Social Media Risks and Controls

By: infosectdk

July 14, 2016

For many, the use of social media is second nature, but care should always be taken. This is particularly true in the case of the use of corporate Twitter accounts, and how your organization is represented to the outside world. It’s not a case of acceptable use policies (AUP), but more about common sense.

This list is not exhaustive and additions can be made.

 Risks
  • People may post derogatory or inappropriate comments about the organization or staff on social media website walls.
  • Usernames and passwords may be shared between staff who update information.
  • Information entered could contain inappropriate content, confidential information, personal information or whereabouts.
  • Photos or video of events may contain images of other people. Data/identity protection - no consent.
  • The company does not have control over how long social media sites hold information, videos and photos.
  • Email accounts used to register on social media are prone to scams, spam and malicious emails.
  • Usernames and passwords may get compromised if the account is accessed from a non-work computer (home, Internet café, etc.) or auto logon is enabled.
  • Many people can't separate business and personal use of social media sites during work time.
  • The organization has little control over configuration and functionality of social media websites.
  • Weak passwords may not be changed regularly.
  • Social media sites can be compromised or axed.
  • When authorized social media users leave the organization or change jobs, social media details (username, password and password hint) aren't usually changed.
  • Users may download apps or click on links containing malware.
  • Some parts of social media sites may be blocked (like web email features). Yet these parts may have to be unblocked, bringing additional risks.
  • Companies may have no control of who's posting company information (if the username and password are shared).
  • Information is not kept up to date and in line with other websites/channels.
  • Sometimes, copies of company copyrighted material may be made by external users, or the company may breach the copyright of others by not seeking permission.
 Controls
  • Periodical spot checks can be performed directly on respective channels and with channel owners / facilitators to ensure robust monitoring is being conducted.
  • Companies may restrict syndication where necessary via user accounts. Also, they may monitor other sites for copies of content.
  • Use of robust passwords and controlled distribution of user account information can mitigate risks.
  • Regular monitoring and moderating of comments can ensure few personal details or dangerous information is released.
  • Ensure staff reads and understands company policies on employee protocols for business use of social media.
  • All essential information should be published on the organization's website. Channels should always signpost back to the organization's website - as far as possible.
  • Use anti-spam facilities available to reduce impact.
  • Ensure staff understands roles and responsibilities around user account management.
  • As part of user account management, ensure passwords are changed whenever staffing changes occur.
  • When any functionality changes, additional risks should be identified and necessary additional controls put in place.
  • Clear indications of company copyrighted material should be made by use of either a watermark or Creative Commons Attribution.
  • If a generic logon is required, a log can be maintained to show login statuses. If there's a breach, the log can be useful.
  • Restrict open-ended posting of items on social media walls.
 - Thanks -

Image by @infosectdk