

Blogs

Promote and discuss on your own blogs

Get a groundswell of discussion amongst your customers

Communities

Build relationships between users and the company products

Video on user-generated sites

Viral marketing promotion

Audience gives more weight to genuine user experiences than paid TV spots

Sales Social networking sites Can target sales (but need to be careful!) Create groups & events e.g. Friends of Ford Brand ambassador programs Identify loyal customers who bring others into your community Communities Understand and target sales Embeddable widgets Users can prove brand loyalty Points of presence for sales

Social networking sites

Can target sales (but need to be careful!)

Create groups & events e.g. Friends of Ford

Brand ambassador programs

Identify loyal customers who bring others into your community

Communities

Understand and target sales

Embeddable widgets

Users can prove brand loyalty

Points of presence for sales

Customer support Support forums Customers can answer their own problems online Customers can help each other Become aware of issues much sooner Proactive support e.g. Direct2Dell Wikis Customers can answer their own problems online Self-documenting Save on publishing costs and corrections

Support forums

Customers can answer their own problems online

Customers can help each other

Become aware of issues much sooner

Proactive support e.g. Direct2Dell

Wikis

Customers can answer their own problems online

Self-documenting

Save on publishing costs and corrections

Operations Internal social networks Cross-fertilisation of ideas From front line to back office – e.g. Blue Shirt Nation (Best Buy Inc) Promote the sense of culture and can bring together widely dispersed/loosely coupled workforces Wikis Provides a platform to develop self-organising teams Take on responsibility and change External social networks Leverage employees’ networks to hire new staff

Internal social networks

Cross-fertilisation of ideas

From front line to back office – e.g. Blue Shirt Nation (Best Buy Inc)

Promote the sense of culture and can bring together widely dispersed/loosely coupled workforces

Wikis

Provides a platform to develop self-organising teams

Take on responsibility and change

External social networks

Leverage employees’ networks to hire new staff

Cultural change Recommendations for implementing Accept the loss of control Expect pushback from managers Line up executive backing Start small and focus on measurable objectives Expand beyond projects Stay focussed on culture, not technology

Recommendations for implementing

Accept the loss of control

Expect pushback from managers

Line up executive backing

Start small and focus on measurable objectives

Expand beyond projects

Stay focussed on culture, not technology

Conclusion

Conclusion Review the expectations wall How did we go? Obtaining a copy of the presentation See www.michealaxelsen.com for a copy of this presentation See CPA Congress community: ( http://cpacongress.ning.com Applied Insight Pty Ltd Services Social networking training for staff Social networking review for your business Social networking policies & procedures

Review the expectations wall

How did we go?

Obtaining a copy of the presentation

See www.michealaxelsen.com for a copy of this presentation

See CPA Congress community: ( http://cpacongress.ning.com

Applied Insight Pty Ltd Services

Social networking training for staff

Social networking review for your business

Social networking policies & procedures

Contact details Micheal Axelsen Director, Applied Insight Pty Ltd m: 0412 526 375 t: +61 7 3139 0325 e: [email_address] blog: www.michealaxelsen.com Applied Insight Pty Ltd PO Box 603 Toowong DC 4066 AUSTRALIA

About the speaker Services Micheal Axelsen provides consulting services in the enterprise governance of information technology, and the development and implementation of strategy to deal with the business challenges of information technology. Position and qualifications Director of Applied Insight Pty Ltd Chair of CPA Australia Information Technology & Management Centre of Excellence Qualifications Bachelor of Commerce (Hons) Masters of Information Systems FCPA

Services

Micheal Axelsen provides consulting services in the enterprise governance of information technology, and the development and implementation of strategy to deal with the business challenges of information technology.

Position and qualifications

Director of Applied Insight Pty Ltd

Chair of CPA Australia Information Technology & Management Centre of Excellence

Qualifications

Bachelor of Commerce (Hons)

Masters of Information Systems

FCPA

Appendix: For further reference

References AS/NZS 4360:2004 Risk Management Boyd, D., and Ellison, N. "Social Network Sites: Definition, History, and Scholarship," Journal of Computer-Mediated Communication (13:1), March 2007, pp 210-230. Brandenburg, C. ‘The Newest Way to Screen Job Applicants: A Social Networker's Nightmare’. Federal Communications Law Journal. Los Angeles: Jun 2008. Vol. 60, Iss. 3; p. 597 (30 pages). Emerald Insights. ‘MySpace or yours? Advertising and social networks’. Strategic Direction. Bradford. 2008. Vol. 24, Iss. 8; p. 15 Engdahl, S (Editor). “Online social networking”. Greenhaven Press. Farmington Hills, MI, USA. c2007.

