The Challenges Ahead
A secure social media environment is one in which you are ready to respond to, report on, and remediate situations quickly and effectively. To do so, however, corresponding systems and policies must be implemented in advance. As your company’s social media presences grows, you’ll be faced with increasing security challenges. Your strategy and policies have to evolve over time as the tools and business processes change, and in social media these changes will be frequent.
Determine the Implementation Processes
When assessing your company’s social media usage using the H.U.M.O.R. Matrix, some vulnerable areas will be immediately apparent and the priorities for implementation clear. For example, no policy allows employees to post whatever they want and open the company to attacks. If you have no policy and no monitoring tools in place, the risk is greater that employees can send out confidential information over social media channels and you would not know about it. As you identify the weaknesses in your environment, the steps you need to take to reduce your risk of confidential exposure and reputation damage will become clear.
Social media is evolving at a rapid pace with corresponding innovation in the tools available for participating online. This means that employees are most certainly using unauthorized social media tools during work hours, which can place the company at risk of data loss or reputation damage. Inventorying the universe of applications being used to understand the risk exposure in the work place and monitoring information being posted outside of the work place are key. In addition, you need to implement social media policies that outline not only expected behavior when representing the company, but also which applications are safe to use and how to use them. Employees also need to understand when it is appropriate to respond to queries about the company, and when such responses should be handled by spokespersons assigned to community management.
Make inventorying the company’s intellectual property, trademarks, and copyrights a priority in order to prevent information leaks and wrongful use of logos and brands. Part of this process may actually entail creating digital versions of logos and brands for use by employees and the public.
Finally, it is important to implement monitoring tools to measure social media activity online—by employees, customers, and competitors. Listening and learning from online mentions both informs future implementations and provides a daily check on how well your company is performing.
Security Is a Moving Target
Any current implementation of social media security is a temporary panacea at best. This is because there are a plethora of social networks, each one with their own security holes and privacy risks. The social networks themselves are continuously changing and updating their privacy protections, often reducing privacy for commercial reasons, as is the case with Facebook. Nonvigilant users may wake up to find their once-protected information is no longer safe. You cannot rely solely on the social media networks to provide you with warning and security. Also, new types of social sharing websites are being invented that redefine how people interact with other. Currently, question and answer websites and mobile photo–sharing services are gaining quick adoption. Generally, new social media websites and mobile services are well integrated into existing social networks with millions of users. The ability to instantly geotag, share photos, and then distribute those photos through accounts on multiple websites poses new security challenges, such as the loss of confidential data through mobile phone uploads. These challenges are difficult to foresee, other than to know that the social web is akin to dunes in a desert with ever-shifting sands. The only way to protect yourself from future risk is to draw lessons from your current security implementation, keep up to date with new services and changes to existing services, and regularly reassess the environment.
Continuous Changes in Management and Policy
Considering how quickly social media changes, it is important to also note how quickly services are adopted and how quickly people learn to use those new services. There is a learning curve to using social media in general, and society as a whole seems to be progressing along this learning curve by participating more and sharing more openly. Furthermore, each new platform has its own quirks that users must learn and master.
This means that any company’s customers will become more active online over time and will be present on more social networks. Employees will follow this trend, adopting new social networks and participating more openly.
Because of these dynamics, social media policies, procedures, controls, and monitoring must be updated regularly to keep up with changes in use and behavior. Outdated systems and policies pose the greatest threat by promoting a false sense of security.
Check Your Sources
As we get more and more information through social networks and blogs, we risk losing what institutional media provided in the 20th century: credibility through a recognized media brand name that anointed each article with the authority of the media outlet. When we read the New York Times, we know that certain standards are maintained with respect to professionalism, editorial process, quality of research, and ethics (and, even there, debates over accuracy of reporting arise occasionally). When we read any particular blog, however, how can we be sure it’s trustworthy? How can we know that what is written has been researched and represents the truth? Does your policy require validation of sources of information before any story can be referenced or re-tweeted?
