Social media and its associated risks


Published in: Business, Technology

  1. 1. Social media and its associated risks. Sponsored by Grant Thornton LLP
  2. 2. Contents

     • Executive summary
     • Research methodology
     • Interviewee profiles
     • The corporate value of social media
     • Social media risks
     • Social media policies
     • Conclusion
     • Appendix I: Respondent demographics
     • Appendix II: Sample social media policy
     • About the authors

     Authors:
     • Thomas Thompson Jr., Senior Associate, Research, Financial Executives Research Foundation
     • Jan Hertzberg, CISA, CISSP, PCI QSA, Managing Director, Business Advisory Services – IT, Grant Thornton LLP
     • Mark Sullivan, CFE, CFI, CPP, Principal and Practice Leader, Forensic and Litigation Services, Grant Thornton LLP

     Local contact:
     • David Florio, CA, CA.IT, PCI QSA, Partner, Business Risk Services – Governance, Risk & Compliance, Grant Thornton LLP, T +1 416 369 6415
  3. 3. Executive summary

     How many tweets have you sent in the last month and how many friends or likes do you have? These are questions you would not expect most senior financial executives to concern themselves with. However, with the increasing prevalence of social media in business and the rapid, fluid nature of these “sexy” new technologies, perhaps executives should be concerned. In an article titled “Users of the World, Unite! The challenges and opportunities of social media,” [1] Andreas Kaplan and Michael Haenlein define social media as “a group of Internet-based applications that build on the ideological and technological information of Web 2.0 . . . and . . . allow the creation and exchange of user-generated content.”

     For many companies, social media is the proverbial double-edged sword. It offers both opportunities and risks. Social media cuts across many areas of a company (including HR, marketing, communications and legal, among others); therefore any policy surrounding it should be the result of a multidisciplinary approach. Financial Executives Research Foundation, Inc. (FERF), working in partnership with Grant Thornton LLP, developed a 23-question online survey and conducted in-depth interviews to produce this report, Social media and its associated risks. The survey was conducted during August and September 2011 and was completed by 141 executives from public and private companies. The interviews involved eight open-ended questions and were conducted during September 2011. This report is based on the findings of both the online survey and the in-depth interviews.

     Some of the key survey findings include the following:
     • Almost half (48%) of the senior financial executives who responded to the survey feel that social media will be an important component of corporate marketing efforts going forward.
     • More than half (53%) of respondents see corporate use of social media increasing significantly over the next 12 months.
     • More than three-quarters (76%) of respondent companies do not have a clearly defined social media policy.
     • More than half (61%) of respondents indicated their organizations do not have an incident management plan to help them deal with instances of fraud and/or privacy breaches.

     Key interview findings include:
     • The speed with which social media has grown in the last five years caught many executives by surprise.
     • Executives are allocating more funds to IT security overall, though not necessarily to address specific risks associated with social media.
     • While many companies do have e-mail communication and technology usage policies, very few companies have policies that specifically address social media governance and risks.

     [1] Kaplan, Andreas M., and Haenlein, Michael. “Users of the world, unite! The challenges and opportunities of social media,” Business Horizons, pp. 59–68, Volume 53, Issue 1, 2010.
  4. 4. Research methodology

     The Social media and its associated risks report is based on a 23-question online survey. In-depth follow-up interviews were conducted with senior financial executives from both public and private companies, and others. The online survey was conducted during August and September 2011 and questioned participants about the following areas:
     • opinions regarding social media
     • use of social media
     • concerns about the risks surrounding social media
     • social media policies
     • concerns about identity theft, and data security

     The survey generated a total of 141 complete responses from a variety of senior executives, the majority of whom came from small to midsized companies, although nearly all revenue ranges were represented. Almost all of the respondent companies were located in the United States (the remainder were headquartered in Europe). Excluding the “other” category (which included responses from companies in the aerospace/defense, business services, construction, consulting, consumer marketing and products, consulting, and private equity industries among others), financial services (15%), manufacturing (14%), and professional, scientific, or technical services (10%) were the best-represented industries.

