“The public Web is full of anonymous users and fake identities. Most common on social networks are identities that are presumably true (look legitimate) but have not been verified.” – Information Week
Everyone is talking about the use of social media applications in business; in fact, it’s “all the rage!” While there’s no doubt it has incredible value and potential in a variety of business applications, something that most governance, risk and compliance (GRC) professionals don’t seem to be talking about is how the technology and its usage apply in a corporate environment, where misinformation, competitive business intelligence, industrial espionage, “false profiles” and reliance on errant information all generate the potential for significant business risk and liability.
Consider the following points:
| Social Media Profile Issues Today – Seven Facts Which Should Concern You! | Yes | No |
| --- | --- | --- |
| Someone can go out and easily create a fake social media profile? | X | |
| Someone can completely fake their employment history and professional accomplishments? | X | |
| Individuals are prevented from creating fake profiles? (TOS Agreements say you can’t, but there are NO social media profile police on the front end!) | X | |
| Someone checks to see that you are really who you say you are? | X | |
| Someone checks to see that your background, education, training, accomplishments, awards, designations, certifications or work experience is really what’s in the profile? | X | |
| Employees are putting a wealth of information (proprietary, sensitive and confidential) in social media profiles. | X | |
| Information gathered from your employee’s profiles, posts, and online professional discussions, is being used for a variety of business purposes other than what was intended? | X | |
| Firms exist whose sole purpose is to gather competitive business intelligence about your company! | X | |
Given these facts, the inescapable conclusion is that social media technology poses quite a few challenges for companies’ GRC programs. Yet, despite that, very few GRC professionals are addressing the issue, the potential risks it poses or solutions to the problem. The starting point for this conversation has to be a critical examination of why so few companies have a social media policy of any kind.
While researching this column, I Googled the phrase “fake social media accounts” to get a feel for the magnitude of the problem and it was overwhelming. Here are a few headlines which caught my attention:
- Fake Google+ Profile Looks Bad For Bank of America, But Worse For Google (Huffington Post 11/16/2011)
- Fake hospital CEO on Facebook highlights social media security issues (Fierce Healthcare, December 20, 2011)
- Fake or Real Social Media Profile? (Huffington Post, July 10, 2011)
A New Phenomenon?
While social media applications seem relatively new, the Web has been used for commercial purposes since the mid-1990s. This type of misinformation has been going on in Web-based applications (chat rooms, forums, dating sites, etc.) for a long time, with personal details like age, height, weight, gender, background, bust size, employment status and the amount of hair on one’s head routinely exaggerated, if not outright fabricated.
Case in point: a man’s dating site profile which reads “6’2, 190 lb., 28-year-old, tanned, athletic, lifeguard” probably appeals more to most female readers than a more honest profile: “middle aged, balding (follicle challenged), overweight, unemployed, couch potato.”
The bottom line is that things aren’t always what they appear, either in person or in cyberspace. Given the movement of social media applications into the business realm, false social media profiles and what others are doing with the information contained in legitimate profiles should have us all concerned.
Business Intelligence and Industrial Espionage
The thought some might be having about this issue is “so what?” So, there are fake social media profiles out there … how does that impact me?

For some, perhaps not at all. But in the bigger picture there are several important issues for corporations (risk, audit, security, compliance, investigation and legal operations), because there is a significant risk from the growing number of business intelligence entities (onshore and offshore) using cyberspace and social media applications to scour readily available social media profiles for information about your company, your employees, your proprietary business projects and intellectual property – “cyber dumpster diving,” if you will. Forbes (The Spy Who Liked Me) suggested some of these firms are clearly not beyond impersonating members of the opposite sex to “lure you in.”
How far will these firms go to get the information they’re after? It’s hard to say. While some of those firms may not intentionally misrepresent themselves (they don’t have to … your employees share information voluntarily), others might not be so transparent in their information-gathering mission.
Social media providers like LinkedIn have language in their User Agreements (10B (8a)) that specifically prohibits creating false profiles, positions and qualifications, etc. But in the high-stakes world of corporate intelligence and industrial espionage, Terms of Service (TOS) language is unlikely to stop anyone from doing so until violations, for the express purpose of gathering corporate business intelligence, are made criminal offenses and prosecuted. That has not happened to date, but there has been dialog about it.
According to an article, DOJ Wants ‘Terms Of Service’ Violations Criminalized, “Richard Downing, the Justice Department’s Deputy Chief of Computer Crime, testified (before a House Judiciary subcommittee on crime, terrorism and homeland security) that ‘customers who intentionally exceed those [terms of service] limitations and obtain access to the business’s proprietary information and the information of other customers’ should be eligible for prosecution under U.S. cyber law.” The law referenced is the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030).

While it likely isn’t their intent, the words employees write in social media profiles to describe their background, skills and professional/industry experiences have meaning to others in ways you might not imagine. Whether employees think they’re talking to someone they aren’t or they innocently place information in their social media profiles, the old war adage comes to mind here: “Loose lips sink ships.”
In this competitive business age your employees might be unwittingly providing your competition with valuable pieces of information. This might seem innocuous to some but could be the launching point for larger, more targeted competitive intelligence efforts, providing a “strategic competitive business advantage” to others in your industry. The result could be “second to market” and that might easily be the difference between extreme profitability and delivering shareholder dividends, or being out of the game.
As their commercials used to say, “When E.F. Hutton talks, people listen!” While E.F. Hutton isn’t around anymore, the principle still applies. When your employees talk, people listen, and when your employees write something in a forum, blog, group discussion or social media profile, you can bet someone is making note of it, analyzing it and disseminating it somewhere. Bloomberg (Social Media Spying) concurs that “people are listening,” providing examples of the dangers of social media applications and corporate spying in more detail.
Information is power, and those who have it often possess a distinct business advantage. Unlike conduct covered by the laws that govern insider trading (Rajaratnam and Galleon paid for information), gleaning voluntarily posted information from social media profiles isn’t illegal.
Information is a valuable commodity that is being sold for a price, and your employees may be the unwitting providers of sensitive information your company would rather not be made public. Aside from competitive business intelligence and corporate espionage, there are other concerns with the usage of social media profiles and the unverified information they contain.
Tomorrow
Dan will wrap up his exploration of fake social media profiles tomorrow when he discusses how human resource departments have incorporated social media background checks in the hiring process. He will also point out key takeaways from his investigation into fake social media profiles.
**********
About the Author
Daniel Draz is the principal at Fraud Solutions. Draz is a senior fraud and investigations management professional with extensive experience in the private sector. He has a Masters in Economic Crime Management and is a Certified Fraud Examiner (CFE). Often published in industry and trade publications, he also develops customized training content for speaking engagements and currently consults with companies on their anti-fraud/risk mitigation efforts, employee training and investigation applications. Email: dan@fraudsolutions.com.







