Reducing Social Media Risks

With Facebook membership now past the half-billion mark and Americans spending nearly a quarter of their time online, business has gotten into the act. Companies plan to spend nearly double the percentage of their current marketing budget on social media over the next year, according to a 2010 study by the American Marketing Association and Duke University. In just a few years, social media networking has gone from something employees did on the sly to an official communications medium championed by marketing and human resources departments.

It’s easy to see why everyone is “friending” social media. Organizations are seeing increased brand recognition, customer satisfaction and sales revenues. It is now easy to get customer feedback—often within minutes of a news announcement or product launch. And monitoring what your competition and customers are doing and saying has never been easier. Another benefit of sites such as LinkedIn and Plaxo is the ability to reach potential and former employees.

But in the mad dash to acquire tens of thousands of online friends for their brands, many companies are not pausing to consider the potential risks. Since social media tools are new to many organizations and do not require additional IT infrastructure, they may be introduced to the enterprise by a business unit, marketing team or individual employees, bypassing the normal safeguards and risk assessment provided by the IT, HR and legal departments.

Need for Social Media Governance

For these reasons, it’s important to create a social media governance strategy and a plan to address the risks that come with these new communication tools. There are three scenarios that companies should consider when evaluating risk:

1. the use of social media as a business tool to communicate with customers, employees or other stakeholders;

2. access to social media sites while employees are on the corporate network; and

3. employees’ use of social media tools from their corporate-issued mobile devices, which are often not subject to the same controls and monitoring as corporate computers.

To effectively manage social media use, organizations should develop a documented strategy—with associated policies and procedures—that involves all relevant stakeholders. This includes leaders from the business units, sales and marketing, risk management, HR and legal departments. This holistic approach helps ensure that risks are being viewed through the lens of broader business goals and objectives.

Five Business Risks

Here are five primary business risks associated with the use of social media:

• introduction of viruses/malware to the corporate network;

• brand hijacking, such as a brand being impersonated on Twitter;

• unclear or undefined content rights to information posted on social media sites;

• unrealistic customer expectations of service through the ability to communicate with companies online 24/7; and

• noncompliance with record management regulations because of mismanagement of electronic communications.

The introduction of social media can produce significant shifts in both culture and process—particularly in the areas of communications, marketing, customer service and business development. As companies consider setting up a Facebook fan page or a blog—or signing up their CEO for a Twitter account—they should look to established frameworks such as Risk IT and COBIT for clear processes and controls to help them form sound social media governance policies.

Some questions to consider are: What is the strategic benefit to leveraging this technology? What are the risks, and do the benefits outweigh the costs? What new legal issues does it raise? How will customer privacy issues be addressed? How will awareness training be delivered to employees? Does the enterprise have enough resources to sustain this type of initiative?

Clearly, the use of social media provides new entry points for technology risks such as malware and viruses. But what magnifies these risks is the lack of employee understanding of the potential threats. A social media governance strategy should focus first on user behavior by developing policies for personal use in the workplace, personal use involving business information outside the workplace, and business use. These policies should be reinforced through ongoing training and awareness programs.

As social media sites continue to grow in popularity, organizations should embrace them, not block them. But companies that want to succeed at social media governance need to look beyond technology controls and empower employees to reduce risk by getting smart about threats.

Robert Stroud, CGEIT, is international vice president of ISACA, a nonprofit, global association engaged in the development, adoption and use of globally accepted knowledge and practices for information systems.