     A total of 12 in-depth interviews were conducted during September 2011 and consisted of eight open-ended questions. The interviews were meant as a follow-up to the survey to uncover deeper insights into the corporate use of social media. Interviewees came from a variety of industries, including manufacturing, wholesale/retail, advertising, health care/life sciences, academia and financial services. Further, one of the interviewees was an attorney and certified information privacy professional and another was an independent, international marketing consultant. All interviewees were given the opportunity to review the notes from their interviews and could opt to be quoted directly or remain anonymous. To minimize bias, the interviews were randomly arranged.

     The research is not intended to cover a statistically significant sample of the corporate population. However the qualitative findings from both the survey and the interviews provide a valuable look at current social media opinions and trends. These findings offer indispensable insights into both the benefits and the risks associated with the rapidly growing use of social media.

     To review the graphs related to the survey demographics, please refer to Appendix I.
  5. 5. Interviewee profiles

     The in-depth, follow-up interviews provided a much better feel for where companies currently are in their adoption of social media as a legitimate business tool. They also provided real-world examples of how executives can benefit from the use of social media and how they should plan to mitigate the risks associated with these new technologies. The following individuals were interviewed:

     Mark Ferguson, CFO, Bench Tree Group LLC
     Mark Ferguson has more than 20 years of finance and accounting experience. He worked at companies such as Texas Instruments, Honeywell and various venture capital-backed startups before becoming the CFO at Bench Tree Group, a manufacturer of equipment for the oil and gas drilling industry.

     Melissa Krasnow, corporate partner and certified information privacy professional, Dorsey & Whitney LLP
     Melissa Krasnow is a partner in the corporate group in the Minneapolis office of Dorsey & Whitney LLP. Krasnow is a corporate, governance, compliance and M&A partner with a privacy and social media practice. She is also a certified information privacy professional and serves on the publications advisory board of the International Association of Privacy Professionals. She is a frequent speaker on privacy and social media, often quoted in national media.

     Morris McInnes, professor and associate dean for academic affairs, Suffolk University’s Sawyer Business School
     Dr. Morris McInnes is a professor of accounting and the associate dean for academic affairs at Suffolk University’s Sawyer Business School, where he has taught for the past 25 years. In addition, Dr. McInnes has taught at the MIT Sloan School of Management, the University of Maastricht in the Netherlands, the Harvard Business School, the Manchester Business School in the UK and has been a lecturer for the Greater Boston Executive Program. His expertise is in corporate financial strategy and control.

     Mark Scovera, president, Access Florida Finance Corporation
     Mark Scovera is the president of Access Florida Finance Corporation. In addition, he serves on the board of the Florida Asset Building Coalition. Previously, he was the senior vice president/CFO of the Florida Black Business Investment Board, Inc., a public-private partner with the state. Scovera has 20 years of experience in accounting and finance. He began his career at Arthur Andersen LLP in the audit division and has served as the controller and CFO for various companies in the Detroit area. He is licensed as a CPA and is a member of the AICPA.

     In addition to the aforementioned interviewees, eight other executives from the retail, advertising, life sciences, manufacturing, recycling, financial services and consulting industries were interviewed. For privacy reasons these individuals did not wish to be quoted directly and requested to remain anonymous. Their roles included CFO, COO, CRO, EVP, VP of finance, controller and consultant.
  6. 6. The corporate value of social media

     Tweeting, blogging and friending are common terms used in the world of social media, and they are becoming a part of business vocabulary as well. Still, these terms are barely the tip of the social media iceberg. Companies like Facebook, Twitter, LinkedIn and YouTube are helping to rewrite the rules for how companies are doing business in the 21st century. Social media is changing our working lives, giving employees — and employers — more flexibility and the ability to respond more quickly and, in some instances, in real time. But is all this social media technology good for business? Many companies are just now starting to take a serious look at the benefits of social media in business, and they are looking even more closely at the risks involved, such as fraud, theft, defamation, cyber-bullying and invasion of privacy among others.

     Almost half (48%) of the senior financial executives who responded to the survey feel social media will be an important component of corporate marketing efforts going forward and only a small percentage (5%) think social media was a complete waste of time or had little to no value in the corporate world. The chart at the right illustrates the opinions of executives regarding the corporate value of social media.