AS/NZS 4360:2004 Risk Management

Boyd, D., and Ellison, N. "Social Network Sites: Definition, History, and Scholarship," Journal of Computer-Mediated Communication (13:1), March 2007, pp 210-230.

Brandenburg, C. ‘The Newest Way to Screen Job Applicants: A Social Networker's Nightmare’. Federal Communications Law Journal. Los Angeles: Jun 2008. Vol. 60, Iss. 3; p. 597 (30 pages).

Emerald Insights. ‘MySpace or yours? Advertising and social networks’. Strategic Direction. Bradford. 2008. Vol. 24, Iss. 8; p. 15

Engdahl, S (Editor). “Online social networking”. Greenhaven Press. Farmington Hills, MI, USA. c2007.

References Espejo, R (Editor). ‘Should social networking web sites be banned?’. Greenhaven Press. Detroit, MI, USA. 2008. Johnson, R A, and Middleton, J M. ‘Accounting for Second Life’. Journal of Accountancy. New York: Jun 2008. Vol. 205, Iss. 6; p. 54 (5 pages) Lavenda, D. ‘Does 'blogging' have a place in the workplace?’. The British Journal of Administrative Management. Orpington: Jul 2008. p. 27 (3 pages) Mac Sithigh, D. ‘The mass age of internet law’. Information & Communications Technology Law. Abingdon: Jun 2008. Vol. 17, Iss. 2; pg. 79 McCallum, R. “Employer Controls over Private Life”. New South Wales University Press Ltd. Sydney, NSW, Australia. 1999.

Espejo, R (Editor). ‘Should social networking web sites be banned?’. Greenhaven Press. Detroit, MI, USA. 2008.

Johnson, R A, and Middleton, J M. ‘Accounting for Second Life’. Journal of Accountancy. New York: Jun 2008. Vol. 205, Iss. 6; p. 54 (5 pages)

Lavenda, D. ‘Does 'blogging' have a place in the workplace?’. The British Journal of Administrative Management. Orpington: Jul 2008. p. 27 (3 pages)

Mac Sithigh, D. ‘The mass age of internet law’. Information & Communications Technology Law. Abingdon: Jun 2008. Vol. 17, Iss. 2; pg. 79

McCallum, R. “Employer Controls over Private Life”. New South Wales University Press Ltd. Sydney, NSW, Australia. 1999.

References Stewart, A. ‘Drafting and enforcing post-employment restraints’. Australian Journal of Labour Law. Vol 10 pp181-221. 1997. Willard, N E. ‘Cyber-safe kids, cyber-savvy teens : helping young people learn to use the Internet safely and responsibly. Jossey-Bass. San Francisco , CA, USA. 2007.

Stewart, A. ‘Drafting and enforcing post-employment restraints’. Australian Journal of Labour Law. Vol 10 pp181-221. 1997.

Willard, N E. ‘Cyber-safe kids, cyber-savvy teens : helping young people learn to use the Internet safely and responsibly. Jossey-Bass. San Francisco , CA, USA. 2007.

Appendix: Developing your policy

Tailoring your response

Identify the risks Identify business strategy and market position Identify organisational focus Identify organisational strategy and context Assessment of online presence Online search for mentions of business name, key products, and senior management team. Social networking search for current and past employees. Search of relative subscriber-only forums not indexed by search engines.

Identify business strategy and market position

Identify organisational focus

Identify organisational strategy and context

Assessment of online presence

Online search for mentions of business name, key products, and senior management team.

Social networking search for current and past employees.

Search of relative subscriber-only forums not indexed by search engines.

Identify the risks Stakeholder survey A broad survey of stakeholders (including customers, business owners and staff) to identify the extent of participation in online social networking. Request suggestions on appropriate online behaviour from stakeholders Stakeholder interviews Identify current activities, expectations of appropriate behaviour, and general attitude towards OSN

Stakeholder survey

A broad survey of stakeholders (including customers, business owners and staff) to identify the extent of participation in online social networking.

Request suggestions on appropriate online behaviour from stakeholders

Stakeholder interviews

Identify current activities, expectations of appropriate behaviour, and general attitude towards OSN

Identify the risks Document risks Review the information recorded above, and identify current and potential online social networking activities, and consider the potential risks that arise as a result of these actions. Consider the seven potential risks Document the risks, identifying online social networking activities that contribute to this risk.

Document risks

Review the information recorded above, and identify current and potential online social networking activities, and consider the potential risks that arise as a result of these actions.

