Social media is part of today’s businesses. Setting aside the personal and personnel aspects of social media in the workplace, most companies now have a sprawling public infrastructure of hundreds of social accounts, including Facebook pages, Twitter accounts, YouTube channels, and more, all run on behalf of the brand.
What most companies haven’t come to grips with are the corresponding compliance risks of brand-owned social infrastructure. That infrastructure is susceptible to everything from being hacked to being the source of company compliance violations and liabilities from poor content handling.
Here are the top five things that will cause a company to fail a compliance check and how to address them.
1. Lack of updated training, guidelines, and automated guideline enforcement:
With the waves of coverage on social risks and compromises there has been a corresponding push for companies to create guidelines and training. Companies absolutely need these guidelines, and technology for policy enforcement, around 3 distinct areas of social touch points.
With focus and, if needed, expert help, these policies and the technology to enforce them can be implemented.
2. Lack of experience with regulated data, liability, and compliance requirements by the primary operators of social accounts and programs:
The employees who typically manage social are usually new to compliance-related acronyms like IAM, DLP, PII, FINRA, SOX, HIPAA, etc. At the same time, the compliance and security teams focused on those issues probably aren’t doing social community management or running campaigns on social accounts. That gap is where best intentions result in misaligned access control, improper handling of content, and lack of proof of actual policy enforcement. This can be addressed by basic collaboration and technology where, instead of being ignored for saying ‘no’, compliance teams can add guardrails and process to safely enable social.
3. Not knowing how many accounts the company owns, across which social networks, and which regions, departments, and groups run them:
If a company doesn’t know which accounts are being run by which groups, departments, and regions, then it has little chance of making sure that the right controls, logs, and archives are in place. This should be self-evident, and many companies are taking steps to inventory their social accounts, but the approach of having a staff member or an agency do one-off searches with spreadsheet tracking is not efficient, effective, or consistently reliable. Just like network and desktop inventory and tracking systems, companies should use a technology system that allows them to create an asset map with persistent tracking and discovery.
4. Not knowing which applications and which users have access to the company’s social accounts:
The failure to understand that each account is its own operating environment that always has multiple applications installed on it is a massive compliance gap (e.g. Facebook alone has millions of apps). Apps include everything from publishing systems like Hootsuite, Marketing Cloud, Spredfast, and This Moment to mobile apps like Twitter for iPhone, Facebook for iPad, Google+ for Android, and more. For example, if compliance relies primarily on a publishing application with a pre-publishing check and workflow, but it can’t be reliably proven that only that app is used to publish, then compliance has automatically been failed. The same goes for proving account control and defense against hacks. If the company has more than one app installed on an account, as all companies do, each app and each user of each app is a potential backdoor to the account being hacked and a failing compliance
To deal with the app and user compliance gap, companies should use technology that persistently audits accounts for applications and users, enforces policies around which apps can publish on which accounts, and produces reports for compliance audits proving application policies and policy enforcement.
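The audit described in points 3 and 4 can be expressed as a policy check over an account inventory. The following is an added example, not code from the article or from any of the products it names: it runs a constructed inventory of brand accounts (the accounts, apps, users, allowlist and approved-publisher roster are all hypothetical) against three rules: every account must have a registered owner, only allowlisted apps may hold publish scope, and only approved people may hold publish-capable roles. Real deployments would feed it from each network’s connected-apps and roles APIs instead of the inline sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ConnectedApp:
    name: str
    scopes: frozenset  # permissions the network granted the app, e.g. {"read", "publish"}


@dataclass
class AccountUser:
    handle: str
    role: str  # "admin", "editor" or "analyst"


@dataclass
class SocialAccount:
    network: str
    handle: str
    owner: Optional[str]  # department or region on record; None means nobody claims it
    apps: list = field(default_factory=list)
    users: list = field(default_factory=list)


# Hypothetical policy: only these apps may hold publish scope on any account,
# and only these roles are treated as able to publish.
PUBLISH_APP_ALLOWLIST = frozenset({"Hootsuite"})
PUBLISH_ROLES = frozenset({"admin", "editor"})

# Hypothetical roster of people approved to publish, keyed by (network, handle).
APPROVED_PUBLISHERS = {
    ("twitter", "@acme"): frozenset({"alice", "bob"}),
    ("facebook", "AcmeCorp"): frozenset({"alice"}),
}


def audit_account(acct, app_allowlist=PUBLISH_APP_ALLOWLIST, approved=APPROVED_PUBLISHERS):
    """Return a list of (severity, issue, detail) findings for one account."""
    findings = []
    key = (acct.network, acct.handle)
    if acct.owner is None:
        findings.append(("high", "unowned_account", f"{key} has no registered owner"))
    for app in acct.apps:
        # Any app that can publish and is not on the allowlist bypasses the
        # pre-publishing workflow the compliance team relies on.
        if "publish" in app.scopes and app.name not in app_allowlist:
            findings.append(("high", "unapproved_publishing_app",
                             f"{app.name} can publish on {key} but is not allowlisted"))
    roster = approved.get(key, frozenset())  # unknown account -> nobody is approved
    for user in acct.users:
        if user.role in PUBLISH_ROLES and user.handle not in roster:
            findings.append(("medium", "unapproved_publisher",
                             f"{user.handle} ({user.role}) can publish on {key} but is not approved"))
    return findings


def audit_inventory(accounts, **policy):
    """Audit every account; return {(network, handle): findings} for accounts with findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, **policy)
        if findings:
            report[(acct.network, acct.handle)] = findings
    return report


def summarize(report):
    """Count findings by issue type across the whole inventory, for the audit summary."""
    counts = {}
    for findings in report.values():
        for _severity, issue, _detail in findings:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample inventory; none of these are real accounts or people.
SAMPLE_INVENTORY = [
    SocialAccount("twitter", "@acme", "Corporate Comms",
                  [ConnectedApp("Hootsuite", frozenset({"read", "publish"})),
                   ConnectedApp("Twitter for iPhone", frozenset({"read", "publish"})),
                   ConnectedApp("AnalyticsTool", frozenset({"read"}))],
                  [AccountUser("alice", "admin"), AccountUser("bob", "editor"),
                   AccountUser("carol", "analyst")]),
    SocialAccount("facebook", "AcmeCorp", "Marketing EMEA",
                  [ConnectedApp("Hootsuite", frozenset({"read", "publish"}))],
                  [AccountUser("alice", "admin"), AccountUser("dave", "editor")]),
    SocialAccount("youtube", "AcmeLabsVideo", None,
                  [ConnectedApp("YouTube Studio mobile", frozenset({"read", "publish"}))],
                  [AccountUser("erin", "admin")]),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for key, findings in report.items():
        for severity, issue, detail in findings:
            print(f"[{severity}] {issue}: {detail}")
    print("summary:", summarize(report))
```

In the sample data the Twitter account fails only because a mobile client holds publish scope, the Facebook account fails only because an editor is not on the approved roster, and the unowned YouTube channel fails all three rules. A read-only analytics app on the Twitter account is correctly ignored, since the policy is about who and what can publish, not who can read.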
5. Little understanding and usage of security and compliance technology for social infrastructure:
Most social and compliance teams aren’t aware of the different technologies required for security and compliance. Additionally, it is easy to confuse the capabilities an app has for itself with the security capabilities an app provides for the social account. Referring to point 4, just because an app has a great workflow and good role-based controls in no way means that app has solved access and app controls for the company’s social account. A better way to approach compliance is to focus on 3 key technology layers.
Risks and incidents will only increase as the primacy of social as a business channel increases. Companies will only be able to take full advantage of social by acknowledging that and taking the appropriate policy and technology steps to enable compliance and mitigate risk.
About the Author
Devin Redmond is a seasoned marketing executive and product planner with over 16 years of experience in public and private companies. Devin is passionate about leveraging technology to address the security, measurement, and management challenges organizations face in today’s cloud, mobile, and social environments. Devin’s career includes executive and leadership roles in product management, marketing, business development, and sales.