     While many senior financial executives see at least some value in social media, they were also asked for their opinion on how corporate usage of social media would develop over the next 12 months. The chart at right reveals that 87% expect corporate use of social media to slightly or significantly increase next year.

     Corporate value of social media:
     • Will be critical for all corporate marketing efforts going forward: 20%
     • Will be an important component of corporate marketing efforts going forward: 48%
     • May have some value but will most likely only have a peripheral value to corporate marketing efforts: 28%
     • Fine for personal use, but little to no value in the corporate world: 4%
     • Complete waste of time: 1%
     Responses do not total 100% due to rounding.

     How will corporate use of social media develop over the next 12 months?
     • Increase significantly: 53%
     • Increase slightly: 34%
     • Remain fairly constant: 11%
     • Decrease slightly: 2%
  7. 7. Across the board, senior financial executives think the speed with which social media has grown over the last five years has caught many of them by surprise. An anonymous international marketing consultant wasn’t surprised by the lag because, “social media hasn’t been the No. 1 priority for companies and it emerged at a time of great economic turmoil.”

     The CFO of a life sciences company pointed out, “For most of us the explosion in growth outpaced our ability to comprehend the new technology and adjust our strategies.”

     Mark Scovera, president of Access Florida Finance Corporation, echoed that sentiment: “It’s still a relatively new phenomenon especially for business. Business needs to figure out what [social media] can be and what we want to do with it.”

     Dr. Morris McInnes, professor and associate dean of academic affairs at Suffolk University’s Sawyer Business School, expanded on the theme, saying, “It’s still so new that people who make policy don’t fully understand social media. There are generational issues.”

     A controller from a wholesale company commented, “I think the idea of social media is growing but there was resistance at first because it was the ‘new thing.’ Some people questioned whether it was a fad.”

     For the interviewees, corporate use of social media ran the full gamut. Mark Ferguson, CFO of Bench Tree Group LLC, said, “Some of us do use LinkedIn but the company is not specifically pushing social media.”

     A vice president of finance at a manufacturer said, “I use it professionally; I’m on LinkedIn. Our company uses social media in two areas: HR and customer service/product support.”

     A CFO and COO from a manufacturing company commented, “We are not using social media at this time, although it is under consideration.”

     A vice president of finance for a recycling company said, “We are not using it at the moment, although we are looking to use social media [to] manage information and get the message [out] about our quality of service. We’d also like to monitor our corporate image.”

     Meanwhile, some companies have already launched their social media efforts. The CFO of an advertising agency declared, “We use it as part of our industry. It’s part of our DNA.”

     McInnes commented on social media as part of the communication process. “We are using it to get our values out there — the education we stand for and the idea of transparency. Social media gives us another avenue of communication.”

     And Scovera said, “We use Facebook, Twitter and YouTube. We use Facebook for detailed article analysis, Twitter for quick ‘what’s happening’ alerts and updates, and YouTube for video commercials.”
  8. 8. Social media risks

     The majority of senior financial executives surveyed believe there are potential risks involved in the use of social media; however, many respondents think that the risks can be mitigated or are outweighed by the benefits. The chart at right illustrates the varying levels of concern.

     There are a number of risks to be considered when using social media. However, respondents were asked to prioritize only five of them: negative comments about the company, out-of-date information, disclosure of proprietary information, exposure of personally identifiable information (PII), and fraud. The chart at right depicts their risk priorities, with 1 representing the most important risk and 5 the least important.

     While most executives have acknowledged the risks associated with data security and social media, many have yet to translate that acknowledgement into spending on security protections related to social media. This observation has been made in several previous documents, including the FERF report CFO Quarterly Outlook Report: August 2011. The report was created in the wake of several high-profile security breaches at major multinational companies. It noted that 61% of U.S. CFOs allocated more funds to data security, or at least are considering doing so. An executive vice president and chief risk officer at a financial services company pointed out, “We have not allocated anything more for the specifically defined purpose of social media security.”

