The Facebook data management and privacy accusation that implicated and ultimately led to the insolvency of the data analytical firm Cambridge Analytica in 2018 (The Guardian, 2018) highlighted yet another aspect of the cyber risk phenomenon that has become part of everyday life for most people: the need to protect privacy in an age in which personal information is a tradeable commodity.
The magnitude of the rise of social media can be easily demonstrated if we consider two of the major companies involved. Twitter, the global messaging platform, witnessed an increase in user numbers from approximately 30 million in 2010 to around 330 million in 2019 (Statista, 2019). Facebook, the social network company, experienced an increase in users from approximately 100 million in 2008 to over 2.6 billion in 2019 (Statista, 2020).
The benefits of social media are obvious to many. One particular example is Donald Trump, 45th President of the United States of America, who recognised the power of the medium. He frequently uses the Twitter platform to communicate his thoughts and views to a following of over 79.7 million registered users, many of whom may like and share those messages with others. His unprecedented use of the social media platform as one of his primary means of presidential communication appears to be effective from a big-picture perspective, as over three-quarters of Americans say they see, read or hear about Trump’s tweets a lot or a fair amount (Gallup, 2018). He has gone on record to admit that he doubts he would have become the American President without the use of Twitter (The Independent, 2017).
Of course, many organisations recognise the benefits of social media and use it as a marketing tool to provide essential information to stakeholders or to improve customer relationships through real-time engagement.
The advantages include greater efficiencies, enhanced brand reputation, real-time interaction and feedback, and reduced costs when compared to more traditional marketing and engagement methods.
Most technological advances introduce new risks which need to be managed, and social media is no exception.
For example, in April 2018 an EasyJet pilot was sacked after he and his co-pilot were caught using the social media tool Snapchat (Eloise Craven-Todd, 2018). Innocent enough, you may think, but in this instance they were in control of a passenger plane flying at 30,000 feet at the time.
The pilot was using his own personal account; however, he was doing so during the course of his employment and potentially endangering the aircraft through such a distraction. Had EasyJet not acted quickly to resolve this issue, the consequences for the company may have been significant, such as intervention by the Civil Aviation Authority and reputational damage, possibly leading to reduced passenger numbers and profits.
It’s not just the private sector that has to deal with the risks posed by the use of social media. Recent history provides examples of police officers being disciplined for social media posts (The Washington Times, 2020) and of council workers suffering similar consequences for similarly inappropriate behaviours, which may bring the respective organisations into disrepute (The Independent, 2016).
In the Higher Education sector, the University of Essex was criticised in 2018 for its response to a tweet from another university who were attempting to use new technology in the clearing process (Inside Higher Ed, August 2018).
Social media platforms in themselves are not the risk in the events cited above – it is the way employees interact with others within these platforms that can potentially create harm to an organisation. Employees must be educated about the risks that the use of social media platforms may create so that their behaviours may be positively influenced. Consider the following:
(a) Your business
Understand the type of organisation you are and your objectives. Are you an organisation that embraces social media for gain / brand / reputational enhancement? Do you rely on it to communicate and gauge the views of your stakeholders? Failures in managing social media risk can potentially impact upon these objectives.
Consider the legal implications including, but not limited to, the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000, the Computer Misuse Act 1990, and the General Data Protection Act 2018. Failures in managing social media risk, such as the sharing of personal or sensitive information, may potentially expose the organisation to regulatory action and significant fines from prosecution.
(c) Risk Management
Organisations should exercise good governance and risk management practices through the process of risk assessment. This process will create focus upon the threats to your social media / communications strategies and reputation through unauthorised or inappropriate messaging by your employees. This will help you to identify where the most likely risks will occur, what the magnitude of impact may be, and how you should control these risks and mitigate any damage that may occur.
(d) Your employees, which type are they:
Official authorised – Employees with responsibility for managing, monitoring, and responding to Council social media sites.
Personal occasional – Those who use it occasionally as a personal communication tool.
Personal habitual – Those who use it habitually for personal purposes during their free time, which may include break times during the working day.
Personal refrainer – Those that do not have an account and refuse to interact with any social media.
Employees at all levels of the organisational hierarchy can potentially create an adverse event which may impact upon the organisation. Consider which groups of employees would pose the highest threat. Understand how this may come about and then develop your social media policy and control system:
Provide awareness training, guidance and information for all levels of the organisational hierarchy.
Implement the social media policy and issue associated guidance and ensure all employees understand them and the consequences of failure to adhere to them, including the potential for disciplinary action.
Continually monitor the use of social media platforms to ensure standards are being adhered to. Where behaviours fall below expectations and defined standards, learn lessons and seek improvements through corrective actions.
Management should conduct regular reviews of the social media policy, including adherence, to ensure that it continues to be fit for purpose. Social media platforms are evolving and so are the methods of interaction by users – your policy must evolve over time to reflect changes in platforms and behaviours.
Social media provides easy access platforms for organisations to access potentially large numbers of people quickly and efficiently in order to improve brand awareness, real-time stakeholder interactions and relationships, customer services, and communications. The benefits can be gained across all industries and sectors.
Many large organisations use social media successfully, recognising employees as brand ambassadors and encouraging them to use social media platforms. Balancing the potential upsides against the potential downsides is essential in these circumstances.
As an example, Coca-Cola (The Coca-Cola Company, 2009) once set out a social media policy in which it detailed 5 key principles to be adhered to by its employees. It encouraged all of its associates to explore and engage in social media communities, emphasising the need to have fun, but be smart, through the application of sound judgement and common sense.
Common sense and sound judgement may not always be fully relied upon. People do not always behave as they may be expected to. Behaviours are often influenced by contextual issues. Like Coca-Cola, you may wish to encourage social media use, but a balance must be struck as you also have to ensure that social responsibility is respected and adhered to through compliance with your social media policy. All levels of the organisational hierarchy need to understand their responsibilities when using social media platforms and the potential consequences that they and the organisation are exposed to during their use.