Digital literacy is a vital competence for dealing with the social web, a skill that must be mastered by companies participating online. Knowing what information to pay attention to and when and how to respond requires a fair amount of judgment, sophistication, and research. Before acting on social media mentions, it is important to know whether it comes from a familiar and trusted source and, if not, how to qualify the authority, credibility, and influence of the mention.
Multiple solutions to this problem can be combined. The first solution is to build a social layer into existing customer relationship management (CRM) systems to identify where your main customers participate online. Which blogs do they read and which social media platforms are they participating in? Knowing this both allows for more precise monitoring of mentions, as well as informs marketing about where promotional initiatives should be conducted and targeted.
The second solution is to cross-check the author of any social media mentions with the other social networks he or she may participate in. For example, does the author have a LinkedIn profile, and if so, does the author include third-party testimonials? While there is no centrally trusted identification mechanism on the Internet, some social networks like LinkedIn and Facebook can serve as proxies precisely because people “vouch” for each other through connections and testimonials. Mentions by anonymous people should be researched more thoroughly, as anonymity by definition destroys credibility, however.
The third and most important solution is to research mentions by verifying the facts. This may include contacting the employee at the point of customer interaction, if a service problem occurred, or contacting the customer directly, if he or she is complaining about a product defect.
Authentication Systems Are Changing
There has been a sea change online in the way that users register as website members. People used to fill out forms with their name, e-mail, password, and other details, depending on the website. More and more, however, we are seeing third-party authentication systems and, in particular, Facebook Connect. People who are members of Facebook can join a new website just by using the Facebook Connect button, which loads the users’ details from their Facebook account. Other websites may use competing authentication mechanisms, generally provided by Twitter, Google, or some other services.
As these systems become more widely adopted, people come to expect them more on websites. This also means that information is being shared more quickly and more easily, sometimes automatically, between websites and social networks. By making it simple for people to share across networks, the speed of information sharing has increased, as has the need to monitor social media activity around brand mentions on multiple sites.
Whether people authenticate through a social network or by using e-mail, identifying individuals using fake social network profiles that nevertheless look real, or using webmail addresses under new pseudonyms, can be difficult. To a certain extent, it’s relatively easy to remain anonymous on the Internet, and authenticating individuals and verifying their identity can sometimes be a challenging. Competitors may pose as customers, and employees may pose as anonymous individuals. Such activity may be problematic in that identities may eventually be discussed by tracking IP addresses, with sometimes embarrassing and expensive consequences for companies or individuals. In a landmark case in 2009, New York State Attorney General Andrew M. Cuomo secured a $300,000 settlement from cosmetic surgery firm Lifestyle Lift, over the publishing of false positive consumer reviews on Internet message boards and websites.1
1Attorney General Cuomo Secures Settlement with Plastic Surgery Franchise That Flooded Internet with False Positive Reviews, Office of the Attorney General (July 14 2009), http://www.ag.ny.gov/media_center/2009/july/july14b_09.html.
Brand Attacks Are Hard to Track
Anonymizing technologies are prevalent and anonymous attackers can go to great lengths to hide their tracks. With potential attacks emanating from foreign countries and being organized in foreign languages, it can be hard to foresee and track attacks against your brand.
The online forum, 4chan, and members who use the moniker “Anonymous,” have become famous for their ability to generate popular Internet memes (a concept that spreads via the Internet) as well as for carrying out coordinated denial of service and other types of attacks against companies, government agencies, and other websites. 4chan’s users have carried out some of the highest-profile collective actions online, particularly against the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and MasterCard. Anonymous members, recruited through posts on 4chan boards, subsequently initiated their own attacks in defense of WikiLeaks, as we covered in Chapter 3. Tracking the sentiment of hacktivist (hacker activist) groups such as those present on 4chan can go a long way toward preparing your brand for attacks, as well as helping you understand the likely timing of such attacks.