     How concerned is the company about potential risks of social media?
     • We are very concerned: 11%
     • We are concerned but believe risks can be mitigated or avoided: 38%
     • We are aware of the risks but believe benefits far outweigh them: 25%
     • We don’t believe there are appreciable risks: 22%
     • Other: 4%

     What is the most important social media risk? (Chart; each risk is broken down by the share of respondents ranking it 1st, 2nd, 3rd, 4th and 5th.)
     • Disclosure of proprietary information
     • Negative comments about the company
     • Exposure of Personally Identifiable Information (PII)
     • Fraud
     • Out-of-date information
     Responses may not total 100% due to rounding.
  9. 9. The CFO of a life sciences company commented, “We have allocated more funds but that has not been driven by social media. It was driven more . . . by the proliferation of hacking and third-party data breaches. Intellectual property (IP) is one of the most important assets we have. We’re looking at buying a separate insurance policy for ‘cyber’ risks.”

     Regarding cyber insurance, Melissa Krasnow, corporate partner and certified information privacy professional at Dorsey & Whitney LLP, said, “In considering cyber insurance, a company should comprehensively review the insurance coverage, company policies and information security practices that the company has and consider the risks and regulations it faces as well as understand the different types of cyber insurance available to make sure that cyber insurance would cover the exposures sought.”

     Krasnow also observed, “Breaches and incidents are [occurring] frequently and people are receiving breach or incident notifications. The media is covering these, and [they] are being made public through the Internet. Breaches are occurring through social media and the Internet is publicizing . . . social media incidents. Breaches and data security … are [also] the subject of existing regulation, enforcement actions, litigation and legislative proposals. In addition, cyber attacks are happening frequently. As a result, there is more awareness of the need for data security. Policies, practices and technology can be used to help prevent or lessen the impact of breaches and incidents.”
  10. 10. As the use of social media continues to grow, so too does the risk of fraud involving social media. Most of our survey respondents had not directly experienced social media fraud. However, for those that had, it can be a costly and time-consuming process to undo the damage. The following three charts illustrate the percentages of respondents that had experienced social media fraud, the nature of the fraud and the estimated costs (including legal and investigative fees, and public relations costs, among others).

     Of the 43% who experienced a fraud other than identity theft or a scam, only one respondent specified the nature of the fraud — an HR issue.

     Has company experienced fraud involving social media?
     • No: 79%
     • Don’t know: 18%
     • Yes: 3%

     Nature of fraud:
     • Identity theft: 29%
     • Scam: 29%
     • Other: 43%
     Responses do not total 100% due to rounding.

     Estimated cost of fraud:
     • Under $50,000: 75%
     • $50,000–$100,000: 25%
  11. 11. None of the companies interviewed had experienced an incident of fraud involving social media. Here again, Krasnow’s experience provided great food for thought. “Social media exposures are new and varied. One risk in social media exposures is that there is a loss of control — one person’s or company’s information is transmitted to a social media website of another (i.e., third-party) company. The confidentiality or privacy of that information could be breached, even unintentionally, by submitting it to or posting it on a third-party social media website.”

     She continued, “While no company can [foresee] every risk, they need to anticipate and address significant known risks. For example, how do you go about shutting down an impostor account at a third-party social media website? This is something companies need to plan for and be prepared to do should the need arise. Time will be of the essence once an impostor account is disseminating false information. Be ready, and be prepared.”

     Many interviewees said they had not directly experienced any confirmed data breaches, though a few have had to deal with hacking attempts. Scovera observed, “We did have an email hacking incident back in the spring. While no PII was lost, it did lead to some pharmaceutical advertisement e-blasts being sent.”

     A CFO from a life sciences company stated, “We’ve not had any breaches that we are aware of. I did hear that a major university hospital just had 20,000 names and [other] information posted to a website through a third-party vendor. Every time I hear things like this I shudder and go to speak with our vice president of IT to make sure we are covered.”
  12. 12. A timely response to any fraud or breach is essential, but prevention and early detection are perhaps even more critical. The survey asked executives whether their companies regularly review social media content to isolate potentially fraudulent activities and who is responsible for identifying these activities. The pie charts below illustrate their responses to these two questions.