Consider the seven potential risks

Document the risks, identifying online social networking activities that contribute to this risk.

Understand the risks Identify likelihood Have stakeholders rate the likelihood of each risk Identify consequences Understand the risk and its impact Define levels of economic loss What is the consequence of each risk? Have stakeholders rate the consequences of each risk

Identify likelihood

Have stakeholders rate the likelihood of each risk

Identify consequences

Understand the risk and its impact

Define levels of economic loss

What is the consequence of each risk?

Have stakeholders rate the consequences of each risk

Understand the risks Risk evaluation workshop Use a workshop to agree on an estimated risk level Aggregate consequence assessment. Confirm in workshop. Map each risk to the matrix below Document the estimated risk level

Risk evaluation workshop

Use a workshop to agree on an estimated risk level

Aggregate consequence assessment. Confirm in workshop.

Map each risk to the matrix below

Document the estimated risk level

Understand the risks

Evaluate the risks Evaluate risks and risk level Identify the acceptable estimated risk level Assign each identified risk to the below matrix Identify non-policy activities or changes to work practices to: avoid the risk reduce the likelihood of its occurrence to reduce its consequences to transfer the risk to a third party. What remains is the residual risk that must be reduced through an online social networking policy

Evaluate risks and risk level

Identify the acceptable estimated risk level

Assign each identified risk to the below matrix

Identify non-policy activities or changes to work practices to:

avoid the risk

reduce the likelihood of its occurrence

to reduce its consequences

to transfer the risk to a third party.

What remains is the residual risk that must be reduced through an online social networking policy

Evaluate the risks

Evaluate the risks Match risks to policy and procedure template Five core procedure responses, matched to your risk appetite: Acceptable online social networking activities Staff awareness program Staff training program Online reputation monitoring Responding to online social networking activities Provides a draft online social networking policy that can be developed further Validation Check Refinement will be needed Circulate, discuss, and confirmed

Match risks to policy and procedure template

Five core procedure responses, matched to your risk appetite:

Acceptable online social networking activities

Staff awareness program

Staff training program

Online reputation monitoring

Responding to online social networking activities

Provides a draft online social networking policy that can be developed further

Validation Check

Refinement will be needed

Circulate, discuss, and confirmed

Treat and monitor Develop program of activities from procedures Steady and sure approach is usually best Three crucial factors: Be realistic (and then halve it!) Prioritise the identified risk mitigation controls with separate actions Identify a program of work over the planning horizon period

Develop program of activities from procedures

Steady and sure approach is usually best

Three crucial factors:

Be realistic (and then halve it!)

Prioritise the identified risk mitigation controls with separate actions

Identify a program of work over the planning horizon period

Treat and monitor

Treat and monitor Establish monitoring program Review actions each delivery period Plan the actions for delivery in the next Focus on the development of an active strategy Regularly monitor & review in a group Monitor effectiveness Review policy & procedures annually

Establish monitoring program

Review actions each delivery period

Plan the actions for delivery in the next

Focus on the development of an active strategy

Regularly monitor & review in a group

Monitor effectiveness

Review policy & procedures annually

Appendix: OSN Risk Examples

Scenarios Productivity Losses Employees use social networking websites during work time to the detriment of business performance. Legal risks As no policy explicitly states that email use is monitored by the employer, the employee brings an action for wrongful dismissal when dismissed for posting inappropriate content to an email forum. As no policy explicitly states that web use is actively monitored, it is difficult for a business to further investigate an employee who is suspected of posting details of an upcoming marketing program and product price list onto Wikipedia.

Productivity Losses

Employees use social networking websites during work time to the detriment of business performance.

Legal risks

As no policy explicitly states that email use is monitored by the employer, the employee brings an action for wrongful dismissal when dismissed for posting inappropriate content to an email forum.

As no policy explicitly states that web use is actively monitored, it is difficult for a business to further investigate an employee who is suspected of posting details of an upcoming marketing program and product price list onto Wikipedia.

Scenarios A junior financial planner with an accounting firm provides taxation advice in a public forum using the firm’s email address and with a signature including the firm’s name. The advice is posted publicly, is relied upon by some readers who suffer a loss and subsequently bring an action against the accounting firm. Reputation Risk A customer writes a blog post or video that is negative towards your product, service or staff. An employee writes a blog post or posts a video that is negative towards the company’s product, service or staff.

A junior financial planner with an accounting firm provides taxation advice in a public forum using the firm’s email address and with a signature including the firm’s name. The advice is posted publicly, is relied upon by some readers who suffer a loss and subsequently bring an action against the accounting firm.

