Managing Social Media Risk, Part 2: Creating Clear and Effective Processes

This is the second installment in a three-part series on how to organize the enterprise for social media risk management by Dave Meizlik, the Vice President of Marketing at Nexgate. To learn how your enterprise can integrate social media risk management across every department, download the white paper from HootSuite Enterprise and Nexgate, Mapping Roles and Responsibilities for Social Media Risk.


Your business goes where its customers are, and there’s no better place to look than social media. Facebook alone now accounts for about 16% of the total time spent on the internet.

Whether your brand is using social media to shape your messaging, engage with prospects, support existing customers, or advertise your products, more and more companies are recognizing social as a communications channel they simply can’t afford to ignore. But the flipside to these benefits is risk: reputation damage, sensitive information leaks, brand abuse, and regulatory and compliance violations are just some of the potential disasters brands face.

In the first part of this series we covered the reasons why successful social media governance stretches across departments, titles, and other divisions within an organization to create a cohesive whole. The complex nature of social media means that there is no one person or group solely in charge of handling risk—personnel from IT, communications, legal, audit, risk, and human resources must all share responsibility.

Yet coordinating this teamwork is anything but easy, which explains why many organizations’ social media security and compliance is haphazard and uncoordinated, and lacks the necessary integration across departments. So what steps can your team take to create a cohesive plan of action to mitigate social media risk?

To start, all team members should agree on the corporate purposes and strategy for adopting social media channels and platforms from the outset. While this might first seem like just another function of Marketing or Corporate Communications, social media is used for a wide variety of purposes other than marketing. Both the Customer Service and HR teams need to be involved from a platform and tool selection perspective, as does IT from a security point-of-view.

Similarly, multiple parts of your organization should work together to do the following:

  • Claim the corporate geography on the different social media channels;
  • Define policy for brand protection and compliance;
  • Monitor access, content, and applications across the social landscape;
  • Execute an implementation plan for the strategy, including a crisis communications and response plan; and
  • Measure against the execution of your plan, including success metrics.

Your organization should also identify risk scenarios and create clear lines of responsibility for each case. Below are three common risk scenarios, along with suggested processes for addressing them.

Scenario 1: Tracking and reporting approved and fraudulent accounts

Your team has determined that someone external to your organization has set up one or more unauthorized social media accounts that purport to represent your organization. Shell famously faced this problem a few years ago when a fake website and fake Twitter account were created to drum up negative publicity about the company’s drilling practices in the Arctic. Much of the public was duped into thinking that Shell had had a social media “meltdown” when, in reality, the content in question was being churned out by a third party masquerading as Shell.

Fraudulent accounts can damage your brand image and negatively impact your social ROI. Here are some actions your team can take:

  • Marketing and IT monitor the social web for any new and fraudulent accounts.
  • Legal notifies the social network with a request to remove the account. Once complete, legal reports back to Marketing for verification.

Scenario 2: Social media account(s) hacked

Your social media accounts have been compromised and someone outside your organization is posting malicious content. This happened just this year to Microsoft/Skype, when the Syrian Electronic Army (SEA) published messages protesting the NSA’s surveillance practices via official Skype accounts.

Responding effectively to a hack requires swift action and a predefined process for your employees to follow during such an emergency. Working together, your team can help mitigate the risk of this type of threat. Here are the steps your brand might take:

  • Corporate Communications defines and tests an internal/external crisis communications plan that includes agency support.
  • Social Media with agency support monitors all social channels for takeovers.
  • Marketing gets advice from Legal.
  • IT uses technology to monitor social accounts with Marketing.
  • IT Security investigates and responds to any breach and takes the necessary actions to mitigate future risk.
  • Marketing and Security report to the broader Social Media Committee and Board with regard to outcome and risk mitigation.

Scenario 3: Compliance violations or release of sensitive company data

Your company recognizes the potential for violations of compliance regulations and may be susceptible to unauthorized release of company data. This is especially pertinent if you’re in financial services, healthcare, or any other heavily regulated industry where compliance issues often surface.

Oftentimes compliance violations or the release of sensitive data comes from a simple lack of knowledge about what is considered a “violation” or what kinds of information shouldn’t be released to the public. For example, a few years ago a case arose of a doctor in Rhode Island who inadvertently identified a patient through a Facebook post—a disclosure of confidential information that resulted in a fine and her losing her right to practice at her hospital.

Clarity here is key, as is the incorporation of components handled by different parts of your organization. The following are some steps your company may take:

  • Legal and/or Compliance defines a policy and plan for addressing this issue based on state, regional, and industry requirements.
  • Legal and/or Compliance works with the Social Media team to understand application and with IT to map technology against enforcement capabilities.
  • Compliance reviews incidents and handling of regulated data and adjusts policy and rules for communication on a regular basis.
  • IT Security implements the policy via technology controls.
  • Social Media team follows defined process and is audited regularly. It also reports back on progress and any irregularities or challenges with the workflow.

Creating specific and clear agreements across departments and processes for your employees to follow enables your team members to work together effectively. This integration protects your company and customers and is a critical piece in handling social media risk. But putting the right team and the right processes in place doesn’t work without the right technology.

Don’t miss the final installment in this series, in which we’ll discuss the tools and technologies you’ll need to round out your risk program, and who’s responsible for procurement.

To learn more about creating a successful, integrated social media marketing program, check out HootSuite and Nexgate’s Mapping Roles and Responsibilities for Social Media Risk, or contact your HootSuite representative.

Dave Meizlik is the Vice President of Marketing at Nexgate, a HootSuite partner that provides cloud-based brand protection and compliance for enterprise social media accounts. Nexgate’s patent-pending technology is used by some of the world’s largest financial services, pharmaceutical, Internet security, manufacturing, media, and retail organizations to find and audit brand affiliated accounts, control connected applications, detect and remediate compliance risks, archive communications, and detect fraud and account hacking.