Training

One of the better training strategy implementations is employed at Intel. Bryan Rhoads, Senior Digital Strategist at Intel, has implemented a strategy that is based on the Intel Social Media Guidelines (http://www.intel.com/sites/sitewide/en_US/social-media.htm). He also provides training in how to use social media for business results and employees’ responsible use of social media. Intel created the Social Media Center of Excellence, which is a diverse team of Legal, Marketing, PR, and Web Communications experts who together create training across social media platforms.

As opposed to employees who are specifically assigned community management responsibilities, other employees must follow another set of guidelines. Although similar in nature, standard employee guidelines differ with respect to how employees identify themselves when posting or responding to posts involving industry issues, how they report relevant social media mentions, and what they should do when social media mentions begin to escalate.

Generally, the company’s Community Managers are an instrumental part of the cross-functional team that determines security policies, guidelines, processes, and training. Other members of the team determining training objectives would include the IT, Human Resources, Marketing, PR, Legal, and Customer Service departments, since most enterprise social media activity occurs within these areas.

It is important to note that social media platforms are subject to national jurisdiction regarding employment laws, even when dealing with large transnational platforms such as Facebook. For instance, in certain countries, Human Resources and company employees may not use a prospective candidate’s social network profile as a reason to deny employment. In other countries, social network platforms are treated as public forums and employees have the same equal rights to free speech as they enjoy in offline physical spaces. In these cases, any company mentions made by employees to their friends during nonworking hours may not be admitted in a chain of custody case for termination.

Training Community Managers

Most likely, employees or community members identified and promoted or recruited for Community Manager–type positions will already possess the required interpersonal, technical, and business skills we discussed previously. More specific training and guidance is required, however, in the following areas:

Defining communication principles, tone of voice, and personality, to fit with the online communities’ changing moods, while simultaneously reflecting the company’s overall marketing and communications objectives as well as with the company’s brand values and culture

Defining technologies to be used and associated security practices specific to each platform and application

Determining reporting lines in case of emergencies or technical issues

Defining business objectives and opening communication lines to key stakeholders in the company in each department for quick resolution to identified problems

Creating business processes to remediate new problems and to seize new opportunities

Codeveloping and refining security practices on an ongoing basis in coordination with the company’s IT and Human Resources departments

Although the role of Community Manager is essentially the same across small, medium, and large companies, the way it is implemented varies widely, as discussed previously. For one, larger companies may have more at stake, particularly when they are publicly quoted and have corporate brands and reputations to maintain. Also, larger companies generally have greater resources to allocate to social media human and technology resources. Even though larger companies naturally have bigger budgets for social media community management, they can learn from the more hands-on approaches of small and medium companies, particularly with respect to community development at the local level.

The Community Manager has to interface with the IT department. The tools used by the Community Manager are implemented and maintained by IT. If these tools allow information to be sent out of the company, then data loss prevention technologies have to be in place to monitor what the Community Manager is actually doing with the information, what is being sent, and determining if it compromises confidential information. As we discussed, it’s easy to break regulations if you do not understand what the restrictions are and most Community Managers are not as educated as IT security teams or Human Resources as to what data can be shared with the public and what might lead to a fine or investigation if a regulation is broken.

Training Employees

In contrast to Community Managers dedicated to advancing the company’s objectives through social media platforms, employees generally use these same platforms for a mix of personal and professional reasons. Regardless of the purpose, they most likely connect personally and professionally with others online several times a week, if not several times a day.

On the personal side, most of your employees have probably joined Facebook, Twitter, Flickr, and other massive social networks to keep in touch with friends, family, and like-minded acquaintances. These interactions are generally meant for updating others about their daily life and may include the sharing of photos and articles of interest. Previously, some of this activity occurred through e-mail, but it has now migrated toward social networks. On the professional side, employees may be developing their own brand, so to speak, for enhancing their current jobs through new professional and sales contacts, developing new options for future advancement and employment, or staying abreast of industry trends in real-time. They may have joined LinkedIn with a summary of their professional history, both for identification by future employers, as well as to establish presence for current sales prospects and vendors. If they are in sales and marketing roles, they may be using the social aspects and applications included in business platforms such as Salesforce.com or on the sites of dedicated trade industry associations or networks.

Regardless of their personal or professional use of social media, noncommunity management employees must understand how their social media activity differs from that of the Community Manager and the process to follow after identifying issues that require the attention of the company’s Community Manager. Particularly in cases in which an employee takes it upon her- or himself to respond directly to an issue on a social media site, the employee must understand what behavior is expected, how to identify her- or himself, and what not to do. As we stated in the policy template discussed in Chapter 6, employees should be educated about any restrictions on using the company name in posts, what can and cannot be disclosed, and what the consequences are for breaking that policy.

