Social Media Policy: Assess RisksOrganizations Must Gauge Various Sources to Learn Risks
"To perform an effective risk assessment you have to gather data from various sources," says Del Giudice, senior manager of IT risk services at Crowe Horwath.
Organizations need to engage their employees' awareness of social media, as well as the public's view of the organization. Using the information they obtained, organizations can analyze the elements that may be presenting increased risks in order to prevent privacy violations.
Once data is gathered, a workshop should be conducted with upper management and key stakeholders, Del Giudice says, to discuss the risks that were discovered and develop ways to mitigate them.
"A few key ways to [mitigate risks] are to develop strong policies and documentation around your social media strategy and acceptable use of social media, and then to do some various training methods to reinforce those ideas to your employees," says Del Giudice in an interview with HealthcareInfoSecurity's Howard Anderson [transcript below].
Because organizations can use social media for many purposes, Crowe Horwath recommends creating a multi-disciplinary team to develop policies. The team should include representatives of the human resources, legal, information technology, marketing, risk management, public relations and compliance departments.
In an interview, Del Giudice explains other recommended steps, including:
- Document current and intended social media use. For example, if a human resources department intends to use social media for recruiting and hiring purposes, that will require the creation of policies about allowable uses of information gathered.
- Perform a risk assessment. A key component of this effort, Del Giudice says, is to conduct a workshop with upper management and key stakeholders to discuss all risks identified so they can be mitigated.
- Expand current policies to include social media and implement safeguards. For example, organizations may want to expand their information security policy to explain the potential for downloading malware by clicking on a malicious Facebook page, she says. In addition to adding new details to existing policies, organizations may also want to create a freestanding social media policy to highlight key issues, she adds.
- Provide social media training. It's important to provide frequent updates with reminders about security incidents in the news, she says.
- Monitor social media channels. By tracking mentions of their organization on social media, Del Giudice says, executives can use the information to adjust their marketing message, offer personalized replies to negative comments and capitalize on positive comments.
HOWARD ANDERSON: Why don't you tell us a little a bit about your role at Crowe Horwath?
ERIKA DEL GIUDICE: I am the senior manager at Crowe Horwath and I'm in IT audit practice, which is part of our risk consultant business unit, and I've been with the firm for 11 years, and I've been the leader in developing our social media service offering and reaching out to our clients in the social media space.
Multi-Disciplinary TeamANDERSON: As organizations make broader use of social media for marketing and other purposes, they must develop a social media policy that addresses all the risks involved. I understand your firm recommends a six-step approach, so let's walk through that approach. The first step is to engage a multi-disciplinary team to develop the policy. You say it's important to document all current and intended social media use before developing a policy. Why is that?
DEL GIUDICE: You need to understand how you are currently using social media in your organization, and how you intend to use it, before you can define policies around social media. One of the key points and parts of developing a policy is to understand how the social media use aligns with the organizational objective. How a company is using social media may dictate how they want their employees to use social media and what they may want them to do on different social media sites or on their own Facebook page or Twitter handles. For example, if you decide to use social media for recruiting purposes, you may have specific policies on how to use information that you get from social media sites without violating any protective class information or violating any laws in hiring those potential candidates. Just having those intended uses really drives what policies you are going to develop, and how you may modify any existing policies for your employees.
Risk AssessmentsANDERSON: Performing a risk assessment specific to social media is a vital step. Explain how that formal review of risks should be conducted, and what action can be taken to mitigate risk identified, such as risk to patient privacy in healthcare or to reputational harm for any organization.
DEL GIUDICE: The risk assessment is a key aspect of this as you mentioned, and to perform an effective risk assessment you have to gather data from various sources. You want to engage not only your employees' awareness of social media, but also the public's view of your organization and see how those elements may be presenting increased risks to your organization. Once you gather the data from your employees and from the public, it's helpful to conduct a workshop with upper management and the key stakeholders of the organization to discuss risks that you've come up with along with other risks in the industry. There may be things not only from the employee data that you gather, or the public monitoring data that you gather, but there may be other risks specific to your industry that you want to consider, talking though those with the key stakeholders. And the likelihood of impact of those affecting your organization, the potential damage that those risks can present to your organization, is really key in conducting your risk assessment.
