Social Media Risk – Third Party Threat Management
Addressing social media risk starts with an assessment of threats, both internal and external. A growing number of these threats originate in third-party relationships and applications, and in messages that third parties post to your social media properties.
In their last survey, the Altimeter Group concluded: “The average corporate social business program was established more than three years ago. Yet as social business efforts permeate the enterprise, those without ‘social’ in their titles often lag in understanding of the corporate social business strategy, let alone know how to use social media safely or effectively. The need for employee education on social media becomes apparent as social business programs formalize and mature.”
We couldn’t agree more.
What types of third-party threats are we discussing?
- Outsourced social media vendors – those who create and publish content for your company
- Outsourced applications – productivity tools that plug in to your social accounts and let you schedule messages, publish to multiple accounts simultaneously, or bring content into your properties and publish it
- Third parties that publish to your properties – those you interact with – brand advocates and brand detractors alike
- Third parties that discuss your brand, company, employees, products, services or clients, though not necessarily on your own social media accounts
Outsourcing social media activities – or conducting social media programs with no understanding or oversight – can leave companies vulnerable to substantial risks. Third-party publishing is not always an outsourced relationship, however; it may simply be publishing to social media properties through one or more third-party applications.
Due diligence in this area should ensure that procedures regarding the use of third-party service providers are consistently followed, including those for due diligence, contract management and relationship termination. The professionals in this function should also be involved in the due diligence process for selecting third-party providers, including examining the third party’s control environment, security, legal and compliance history.
Monitoring of third-party posts is the additional responsibility of watching social media sites, services and applications (and websites generally) for potentially damaging third-party comments about the company or its products or services, as well as infringement of the company’s intellectual property. This may include taking measures to prohibit third parties from using social media to harass employees, and taking measures to enforce the company’s intellectual property rights and confidentiality against suspected infringement; defamation; false advertising and false endorsements; disclosure of the company’s confidential information or trade secrets; trademark, copyright or patent infringement and trademark dilution; and the sale of counterfeit goods.
Key Areas of Oversight:
Third-Party Security: Even if a social media site is owned and maintained by a third party, consumers using your company’s part of that site may blame your company for problems that occur on that site, such as uses of their personal information they did not expect or changes to policies that are unclear. (See “Hacked in the New Year – Snapchat and Skype”)
Third-Party Due Diligence: Social media is one of several platforms vulnerable to account takeover and the distribution of malware. Your company must ensure that the controls it implements to protect its systems and safeguard customer and employee information from malicious software adequately address social media usage. Your company’s incident response protocol regarding a security event, such as a data breach or account takeover, should include social media, as appropriate. (See “Buffer Hack and Brand Advocates”)
Data Breach: Even if your company complies with applicable privacy laws in its social media activities, it must consider the potential reaction by the public to any use of customer or client, vendor, employee, and other information via social media. (See “1.9 Million of you use 123456 as a Password and it has to stop”)
Third-Party Management: If your company is using social media, it must be aware of the challenges it faces to protect its brand identity in a social media context. Risk may arise in many ways, such as through comments made by social media users, spoofs of company communications, or activities in which fraudsters masquerade as the company. (See “Major Media Sites Hacked Through Vendor Outbrain”)
*Article Image: cloudpreservation from Nextpoint