Manage Learn to apply best practices and optimize your operations.

Set social media risk management policies by preparing for the worst

With social media, mistakes can (and do) happen. When developing a social media risk management strategy, it's best to prepare for worst-case scenarios. Here are four of them.

Social media can be used as a tool or a weapon, and it’s important to be aware of the powers and the dangers inherent to it. I will probably let my young son tweet before I let him use my chainsaw, but the warning lecture will be no less graphic.

Adrian Bowles
Adrian Bowles

We may have just seen the first -- but far from the last -- high-profile case of professional suicide by Twitter. Rep. Anthony Weiner (D-N.Y.), made several technical and tactical errors with social media that contributed to his resignation after lewd photos were displayed to the world via Twitter.

In a similar case receiving less coverage in the United States, Canadian political candidate George Lepp tried to explain a questionable photograph by claiming it was taken inadvertently when his BlackBerry was in camera mode in his front pocket, and sent out by an unknown person. This impossible account led to a very public and embarrassing search for plausible alternative explanations.

Both are cases of easily avoidable injury, so perhaps it’s time to consider a few social media risk management guidelines to stem the tide of such needless incidents.

Social media provides a set of tools. Results will largely depend on understanding how the technology works, and how others may exploit it. It is easy to go too far in constraining the use of social media, which deprives users of many of the benefits. For example, in my town the board of education recently enacted a social media risk management policy for teachers and administrators. It sparked a backlash, as the policy explicitly forbade a variety of generally innocuous activities in an attempt to prevent some serious problems. However, those were already covered by existing policies and common sense. In other words, it ruled out the possibility of positive interaction between teachers and students to avoid potentially damaging ones.

A balance between draconian measures and anarchy surrounding social media risk management is required. With that in mind, here are four assumptions to provide a starting point for social media risk policies for individuals and enterprises.

Assume that you will make mistakes. Forgetting to put a “d” at the beginning of a DM (direct message in Twitter -- one that can be seen by only an individual recipient) is basic, but everyone I know has a personal story of (t)error on this one. In my own experience, it has been known to happen when I use TweetDeck on my iPhone from a train without bothering to put on my glasses. Committing this common error started the public unraveling of Anthony Weiner.

Policy implication: Nothing that could conceivably damage the safety, security or reputation of you or your enterprise should be transmitted by DM. This means that messages must be classified according to the potential risk of unrestricted distribution. Any item that has a high risk should be transmitted using encryption, or at the very least to only individuals known to follow these policies themselves.

Assume that others will make mistakes. Countless cases of individuals sending emails inadvertently using “Reply All” should have taught us that nobody can be counted on to be error-free. The analogs with social media include responding to someone on their (public) Facebook wall instead of sending a private message, or having the recipient of a DM respond with a public message. It happens. Plan for it.

Policy implication: Make it difficult for others to expose your secrets through carelessness. Do not use social media for antisocial messages.

Assume that someone is out to get you. Paranoid? Perhaps, but who in business or politics has nobody who would delight in their downfall? Weiner may have sent pictures to individuals who appeared willing to receive them, but his enemies soon convinced recipients to share the pictures for political purposes.

Policy implication: Recipients of sensitive material must be vetted and classified. In Facebook, start by limiting access to friends rather than friends of friends (or limit Facebook use to purely personal topics). For Twitter, use the same criteria you would use for a nonsecure telephone line.

Assume that your phone or laptop will fall into the wrong hands. While the Lepp situation is unresolved, it is clear that personal mobile devices do fall into the wrong hands. I recently received a text from a colleague I know well, and the content was inappropriate. The next day I learned that her phone had been “borrowed” by a prankster.

Policy implication: For most of us, the value of our reputation and data far outweighs the replacement value of a device. Always use password protection, selectively use encryption, and have a remote wipe contingency plan for all digital devices that could be used to send out messages “from” you. Passwords for social media accounts should be as strong and as secret as those for financial accounts.

Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT, with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.

Dig Deeper on Risk management and compliance

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Good suggestions/cautions. There was far more room for inadvertent errors or omissions when social media was in its infancy. Now it's a public arena under near-constant scrutiny where errors are virtually irretrievable. I warn my clients to avoid the ENTER key and - when using outlets like Twitter - to use delaying tactics (like HootSuite) so there's time to reconsider and edit before mistakes (of the fingers or the mind) go public. Despite recent attempts, "I was just kidding" or "that's not what I meant" are useless non-responses that do more harm than good.