One of the other pieces is identifying the mitigating controls that are in place so you know where to focus your effort. Once you conclude with a risk assessment in strengthening and enhancing controls, and depending on what your risk assessment tells you, there are certainly many ways to mitigate risk. A few key ways to do that are to develop strong policies and documentation around your social media strategy and acceptable use of social media, and then to do some various training methods to reinforce those ideas to your employees, and make sure you conduct that training frequently. A third way to mitigate risk is to do monitoring of your organization with a social CRM [customer relationship management] tool to understand what the public is really saying about your organization and how that may effect your reputation, whether that is positively or negatively.
Expanding Current PoliciesANDERSON: You recommend expanding current policies including information security policies to cover the use of social media. Can you explain that please? And in addition, should organizations develop a separate social media policy to highlight and consolidate guidelines?
DEL GIUDICE: We've seen several different ways of developing policies and either combining them or creating one standalone policy. What we try to convey is that social media is really just another form of communication, and in many cases the existing acceptable use policy in code of conduct and employee handbooks may already cover social media from a general communications perspective, what not to say whether you are talking at the water cooler, in the parking lot, your e-mailing, your texting, your tweeting; all of that is just a form of communication. However, there are some risks that employees need to be aware of, so expanding various policies like information security policies to help explain the potential for viruses or malware from clicking on a malicious Facebook link or expanding your current HR policies to explain the risks of Facebook, of using Facebook to hire candidates, will further help employees understand the various areas that affect an organization and how to mitigate some of those risks.
There also may be guidance from the FTC or Section 7 of the National Labor Relations Act that you want to emphasize to your employees, or on the flip side make sure that you're not violating those regulations by telling employees that they can't do something. Then of course, depending on the industry, there are regulations from FINRA [Financial Industry Regulatory Authority] and others that may affect organizations and they'll certainly want to pull that information and put that into their policies. It's certainly up to an organization if they want to create a standalone social media policy or work that into existing policies. I think the social media specific things they may want to have in a standalone or a specific section of a policy so that it's easy to update going forward, but as I mentioned social media being just another form of communication, I think that just needs to be reemphasized to employees so they understand posting on Facebook is really no different than talking at the water cooler or sending an e-mail.
Social Media Training ProgramANDERSON: You recommend initiation of a social media training program. Please describe what that should include?
DEL GIUDICE: Training on social media is really key and frequent communication is going to be more important with social media than any other topic area that we've seen. Giving people real-world examples, bringing new stories and current events that have happened will really help reinforce what you should and should not do and give examples of things that have happened to other organizations that may be similar to yours.
I think in-person training is really key and is the easiest way to get that point across and make sure that you've got people's attention, also giving them examples of appropriate and inappropriate things that they should be posting or tweeting or putting out on YouTube, so that they understand the difference between saying something like, "Going to Miami for a week of training," or saying they are going to Miami for a week of training for something very specific that may impact their organization or give a competitor an edge on what they are doing and so forth. Having that in-person training, real world examples and keeping it fresh and constant will really help get the message across to employees, and doing that on a periodic basis or giving periodic reminders, e-mails, notes in the break room or sending out frequent memos will help reinforce that as well.
Monitoring ChannelsANDERSON: Finally, you call for monitoring social media channels. Why is that important and describe how it should be done?
DEL GIUDICE: There are many tools that you can look into for social monitoring or CRM tools, and there are definitely some free tools that are out there. Many of the tools that I have seen have the capability to review positive and negative or neutral sentiment of comments, geographic location of individuals who have posted the comments, and various other pieces of analysis and data that you can review from a monitoring perspective. The tools pull of course only the comments that are public comments. Anything that is behind a password is typically not able to be pulled from these tools, but it's important for organizations to monitor what people are saying, what is the public chatter about their organization, and what they are offering to consumers.
Organizations can use this data to adjust their message. Many of these tools have the capability to redirect any negative comments or reply to negative comments if you so choose to, and you can certainly use this data to potentially capitalize on positive comments that can help an organization's reputation and customer loyalty.