(A guest blog by Catapult Chicago Corporate Sponsor, Marsh, originally posted on Catapult's website at www.catapultchicago.com)
Social Media Strategy Should Include Risk Evaluation
by Bob Parisi, network security and privacy practice leader at Marsh
Virtually all companies today rely to some degree on technology, and most are aware of the inherent information security risks. But the risks arising from social media and social networking are less clear to many. This may be especially true — and concerning — for startup companies that rely on social media for their marketing but, of course, don’t have a dedicated risk management position.
The ever-increasing business use of social media — and the blurring lines with its personal use — makes it imperative for businesses to fully understand, evaluate, and mitigate these risks.
Social Media Risk
Social media relates to content such as blogs, online video sharing, comments about others posts, and so on. And like any technology, social media brings risks, including:
The loss of intellectual property through sharing of copyrighted and trademarked information.
Personal injury — libel or defamation risks — stemming from an individual’s defamatory remarks on a social media network for which the employer is held responsible.
The spread of inaccurate or intentionally false information about a company’s operations, particularly during critical periods — for example, ahead of a corporate earnings announcement or following a natural disaster.
Negative and quick-spreading commentary from social media users about a company’s business practices — such as its customer service or charitable donations.
Without savvy management of social media risks, organizations could see sudden and material impacts to their brands and market values. Just consider that one video that “went viral” about an airline’s poor customer service was accompanied by a 10% drop in that company’s stock price.
Social media also allows hackers to find new ways to infiltrate corporate networks. For example, social media users regularly share seemingly harmless personal data (dates/places of birth, names of relatives/pets, education history, etc.). Is this the same type of information beings used to create corporate passwords, or as answers to security questions? A hacker may only need to have access to an individual’s public social media profile and know the employer’s email naming convention (e.g. [email protected]) to access a corporate email system, intranet, and, potentially, its most valued corporate and customer information.
Establishing Social Media Policies
The easy ways to eliminate social media risks … don’t exist. A company can’t simply stop conversing on social network — others are only too happy to keep the conversation going without you. Blocking employees’ access at work will not prevent them from using social networks elsewhere.
But there are steps you can take to reduce exposures, starting with a firm-wide social media policy and procedure. A corporate policy should, among other things:
Identify those with the authority to post, what information they can post, which social media they can post to.
Ensure that any postings to social media are coordinated with necessary disclosures through traditional means of communication (e.g., press releases or earnings statements).
Consider all legal requirements, including employment and intellectual property law.
Ensure appropriate training for all employees.
Be reviewed and updated on a regular basis.
Address differences between professional and personal use of social media.
Provide for training on such issues as maintaining secure passwords and identifying phishing attacks.
Assessing the Risk
Beyond establishing social media use policies, companies should consider social media as part of their broader approach to managing cyber risks, including insurance. Risk assessments, for example, may demonstrate how social media might contribute to network security exposures, such as theft of intellectual property.
Privacy and computer security insurance can provide direct loss and liability protection for risks created by the use of technology and data in day-to-day operations — including social media. Among other things, such policies are able to address:
Protection for claims arising from a failure of computer security to prevent or mitigate a computer attack.
Protection for claims arising from a disclosure or mishandling of confidential information — whether electronic or hard copy.
Protection for the intentional acts of rogue employees and vicarious liability for a privacy breach by third-party vendors or business process outsourcing firms.
Coverage for defense of regulatory actions including affirmative coverage for assessed fines and penalties.
Managing Social Media’s Risks and Rewards
It’s hard to imagine a startup not having a social media presence. But like any powerful new tool, social media comes with unforeseen, emerging, and evolving risks. Protecting against those risks requires a mix of sound policy, awareness of regulations, risk mitigation, and insurance.
Marsh is a global leader in insurance broking and risk management. You can learn more by visiting Marsh’s Communication, Media & Technology (CMT) website or their Cyber toolkit.