     As social media continues to grow, so too will the need for adequate anti-fraud training. It is critical for management and employees to learn how to use social media appropriately, how to identify and respond to fraudulent activities, and how to address the legal issues surrounding social media. The chart below demonstrates that many companies have yet to provide anti-fraud training that is pertinent to social media.

     Does the company regularly review social media content?
     • Don’t know: 44%
     • No: 29%
     • Yes: 27%

     Who is responsible for identifying and addressing fraud?
     • IT: 24%
     • Office of general counsel: 24%
     • Corporate security: 7%
     • Human resources: 7%
     • Other: 37%
     Responses do not total 100% due to rounding.

     Does the company train employees to identify and report fraudulent activity?
     • No: 58%
     • Yes: 21%
     • Don’t know: 21%
  13. 13. The vice president and chief risk officer of a financial services company noted, “We have employee training around security and recently did a company-wide phishing test. Unfortunately, the results were not stellar. More of the upper management failed the test compared to lower level employees.”

     The executive added, “I’ve asked that social media be put on the agenda for our next risk committee meeting. I want to bring social media and its risks to management’s attention.”

     Having a plan in place for dealing with instances of fraud and/or privacy breaches related to social media is crucial should the company ever find itself a victim of either. Sadly, more than half (61%) of respondent companies do not have such a plan. For those that do, we asked who within the company is responsible for managing the fraud or breach event. The charts below show their responses.

     Does the company have a fraud management plan?
     • No: 61%
     • Yes: 22%
     • I don’t know/Unsure: 18%
     Responses do not total 100% due to rounding.

     What department is responsible for managing fraud/privacy breaches?
     • Office of general counsel: 24%
     • Corporate security: 19%
     • Human resources: 14%
     • IT: 14%
     • Other: 30%
     Responses do not total 100% due to rounding.
  14. 14. So how confident are senior executives that sensitive, confidential information is adequately protected in their social media platform? The verdict seems to be split: Based on the survey results, 51% of respondents are confident or extremely confident, while 49% are either unsure or not confident. The chart below depicts these findings.

     With many risks to be considered, several of the interviewees expressed some concern that the use of social media on the job may negatively impact productivity. As in the early days of the adoption of the Internet, many companies wrestle with the tradeoff between the added benefit of social media and the potential for lost productivity due to abuse by employees.

     The controller of a wholesale company noted, “The main [concern] is internal productivity. We are looking to flesh this out now in our strategy moving forward. We operate very lean so it is important for everyone on our team to be clicking on all cylinders.”

     “We do worry from a productivity point of view; similar to [the] Internet and email, there is always concern about abuse,” said the vice president of finance for a manufacturer.

     Ferguson agrees that social media can be a drain on productivity: “The expectation is that people will only use social media at work if it’s business-related. As a general rule, I’ve found that if people are using Facebook at work they are goofing off; if they are using LinkedIn it’s more work-related.”

     How confident are you that sensitive or confidential information is adequately protected on social media platforms?
     • Extremely confident: 9%
     • Confident: 41%
     • Not confident: 23%
     • Don’t know: 26%
     Responses do not total 100% due to rounding.
  15. 15. Social media policies

     So how should employers approach social media and social networking tools in the workplace? A good place to start is with a social media policy. However, as was discovered through the survey and follow-up interviews, many companies simply do not have a social media policy in place, even though the use of social media has grown considerably over the last few years. The survey asked executives whether they had clearly defined policies regarding social media at their companies. The chart below shows that only 23% of companies had social media policies.

     While many companies do have policies regarding e-mail communication and technology use, very few companies have policies that specifically address social media governance and risks. Krasnow pointed out, “Many companies’ e-mail or electronic communications policies do not specifically cover social media.”

     She went on to say, “Increasingly, companies are adopting or at least considering social media policies. A company might not need a social media policy where another policy covers aspects of social media and that policy could be amended and updated instead of preparing a stand-alone social media policy. For example, many companies have an electronic communications policy to address appropriate uses of the company’s computer system and to reduce employee expectations of privacy and a company’s risk. Often, an electronic communications policy is amended to address the use of social media. Regardless of which approach is taken, a policy covering social media should be drafted to be consistent and integrated with other company policies (e.g., electronic communications policy, employee handbook, insider trading policy and disclosure policy) . . . . If there is any inconsistency between the policy covering social media and another company policy, the one that will govern should be noted.”