Reputation Risk

A customer writes a blog post or video that is negative towards your product, service or staff.

An employee writes a blog post or posts a video that is negative towards the company’s product, service or staff.

Scenarios An employee writes a blog post or status update that places company secrets in the public domain using the business’s equipment. An employee posts lewd photographs online in a public forum. A friend of an employee posts lewd material on the employee’s public website or social networking page. Photographs of office functions depicting inappropriate behaviour are posted online by staff. Photographs of office functions depicting inappropriate behaviour are posted online by staff employed by the venue.

An employee writes a blog post or status update that places company secrets in the public domain using the business’s equipment.

An employee posts lewd photographs online in a public forum.

A friend of an employee posts lewd material on the employee’s public website or social networking page.

Photographs of office functions depicting inappropriate behaviour are posted online by staff.

Photographs of office functions depicting inappropriate behaviour are posted online by staff employed by the venue.

Scenarios An employee writes a blog post or posts a video that is derogatory to his or her colleagues or the firm’s customers. An ex-employee writes a blog post or posts a video that is derogatory to his or her colleagues or the firm’s customers. A supplier writes a blog post that is derogatory about the company’s ability to pay its suppliers. Viruses & spyware A staff member’s computer infects all networked computers with a virus that was launched from a website that advertised on MySpace.

An employee writes a blog post or posts a video that is derogatory to his or her colleagues or the firm’s customers.

An ex-employee writes a blog post or posts a video that is derogatory to his or her colleagues or the firm’s customers.

A supplier writes a blog post that is derogatory about the company’s ability to pay its suppliers.

Viruses & spyware

A staff member’s computer infects all networked computers with a virus that was launched from a website that advertised on MySpace.

Scenarios The accountant’s username and password for the business’s online banking is stolen by a Trojan key-logging program that was downloaded to the accountant’s laptop from an advertisement on a niche social networking website while her teenaged son was using the computer at home. Privacy breaches/identity theft Using an edited copy of a signed letter and a business-card posted on Flickr, a fraudster creates a fake letter of employment as supporting documentation for a bank loan in an employee’s name that is subsequently defaulted upon and causes personal bankruptcy for the employee.

The accountant’s username and password for the business’s online banking is stolen by a Trojan key-logging program that was downloaded to the accountant’s laptop from an advertisement on a niche social networking website while her teenaged son was using the computer at home.

Privacy breaches/identity theft

Using an edited copy of a signed letter and a business-card posted on Flickr, a fraudster creates a fake letter of employment as supporting documentation for a bank loan in an employee’s name that is subsequently defaulted upon and causes personal bankruptcy for the employee.

Scenarios The employee subsequently brings an action against the business for not taking reasonable precautions to prevent this from happening. Although the resulting court case is unsuccessful, it is a serious distraction and expense for the business. An employee posts a photograph of a colleague and her children on her blog at the annual Christmas function. The colleague’s estranged husband is able to identify the children’s school from the uniform they are wearing, and subsequently collects the children from the school. The children are never seen again.

The employee subsequently brings an action against the business for not taking reasonable precautions to prevent this from happening. Although the resulting court case is unsuccessful, it is a serious distraction and expense for the business.

An employee posts a photograph of a colleague and her children on her blog at the annual Christmas function. The colleague’s estranged husband is able to identify the children’s school from the uniform they are wearing, and subsequently collects the children from the school. The children are never seen again.

Scenarios Social engineering Using names, email address, and positions gleaned from Facebook, position titles and references from LinkedIn, and faked letterhead or invoices from a site such as Flickr or Photobucket, a conman is able to extract payment for non-existent products or services. Using photos from Flickr of a business card and letterhead, and information gleaned from Facebook, a fraudster poses as a contract cleaner who then uses an unattended and logged-in computer to steal clients’ taxation information on a 4gb USB memory stick.

Social engineering

Using names, email address, and positions gleaned from Facebook, position titles and references from LinkedIn, and faked letterhead or invoices from a site such as Flickr or Photobucket, a conman is able to extract payment for non-existent products or services.

Using photos from Flickr of a business card and letterhead, and information gleaned from Facebook, a fraudster poses as a contract cleaner who then uses an unattended and logged-in computer to steal clients’ taxation information on a 4gb USB memory stick.

Scenarios Inadvertent release of information The company’s proprietary approach to the bidding process for government work is submitted to Wikipedia by the business development assistant and is not able to be withdrawn in time.

Inadvertent release of information

The company’s proprietary approach to the bidding process for government work is submitted to Wikipedia by the business development assistant and is not able to be withdrawn in time.