Social media is part of today’s businesses. Excluding the personal and personnel aspect of social media in the workplace, most companies now have a sprawling public infrastructure of hundreds of social accounts including Facebook pages, Twitter accounts, YouTube channels, and more, all being run on behalf of the brand.
What most companies haven’t come to grips with is the corresponding compliance risk of brand-owned social infrastructure. That infrastructure is susceptible to everything from being hacked to being the source of company compliance violations and liabilities from poor content handling.
Here are the top five things that will cause a company to fail a compliance check and how to address them.
1. Lack of updated training, guidelines, and automated guideline enforcement:
With the waves of coverage on social risks and compromises there has been a corresponding push for companies to create guidelines and training. Companies absolutely need these guidelines, and technology for policy enforcement, around 3 distinct areas of social touch points.
- First, guidelines are needed for employee personal use of social networks and their responsibility to the company during and after work hours.
- Second, guidelines are needed for employee use of social networks on behalf of the company and on company owned social accounts.
- Third, guidelines are needed for 3rd party content and participation on the company’s owned social accounts.
With focus and, if needed, expert help, these policies and the technology to enforce them can be implemented.
2. Lack of experience with regulated data, liability, and compliance requirements by the primary operators of social accounts and programs:
The employees that typically manage social are usually new to compliance-related acronyms like IAM, DLP, PII, FINRA, SOX, HIPAA, etc. At the same time, the compliance and security teams focused on those issues probably aren’t doing social community management or running campaigns on social accounts. That gap is where best intentions result in misaligned access control, improper handling of content, and lack of proof of actual policy enforcement. This can be addressed by basic collaboration and technology where, instead of being ignored for saying ‘no’, compliance teams can add guardrails and process to safely enable social.
3. Not knowing how many accounts the company owns across which social networks being run by which regions, departments, and groups:
If a company doesn’t know what accounts are being run by which groups, departments, and regions, then it has little chance of making sure that the right controls, logs, and archives are in place. This should be self-evident, and many companies are taking steps to have inventories of their social accounts, but the approach of having a staff member or an agency doing one-off searches with spreadsheet tracking is not efficient, effective, or consistently reliable. Just like network and desktop inventory and tracking systems, companies should use a technology system that allows them to create an asset map with persistent tracking and discovery.
4. Not knowing which applications and what users have access to the company’s social accounts:
The failure to understand that each account is its own operating environment that always has multiple applications installed on it is a massive compliance gap (e.g. Facebook alone has millions of apps). Apps include everything from publishing systems like Hootsuite, Marketing Cloud, Spredfast, and This Moment to mobile apps like Twitter for iPhone, Facebook for iPad, Google+ for Android, and more. For example, if compliance relies primarily on a publishing application with a pre-publishing check and workflow, but it can’t be reliably proven that only that app is used to publish, then compliance has automatically been failed. The same goes for proving account control and defense against hacks. If the company has more than one app installed on an account, as all companies do, each app and each user of each app is a potential backdoor to the account being hacked and a failing compliance
To deal with the app and user compliance gap, companies should use technology that persistently audits accounts for applications and users, enforces policies around which apps can publish on which accounts, and produces reports for compliance audits proving application policies and policy enforcement.
5. Little understanding and usage of security and compliance technology for social infrastructure:
Most social and compliance teams aren’t aware of the different technologies required for security and compliance. Additionally, it is easy to be confused between the capabilities of an app for itself vs. the security capabilities of an app for the social account. Referring to point 4, just because an app has a great workflow and good role-based controls in no way means that app has solved access and app controls for the company’s social account. A better way to approach compliance is to focus on 3 key technology layers.
- First, any regulated company should, and often must, use archiving on their social accounts. The best approach is to leverage the established archive that is already in place for email combined with intelligent content tagging and forwarding to that archive.
- Next, selecting and approving a specific set of publishing apps, preferably with roles and a workflow for pre-publishing scanning and checks. As noted, it is improbable and impractical to use only one app to interact with social accounts, but the company should select a primary marketing suite and a short list of other approved apps vs. just claiming ignorance.
- Last, to actually deal with compliance, companies need technology that tracks and audits their accounts, enforces intelligent archiving, enforces usage of only approved apps, removes content that violates policies, handles account tampering, and provides incident logs and reports. This final layer is what protects the infrastructure while providing the proof of actual controls and process to deal with issues that internal and external compliance auditors require.
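The audit described in point 4 (which apps and users hold access to each account) and the enforcement layer in the third bullet above (only approved apps, archiving in place, a report for auditors) boil down to one recurring check: compare what is actually installed on every owned account against the approved-app policy and produce findings. The following Python script is an added illustration of that check and is not code from the original article or from any vendor it names. The inventory, app names, scopes and the "Archive Forwarder" archiving app are constructed sample data; a real deployment would populate the inventory from each network's app-authorization listing, which is an integration this example assumes rather than performs.

```python
"""Audit a social-account inventory against an approved-app policy.

Constructed example: every account, app and user below is made up to
illustrate the check; nothing is pulled from a real social network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class InstalledApp:
    name: str
    granted_by: str          # user who authorized the app on the account
    scopes: List[str]        # e.g. "read", "publish"


@dataclass
class Account:
    network: str
    handle: str
    owner_department: str    # "" when the inventory does not know who runs it
    apps: List[InstalledApp] = field(default_factory=list)


# Policy: which apps may hold publish rights on which network.
# The app names are hypothetical entries for this example.
APPROVED_PUBLISHERS: Dict[str, Set[str]] = {
    "facebook": {"Marketing Cloud", "Hootsuite"},
    "twitter": {"Marketing Cloud", "Hootsuite", "Twitter for iPhone"},
}

# Hypothetical app that tags content and forwards it to the e-mail archive.
ARCHIVING_APP = "Archive Forwarder"


def audit_accounts(inventory: List[Account]) -> List[dict]:
    """Return one finding per policy gap found across the inventory."""
    findings: List[dict] = []
    for acct in inventory:
        loc = f"{acct.network}:{acct.handle}"
        # Point 3: an account nobody owns cannot have controls assigned to it.
        if not acct.owner_department:
            findings.append({"account": loc, "issue": "unowned_account",
                             "detail": "no department assigned"})
        # Point 5, first layer: archiving must be wired up on every account.
        installed = {a.name for a in acct.apps}
        if ARCHIVING_APP not in installed:
            findings.append({"account": loc, "issue": "no_archiving",
                             "detail": f"{ARCHIVING_APP} not installed"})
        # Point 4: any app that can publish must be on the approved list.
        approved = APPROVED_PUBLISHERS.get(acct.network, set())
        for app in acct.apps:
            if "publish" in app.scopes and app.name not in approved:
                findings.append({"account": loc, "issue": "unapproved_publisher",
                                 "detail": f"{app.name} granted by {app.granted_by}"})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by issue type, the shape an audit report usually wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed inventory: one well-run page with a stray mobile app that can
# publish, and one regional account with no owner and no archiving.
SAMPLE_INVENTORY: List[Account] = [
    Account("facebook", "acme-brand", "Marketing", [
        InstalledApp("Marketing Cloud", "alice", ["read", "publish"]),
        InstalledApp("Archive Forwarder", "compliance-svc", ["read"]),
        InstalledApp("Facebook for iPad", "bob", ["read", "publish"]),
    ]),
    Account("twitter", "acme_emea", "", [
        InstalledApp("Hootsuite", "carol", ["read", "publish"]),
    ]),
]


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_INVENTORY)
    for r in results:
        print(f"{r['account']:<22} {r['issue']:<22} {r['detail']}")
    print("summary:", summarize(results))
```

Run on the sample inventory this reports three gaps: the iPad app that can publish to the Facebook page outside the approved set, and the EMEA Twitter account that has no owner and no archiving app. The value of the check is that it is repeatable: scheduled against a live inventory it gives the persistent audit and the evidence trail the article asks for, rather than a one-off spreadsheet search.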
Risks and incidents will only increase as the primacy of social as a business channel increases. Companies will only be able to take full advantage of social by acknowledging that and taking the appropriate policy and technology steps to enable compliance and mitigate risk.