     Does your company have a social media policy?
     • No, and no plan to develop one: 41%
     • No, but one is being developed: 35%
     • Yes: 23%
     Responses do not total 100% due to rounding.
  16. 16. Given the rapid growth of social media, we inquired why so many companies do not have social media policies. Two key points were repeated by nearly all interviewees: the innovation and speed of social media growth, and a generational gap. For those companies surveyed that do have a social media policy, we asked who monitors compliance. The chart below shows the responses.

     Responsibility for monitoring compliance against policy within the organization appears generally diffuse and distributed. Forty-two percent of the respondents stated that their organizations had not identified anyone for this role. Seventeen percent identified “other,” and only 8% stated that the compliance department was responsible. There has not yet emerged a coherent governance strategy in most organizations around social media compliance and risk management. Without a specific individual or group taking responsibility for risk management, it is unclear how effective compliance monitoring efforts can be.

     So which department has overall responsibility for driving social media strategy and implementation in the organization? More than one-half (54%) of survey respondents cited the marketing/public relations department, as shown in the chart below.

     Many organizations are unclear on how they should measure the effectiveness of their social media strategy and efforts. The controller with a wholesale company said, “We are still in the infancy stage at this point with . . . social media usage in our business. We monitor Facebook joins and likes. We also run promos through our Facebook page. I think there needs to be a cross-pollination of our e-mail files with our Facebook and Twitter followers in order to gauge the productivity of [our relationship with] those followers.”

     Scovera mentioned, “The most important measure for us now is friends and followers. We want to start engaging them in a two-way conversation although we don’t really have any metrics for this yet.”

     Another respondent noted that, “friends and followers were a crude measure.” He went on to say that the key performance indicators depend on what industry the company is in and how the company plans to use social media. “I know of companies that use LinkedIn to qualify candidates and Facebook to disqualify candidates.”

     Who monitors compliance with social media policy?
     • No one: 42%
     • Marketing/Public relations: 21%
     • Compliance department: 8%
     • IT: 7%
     • Chief risk officer: 3%
     • Business development/Sales: 1%
     • Other: 17%
     Responses do not total 100% due to rounding.

     Responsibility for social media:
     • Marketing/Public relations: 54%
     • Company does not use social media: 19%
     • No specific group takes the lead: 11%
     • Business development/Sales: 7%
     • Other: 9%
  17. 17. Conclusion

     In addition to the key survey and interview findings that were presented above, noticeable themes emerged from the research.

     First, social media is a growing market and will continue to grow for the foreseeable future. While some companies have already established a strong social media presence, the reality of social media is that the next Facebook or Twitter is likely in the development stage right now, and further change in this space is inevitable.

     Second, research showed that governance regarding social media remains very fragmented. Each company has its own opinions about social media and its potential uses, risk management strategies, etc. As social media use continues to grow in the business world, we may see a more uniform and standard

     Finally, the awareness of the risks around social media is fairly low. Many executives do acknowledge there is risk involved in social media; yet this risk has not been well-defined for them. Governance structures to monitor compliance and manage risk are still very nascent. As the risks associated with social media begin to receive more public attention, organizations may respond more forcefully to perceived risks.
  18. 18. Appendix I: Respondent demographics

     The 23-question online survey generated a total of 141 complete responses from a variety of senior financial executives, the majority (46%) of whom were CFOs. Ninety-seven percent of respondents’ companies were headquartered in the United States (those not located in the United States were headquartered in Europe). Below are the graphs depicting the respondents’ current title and company headquarters location.

     While the majority (86%) of responses came from companies with less than $1 billion in annual revenue, nearly all revenue ranges were represented in the survey responses. Additionally, the majority of respondents were from private companies. Company annual revenue and company type are shown in the charts below.