Employees should also be encouraged when positive results occur so you develop a culture of positive reinforcement versus negative reinforcement (which, in social media, poses far more of a long-term threat). Negative reinforcement begs rebellion in the enterprise social media space. How to handle positive versus negative posts is a critical area of social media security, as mishandled responses may escalate into larger security issues, even when done genuinely, authentically, and with the utmost sincerity. Often, unhappy customers should be dealt with individually by top-level management, while also keeping the larger community abreast of the issue and the company’s response. A good example of a bad outcome was how Southwest Airlines treated actor/director Kevin Smith on a flight in 2010.³ Mr. Smith was thrown off a plane for being too fat! He then proceeded to launch a Twitter “attack,” or conversation, on the Southwest brand. His first Twitter message was simple enough but escalated quickly, as shown in his Tweets over the next day.

³ Chris Lee, “Kevin Smith’s Southwest Airlines Incident Sets Web all a-Twitter,” Los Angeles Times (February 16, 2010), http://articles.latimes.com/2010/feb/16/entertainment/la-et-kevin-smith16-2010feb16; and Foster Kamer, “Update: The Kevin Smith Southwest Airlines Fat-Fight Tweakout of Epic Proportion,” Gawker, http://gawker.com/5471463/update-the-kevin-smith-southwest-airlines-fat+flight-tweakout-of-epic-proportion.

Dear @SouthwestAir - I know I’m fat, but was Captain Leysath really justified in throwing me off a flight for which I was already seated?

Dear @SouthwestAir, I flew out in one seat, but right after issuing me a standby ticket, Oakland Southwest attendant Suzanne (wouldn’t give..last name) told me Captain Leysath deemed me a “safety risk”. Again: I’m way fat… But I’m not THERE just yet. But if I am, why wait til my..bag is up, and I’m seated WITH ARM RESTS DOWN. In front of a packed plane with a bunch of folks who’d already I.d.ed me as “Silent Bob.”

Wanna tell me I’m too wide for the sky? Totally cool. But fair warning, folks: IF YOU LOOK LIKE ME, YOU MAY BE EJECTED FROM @SOUTHWESTAIR.

Hey @SouthwestAir! I’ve just recorded a Very Special Episode of SModcast - all for you. It goes live tomorrow night. http://www.smodcast.com.

So how did Southwest handle this “brand attack”? Southwest did respond with the following:

“I’ve read the Tweets all night from @thatkevinsmith–He’ll be getting a call at home from our Customer Relations VP tonight.

@thatkevinsmith Again, I am very sorry for the experience you had tonight. Please let me know if there is anything else I can do.

“Mr. Smith originally purchased two Southwest seats on a flight from Oakland to Burbank—as he’s been known to do when traveling on Southwest. He decided to change his plans and board an earlier flight to Burbank, which technically means flying standby. As you may know, airlines are not able to clear standby passengers until all Customers are boarded. When the time came to board Mr. Smith, we had only a single seat available for him to occupy. Our pilots are responsible for the Safety and comfort of all Customers on the aircraft and therefore, made the determination that Mr. Smith needed more than one seat to complete his flight. Our Employees explained why the decision was made, accommodated Mr. Smith on a later flight, and issued him a $100 Southwest travel voucher for his inconvenience.”

But the damage had already been done. How would a $100 voucher actually make this alright? How was the employee who was handling the Southwest Twitter feed supposed to handle this without guidance? The employee who kicked Kevin Smith off the plane certainly didn’t consider the social media storm that would follow, and not having a response in place shows a lack of social media policy development by the Human Resources department. They were following company guidelines. Employee education has to be a major part of human resource policies going forward, but the case can be made that, at a corporate level, the policy to remove people from the plane will always result in someone being offended. Changing that policy goes beyond the scope of what we are discussing here.

Because each company is different and employees jump between companies, a standard security training regimen should be in place. Many employees are not security inclined and are not aware of what a true risk is to the organization. With the rapid change in the security landscape with each new social media platform being launched, almost on a daily basis, no employee can keep up without help. All employees must assist the organization in protecting the security of information they disseminate in the social media space and know when there is a potential problem with how they’re communicating, and be cognizant that they are part of the overall solution. Training can be done through web-based portals, webinars, posters, and reminders, monthly e-mails and more. But it has to be consistent and ongoing. Key aspects of employee training should include:

Detecting and avoiding social engineering attacks

Recognizing competitive intelligence probes from unknown “friends”

Choosing strong passwords and changing them regularly

Protecting sensitive information

Implementing basic PC security

Basic understanding of encrypted access to web sites

Employing E-mail safeguards

Recognizing and dealing with viruses, malware, and Trojans

Reporting suspected security violations

Reporting security vulnerabilities

Recognizing the dangers of working on unsecure computers when visiting new social media sites

Recognizing phishing and identity theft

Understanding safe web surfing practices

Understanding the risks of data leakage

Understanding when they can get the company in trouble for regulatory noncompliance

Understanding the dangers of sharing too much information over social networks

Knowing software and copyright laws when posting information

Understanding privacy concerns with their own data and customer data

Encrypting data and data destruction

Training on all aspects of the social media policy

Knowing when and how to use the company name

Knowing when to disclose information about themselves or the company

Once the social media policy has been developed and disseminated and employees have been trained, human resources has to work with IT Security to track violations and have a proper response ready when violations occur. Employees have to understand the ramifications of violating the policy and damaging the company brand or compromising customer data. The tools need to be in place for monitoring and reporting and knowing when to involve the Human Resources department for reprimand, termination, or prosecution.