Social media risk exists across entire organizations and can impact areas like leadership, marketing, operations, and human resources. The document discusses how a lack of control over private social media accounts and use of personal devices increases risks. It provides examples of how risks have impacted companies through regulatory fines, loss of employees or market value. The document recommends organizations audit social media use, listen for potential issues, manage social media guidelines and content, prepare crisis responses, and archive social media conversations to manage growing online risks.
1. Managing social media risk across the whole organisation
Jeremy Swinfen Green MA MBA CMC FIC, Managing Partner
Social Media Risk Consulting Ltd
2. Social media risk
• Damaging content on social media platforms
– Employees, ex-employees, customers and detractors
• A big opportunity for marketers - but also a big risk for business
• Reputational risk is generally acknowledged, but risks exist across the organisation
4. Why is it such a problem?
• Culture
– Unofficial communications (It’s private, isn’t it?...)
– Ephemeral communications (Did we really say that?)
– Anonymous communications (Catch me if you can!)
• The web
– Speed of online communications with multiple connections globally
– Potential for viral growth and amplification by the media
• Lack of control
– Private vs corporate social media accounts
– Bring your own device
5. Size of the risk
• April 2013: Syrian Electronic Army hack into AP’s Twitter feed
– They plant rumours of bombs at the White House
• Result: the Dow Jones drops 143 points
– $136 bn is erased from the market
6. Why are social media threats growing?
• Continued monetisation of cyberspace
• Growth of mass market mobile technology
• Growing dependency on the web and the IoT
• Increasing corporate use of big data
• Rise in social media use by consumers
7. The result of risk events
• Legal suits and compliance breaches
• Reduced operational efficiency
• Loss of value or assets
• Damage to brand and reputation
8. Compliance
• Data protection
• Financial reporting information
• Advertising standards
• Regulated industries e.g. financial services
9. Example: Misleading endorsements
• Allergy Pathway (Australia) fined $15000 for failing to remove misleading endorsements on its website
11. Example: Non-compliant marketing
• WKD Facebook ads banned for linking alcohol with confidence
• You can’t ignore the rules on social media
12. Efficiency risks
• Reduced productivity
– Privacy actions: monitoring employee activity
• HR issues
– Damage to “company as employer” brand
– Discrimination actions: searching candidate profiles
– Bullying and harassment at work
– Duty of care: Abuse when replying to posts; privacy, personal security and identity theft
• Information leakage
• IT security: viruses and malware
13. Example: Unhappy ex-employees
• Recruiting the best talent is essential
• But ex-employees can damage “employer brand”
• Monitoring posts and rebutting claims in the right way is a key skill
14. Keeping key staff
• PayPal’s Director of Strategy was fired after a series of very inappropriate 1 a.m. tweets
• Justine Sacco, communications director of InterActive, sent a racist tweet before boarding a flight, and was fired before she had landed
16. Value risks
• Lower revenues
– Inadvertent contracts
– Employee comments that affect sales
• Higher costs
– Wasted campaign investments (e.g. Likes)
– Libel actions (e.g. tagged party photos)
– Legal actions for breach of NDA
• Lost value
– Loss of social media assets
– Loss of IP and trademark/patent protection
– ID theft (e.g. CEO) that affects share price
17. Example: share price movement
• Social media can cause rapid share price movements
– Tweets about a train crash in Maryland resulted in a $500m market capitalisation in 90 minutes
– Quindell lost £950m after Gotham City, who stood to gain if the shares fell, tweeted a link to a highly critical report
• (in the USA, Ebix, Tile Shop & Blucora also suffered from GC)
18. Example: Loss of social media assets
• Social media assets e.g. Facebook pages not owned by the business
• Set up by employee who then leaves
• Appropriate protocols are needed for setting up and maintaining social media assets
19. Reputational risks
• Inappropriate and accidental comments by employees
• Marketing
– Low-grade marketing activity
– Obsolete marketing campaigns
• Points of presence
– Brand-jacking and hate sites
– Fan sites and the lawyers
– Phishing and pharming
21. Example: opening doors to criticism
• Why would a “low emotion” brand like NYPD expect people not to share criticism?
[Image panels: What they wanted / What they got]
22. Example: Brand-jacking
• Organisation pages being taken over
– “123456” and “password” are most common passwords
– Social media management systems can impose protocols
– But problems like Heartbleed will always occur
• Yahoo, Pinterest, Facebook and WordPress possibly affected
“Burger King just got sold to McDonalds…”
DCMS Twitter feed gets hacked
23. Example: Pharming
• Any site where users can download text is at risk
– Social media are particularly at risk
• 100+ fraudulent eBay product links found recently
– Visitors’ accounts hijacked to enable fraudulent sales
24. Social PR crisis
• Things that happen…
– Product problems cause unhappy customers to complain
– Unhappy ex-employees post defamatory comments
– Unacceptable executive behaviour is uncovered
– Rumours of takeovers, financial troubles are circulated
• Consumer disquiet gets “amplified” by media
25. Social media losses
• 90% of organisations who experienced a social media incident suffered negative consequences, including:
– reduced stock price (average cost: $1,038,401)
– litigation costs (average cost: $650,361)
– direct financial costs (average cost: $641,993)
– damaged brand reputation/loss of customer trust (average cost: $638,496)
– lost revenue (average cost: $619,360)
Symantec, 2011, reported by CBR
27. Audit
• Identify risks: history, scenario development
– Evaluate current mitigations and develop improved processes for reduced risk
• Evaluate organisation
– Board preparedness
– Individual business operations
– Company culture
• Develop Social Media Protocol
– Train all staff in social media guidelines & sanctions
28. Listen
• Listen to identify potential problems
– Where are you listening?
– Who is doing the listening?
– How is data collected and analysis conducted?
• React to social media appropriately
– Triage social media activity (ignore, respond, escalate)
– Direct to appropriate business functions
29. Manage
• Develop and customise social media guidelines and train employees
• Manage content: moderate inbound and outbound posts
• Ensure appropriate tools are used:
– Listening, PoP monitoring, Moderation, Archiving
30. Prepare
• Prepare for potential crisis
– Identify possible “worst case” problems
– Develop tone of voice guidelines
– Prepare holding and position statements
– Develop escalation process
• Practice: Set up artificial crisis and enable response team to practice
– Handling stress
– Testing processes
31. Archive
• All businesses can benefit from archiving conversations with the public
– Regulated industries are likely to be required to archive static AND interactive content
• Choosing the right tool is essential
– What is being archived (e.g. web vs API)
– How easy is it to find content and resurrect conversations
– How far back can you go
32. Conclusions
• Constantly changing landscape
• Impossible to anticipate all risks
• But structured analysis of business process can deliver an effective risk register that demonstrates a “reasonable” level of care
BBC discovered that 49% of the reviews left on the Nottinghamshire Healthcare Trust profile were submitted from staff computers. In the commercial world this would have been a criminal offence!
Employees need training so they know what is appropriate.
A Google dork is someone who accidentally or irresponsibly posts strategic information online so that it can be found by Google.
A special constable with Dorset Police resigned after posting a video of himself walking around Poole police station on YouTube. The video contained information on station layout, a potentially serious security issue.
More seriously, 4 US Army helicopters were destroyed in Iraq after geo-tagged photos were posted on the internet.
It is very easy to post personal content on a corporate account – which is why technologies that deny access to certain sites/accounts are important