     Title:
     • Chief financial officer: 46%
     • Vice president of finance: 12%
     • Corporate controller: 11%
     • Business owner, principal or partner: 7%
     • Director: 6%
     • Management consultant: 3%
     • Managing director: 2%
     • Other: 14%

     Annual revenue:
     • Less than $25M: 27%
     • $25M–$99M: 30%
     • $100M–$499M: 20%
     • $500M–$999M: 9%
     • $1B–$4B: 6%
     • $5B–$9B: 4%
     • $10B–$24B: 2%
     • More than $25B: 2%

     Responses do not total 100% due to rounding.

     Company headquarters:
     • United States: 97%
     • Other: 3%

     Company type:
     • Private: 67%
     • Public: 22%
     • Not-for-profit: 10%
     • Government: 1%
  19. 19. Excluding the “other” category (which included responses from companies in the aerospace/defense, business services, construction, consulting, consumer marketing and products, and private equity industries), financial services (15%), manufacturing (14%), and professional, scientific, or technical services (10%) were the most representative industries. The chart below shows all the industries represented in the survey responses.
      Industry: Financial services 15%; Manufacturing 14%; Professional, scientific or technical 10%; Insurance 6%; Health care 5%; Wholesale distribution 5%; Higher education 4%; Retail 4%; Telecommunications 4%; Energy 3%; Software 3%; Transportation 3%; Life sciences 2%; Agriculture, mining and construction 1%; Government 1%; IT services 1%; Media 1%; Utilities 1%; Other 17%.
  20. 20. Appendix II: Sample social media policy (2)
      Be smart. Be respectful. Be human.
      Guidelines for functioning in an electronic world are the same as the values, ethics and confidentiality policies employees are expected to live every day, whether you’re Twittering, talking with customers or chatting over the neighbor’s fence.
      Just in case you are forgetful or ignore the guidelines below, here’s what could happen. You could:
      • be fired (and it’s embarrassing to lose your job for something that’s so easily avoided);
      • get the company in legal trouble with customers or investors; or
      • cost the company the ability to get and keep customers.
      What you should do
      • Disclose your affiliation: If you talk about work-related matters that are within your area of job responsibility, you must disclose your affiliation with the company.
      • State that it’s YOUR opinion when commenting on the business. Unless authorized to speak on behalf of the company, you must state that the views expressed are your own. Hourly employees should not speak on behalf of the company when they are off the clock.
      • Protect yourself: Be careful about what personal information you share online.
      • Act responsibly and ethically: When participating in online communities, do not misrepresent yourself. If you are not a vice president, don’t say you are.
      • Honor our differences: Live the values. The company will not tolerate discrimination (including age, sex, race, color, creed, religion, ethnicity, sexual orientation, gender identity, national origin, citizenship, disability, or marital status or any other legally recognized protected basis under federal, state, or local laws, regulations or ordinances).
      • Offers and contests: Follow the normal legal review process. If you are in the store, offers must be approved through the retail marketing toolkit.
      What you should never disclose
      • The numbers: Non-public financial or operational information. This includes strategies, forecasts and most anything with a dollar figure attached to it. If it’s not already public information, it’s not your job to make it so.
      • Promotions: Internal communication regarding drive times, promotional activities or inventory allocations, including: advance ads, drive time playbooks, holiday strategies and Retail Insider editions.
      • Personal information: Never share personal information regarding other employees or customers. See the Customer Information Policies for more information.
      • Legal information: Anything to do with a legal issue, legal case or attorneys.
      • Anything that belongs to someone else: Let them post their own stuff; you stick to posting your own creations. This includes illegal music sharing, copyrighted publications, and all logos or other images that are trademarked by the company.
      • Confidential information: Do not publish, post or release information that is considered confidential or top secret.
      Basically, if you find yourself wondering if you can talk about something you learned at work — don’t. Follow the company’s policies and live the company’s values and philosophies. They’re there for a reason.
      Remember: Protect the brand, protect yourself.
      (2) This social media policy has been adapted, with permission, from Best Buy Co., Inc.
  21. 21. About the authors
      Thomas Thompson Jr.
