The Facebook data management and privacy accusation that implicated and ultimately led to the insolvency of the data analytics firm Cambridge Analytica earlier in 2018 (The Guardian, 2018) highlighted yet another aspect of the cyber risk phenomenon that has become part of everyday life for most people: the need to protect privacy in an age in which personal information is a tradeable commodity.
The magnitude of the rise of social media can be easily demonstrated if we consider two of the major companies involved. Twitter, the global messaging platform, witnessed an increase in user numbers from approximately 30 million in 2010 to over 336 million in 2018 (Statista, 2018a). Facebook, the social network company, experienced an increase in users from approximately 100 million in 2008 to over 2.19 billion in 2018 (Statista, 2018b).
The benefits of social media are obvious to many. One particular example is Donald Trump, 45th President of the United States of America, who has authored over 38,000 tweets (messages) since 2009, and averages 11 tweets per day (twitter counter, 2018). Recognising the power of the medium, he frequently uses the Twitter platform to communicate his thoughts and views to a following of over 53 million registered users, many of whom may forward those messages on to others. He has gone on record to admit that he doubts he would have become the American President without the use of Twitter (The Independent, 2017).
Of course, many organisations also recognise the benefits of social media and use it as a marketing tool, to provide essential information to stakeholders or to improve customer relationships through real-time engagement.
The advantages include greater efficiencies, enhanced brand reputation, real-time interaction and feedback, and reduced costs when compared to more traditional delivery methods.
Most technological advances introduce new risks which need to be managed, and social media is not excluded from this.
For example, in April 2018 an EasyJet pilot was sacked after he and his co-pilot were caught using the social media tool Snapchat (Eloise Craven-Todd, 2018). Innocent enough, you may think, but in this instance they were in control of a passenger plane at 30,000 feet at the time. The pilot was using his own personal account; however, he was doing so during the course of his employment and potentially endangering the aircraft through such a distraction. Had EasyJet not acted quickly to resolve this issue, the consequences to the company may have been significant, such as intervention by the Civil Aviation Authority and reputational damage leading to reduced passenger numbers and profits.
Public sector organisations are not immune from the risks posed by the use of social media. Recent history provides reported examples of police officers being disciplined (BelfastTelegraph.co.uk, 2017) or sacked (Telegraph.co.uk, 2014), and of council workers suffering similar consequences, for similarly inappropriate behaviours which may bring the respective organisations into disrepute (The Independent, 2016).
As we have seen, social media platforms themselves are not the risk in the events cited above – it is the way employees utilise these platforms that can potentially create harm to an organisation. Employees must be educated about the risks that the use of social media platforms may create so that their behaviours may be positively influenced. Consider the following:
(a) Your business
Understand the type of organisation you are and your objectives. Are you a company that embraces social media for gain / brand / reputational enhancement? Do you rely on it to communicate and gauge the views of your stakeholders? Failures in managing social media risk can potentially impact upon these objectives.
Consider the legal implications including, but not limited to, the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000, the Computer Misuse Act 1990, and the General Data Protection Act 2018. Failures in managing social media risk, such as the sharing of personal or sensitive information, may potentially expose the organisation to regulatory action and fines from prosecution.
(c) Risk Management
Organisations should exercise good governance and risk management practices through the process of risk assessment. This process will create focus upon the threats to your social media / communications strategies and reputation through unauthorised or inappropriate messaging by your employees. This will help you to identify where the most likely risks will occur, what the magnitude of impact may be, and how you should control these risks and mitigate any damage.
(d) Your employees, which type are they:
Official authorised – Employees with responsibility for managing, monitoring, and responding to Council social media sites.
Personal occasional – Those who use it occasionally as a personal communication tool.
Personal habitual – Those who use it habitually for personal purposes during their free time, which may include break times during the working day.
Personal refrainer – Those that do not have an account and refuse to interact with any social media.
Employees at all levels of the organisational hierarchy can potentially create an adverse event which may impact upon the organisation. Consider which groups of employees would pose the highest threat. Understand how this may come about and then develop your social media policy and control system:
Provide awareness training, guidance and information for all levels of the organisational hierarchy.
Implement the social media policy and issue associated guidance and ensure all employees understand them and the consequences of failure to adhere to them, including the potential for disciplinary action.
Continually monitor the use of social media platforms to ensure standards are being adhered to. Where behaviours fall below expectations and defined standards, learn lessons and seek improvements through corrective actions.
Management should conduct regular reviews of the social media policy, including adherence, to ensure that it continues to be fit for purpose. Social media platforms are evolving and so are the methods of interaction by users – your policy must evolve over time to reflect changes in platforms and behaviours.
Social media provides easy access platforms for organisations to access potentially large numbers of people quickly and efficiently in order to improve brand awareness, real-time stakeholder interactions and relationships, customer services, and communications. The benefits can be gained across all industries and sectors.
Many large organisations use social media successfully, recognising employees as brand ambassadors and encouraging them to use social media platforms. Balancing the potential upsides against the potential downsides is essential in these circumstances. As an example, Coca Cola (The Coca-Cola Company 2016) has set 5 key principles to be adhered to by its employees. One principle states ‘You are responsible for your actions. We encourage you to get online and have fun, but use sound judgment and common sense’.
Common sense and sound judgement may not always be fully relied upon. People do not always behave as they may be expected to. Behaviours are often influenced by contextual issues. Like Coca Cola, you may wish to encourage social media use, but a balance must be struck as you also have to ensure that social responsibility is respected and adhered to through compliance with your social media policy. All levels of the organisational hierarchy need to appreciate their responsibilities when using social media platforms and the potential consequences that they and the organisation are exposed to in the information age.