      Thomas Thompson Jr. is a senior associate, research, at Financial Executives Research Foundation and the author of more than 20 published research reports. Thompson received a BA in economics from Rutgers University and a BA in psychology from Montclair State University. Prior to joining FERF, Thompson held positions in business operations and client relations at NCG Energy Solutions, AXA-Equitable and Morgan Stanley Dean Witter. Thompson can be reached at tthompson@ or 973.765.1007.
      Jan Hertzberg
      Jan Hertzberg, CISA, CISSP, PCI QSA, leads Grant Thornton’s Business Advisory Services IT Audit, Security and Privacy practice located in the Chicago office. He has more than 25 years of experience and has held leadership positions with Fortune 100 companies, including IBM, Abbott and Ernst & Young. As an audit and security consulting practice leader in the United States and Latin America, he has managed teams that provided guidance and support to clients that are integrating IT controls into advanced technology solutions. Hertzberg has led numerous information security and privacy risk assessments, external and internal vulnerability scans, social engineering and war-dialing engagements, and HIPAA/GLBA privacy reviews. Hertzberg is a frequent speaker and moderator on information security and privacy topics and has written and lectured extensively on information security assessments, IT, staff development, and convergence between information and physical security. He received his MS in computer science and his MA in history from Northern Illinois University. Hertzberg can be reached at jan.hertzberg@ or 312.602.8312.
      Mark Sullivan
      Mark Sullivan, CFE, CFI, CPP leads Grant Thornton’s Forensic Accounting, Investigations and Litigation Support Services for the Midwest Region. He is also the firm’s National Service Line Leader for Investigations. Sullivan specializes in corporate investigations, fraud prevention and detection, and litigation support. For more than 25 years, he has worked with companies and their counsel worldwide to investigate frauds, develop and implement anti-fraud programs, and identify organizational vulnerabilities. His advanced interviewing skills and his experienced team of forensic accountants and e-discovery and computer forensics professionals provide an unparalleled response to data breaches, complex investigations and litigation matters. Sullivan can be reached at or 312.602.8110.
  22. 22. About Grant Thornton LLP
      The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. the U.S., visit Grant Thornton LLP at
      About Financial Executives Research Foundation, Inc.
      Financial Executives Research Foundation (FERF) is the non-profit 501(c)(3) research affiliate of Financial Executives International (FEI). FERF researchers identify key financial issues and develop impartial, timely research reports for FEI members and nonmembers alike, in a variety of publication formats. FERF relies primarily on voluntary tax-deductible contributions from corporations and individuals, and publications can be ordered by logging onto
  23. 23. Acknowledgements
      Platinum Major Gift | $50,000 +: Exxon Mobil Corporation; Microsoft Corporation
      Gold President’s Circle | $10,000 – $14,999: Abbott Laboratories, Inc.; Cisco Systems, Inc.; Dow Chemical Company; General Electric Company; The Boeing Company
      Silver President’s Circle | $5,000 – $9,999: Apple, Inc.; Comcast Corporation; Corning Incorporated; Credit Suisse; Cummins Inc.; Dell Inc.; Duke Energy Corporation; E. I. du Pont de Nemours & Company; El Paso Corporation; Eli Lilly and Company; GM Foundation; Halliburton Company; Hewlett-Packard Company; IBM Corporation; Johnson & Johnson; Lockheed Martin Corporation; Maple Leaf Foods, Inc; Medtronic, Inc.; Motorola Solutions, Inc.; Pfizer Inc.; Procter & Gamble Co.; Safeway Inc.; Sony Corporation of America; Tenneco; The Hershey Company; Tyco International Management Co.; Wells Fargo & Company
  24. 24. The views set forth in this publication are those of the authors and do not necessarily represent those of the FERF Board as a whole, individual trustees, employees or the members of the Advisory Committee. FERF shall be held harmless against any claims, demands, suits, damages, injuries, costs or expenses of any kind or nature whatsoever except such liabilities as may result solely from misconduct or improper performance by FERF or any of its representatives.
      International Standard Book Number 978-1-61509-080-8
      Authorization to photocopy items for internal or personal use, or for the internal or personal use of specific clients, is granted by FERF provided that an appropriate fee is paid to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information please visit the Copyright Clearance Center online at
      © 2011 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher.
      Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.
      © 2011 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd