auditing social media: the cae toolkit
TRANSCRIPT
THE ESSENTIAL RESOURCE FOR AUDIT EXECUTIVES
AUDITING SOCIAL MEDIA:
THE CAE TOOLKIT
JUNE 28, 2012
Presenter
Dan Desko, Senior
Schneider Downs & Co., Inc.
Technology Advisors/Internal Audit
WWW.THEIIA.ORG/CAE Staying Ahead of Social Media
INTRODUCTIONS
• Schneider Downs & Co., Inc.
– Public Accounting, Tax, Business Advisory, Internal Audit, Technology Advisors, etc.; Since 1956
• Dan Desko, Senior IT Audit Consultant
– 2 years with Schneider Downs, 8 years experience in total; Leads and Manages IT Audit Fieldwork
LEARNING OBJECTIVES
• Understanding the purpose of social media use in organizations
• Impact and risks associated with having a corporate social media presence
• Controls and best practices to mitigate social media risks
• Audit techniques to test the effectiveness of social media controls
AGENDA
• Survey results
• What is social media
• Benefits of social media
• Threats/Risks/Controls
• Audit steps
• Social media disasters
ON WHICH SOCIAL NETWORKING WEBSITE(S) DOES YOUR COMPANY MAINTAIN A CORPORATE PRESENCE?
(Chart; response labels recoverable from the chart: Own Platform, YouTube, None.)
DOES YOUR ORGANIZATION BLOCK ANY SOCIAL MEDIA WEBSITES FROM EMPLOYEE USAGE WHILE
THEY ARE ON COMPANY TIME?
Yes 47%
No 53%
IF YES, WHICH SITES ARE BLOCKED?
(Chart; the percentages shown are 84%, 71%, 63%, 63%, 34%, 21% and 17%, and the site labels recoverable from the chart are MySpace, YouTube, Flickr and Google+; which percentage belongs to which site is not recoverable from the text.)
Multiple responses were accepted
TOP REASONS FOR BLOCKING
1. Productivity issues, time waster, etc.
– Overwhelmingly the #1 reason for those who block
2. Information security (distant 2nd place)
3. Bandwidth (distant 3rd place)
WHY DON’T YOU BLOCK?
• “We are not dictators.”
• “Social media is representing a critical means to reach-out, interact with our customers and nurture our relationship with them. Which is at the very core of how we have been doing business for more than 100 years.”
• “Lack of management perception of risk.”
• “Because we use it as part of marketing.”
DOES YOUR ORGANIZATION USE SOCIAL NETWORKING AND BLOGS FOR ANY OF THE
FOLLOWING PURPOSES?
(Chart; response categories: Social Networking, Blogs, Both, Neither.)
DOES YOUR ORGANIZATION ALLOW ITS EMPLOYEES TO IDENTIFY THE ORGANIZATION BY NAME ON THEIR PROFILES ON SOCIAL NETWORK
PLATFORMS OR BLOGS?
No
Yes, must follow policy/guidelines
Yes, no policy/guidelines
DOES YOUR ORGANIZATION ALLOW EMPLOYEES TO OPENLY REPRESENT YOUR ORGANIZATION ON
SOCIAL MEDIA SITES (I.E., "BRAND EVANGELISTS")?
No
Yes, only certain people
Yes, only for discussion boards
Yes, only for blogs
Yes, everyone can blog or post to a board
IF YES, WHICH EMPLOYEES OPENLY REPRESENT YOUR ORGANIZATION ON SOCIAL MEDIA SITES?
• Chief Marketing Officer
• Corporate Communications
• Social Media Coordinators
• Director of Investor Relations
• CFO
REGARDING SOCIAL MEDIA, DOES YOUR ORGANIZATION HAVE:
(Chart; the items asked about are not recoverable from the text; responses were Yes or No.)
PLEASE IDENTIFY THE KEY COMPONENT(S) OF YOUR ORGANIZATION'S POLICY OR GUIDELINES:
• Acceptable contents for posting; sensitivity to “insider” type information
• General do’s and don’ts
• Employees are allowed to note they are employed by the organization in their bio info, but specific statements about the company are prohibited
• Users can only represent themselves, not the company
• Use common sense
DOES YOUR ORGANIZATION CONDUCT FORMAL TRAINING OR PROMOTE AWARENESS OF ITS
SOCIAL MEDIA POLICY?
(Chart; responses: Yes, we provide training / Yes, we promote awareness / No.)
PLEASE IDENTIFY THE FREQUENCY OF TRAINING OR AWARENESS EFFORTS:
(Chart; responses: Upon Hire / Annually / Twice Per Year / As Changes Occur.)
WHO IS RESPONSIBLE FOR TRAINING OR AWARENESS EFFORTS?
• Communications/PR
• Compliance
• Human Resources
• Information Technology
• Marketing
• Legal
IF APPLICABLE, WHAT ROLE DO THE FOLLOWING AREAS PLAY IN MANAGING YOUR ORGANIZATION'S SOCIAL MEDIA INITIATIVES OR ACTIVITIES?
(Chart; the areas compared are Managing SM, Monitoring SM, Daily SM Activities and Incident Handling.)
IS SOCIAL MEDIA A PART OF YOUR ORGANIZATION’S GOVERNANCE STRUCTURE OR PROCESSES?
(Chart; responses: No / No, but we plan to / Yes.)
IS SOCIAL NETWORKING OR BLOGGING PART OF THE INTERNAL AUDIT FUNCTION'S ANNUAL AUDIT PLAN?
(Chart; responses: Yes, social networking only / Yes, blogging only / Yes, both / No, a different department is responsible / Not managed at all.)
INDUSTRY AND COMPANY SIZE DEMOGRAPHICS
• The majority of responses were from Chief Audit Executives or company equivalents
• The majority of the organizations that the respondents work for are publicly traded organizations, privately held was next on the list, then government
• In addition the majority of organizations that the respondents work for have upwards of 1,000 employees
SOCIAL MEDIA POLL QUESTION #1
• Which social media sites does your organization or company use?
Twitter.com
LinkedIn.com
ISACA.org
YouTube.com
SOCIAL MEDIA FACTS
• Facebook tops Google for site traffic
• 1 in 5 couples meet online
• If Facebook were a country it would be the world’s 3rd largest
• A new member joins LinkedIn every second
• Social gamers will buy $6 billion in VIRTUAL goods by 2013
• If Wikipedia were a book, it would be 2.25 million pages long
• YouTube is the world’s 2nd largest search engine
WHAT DO THESE FACTS TELL US?
Social media must be embraced by business; however, it should be done carefully and strategically.
TOP 5 BENEFITS OF SOCIAL MEDIA
Communications platform
Sales growth
Brand recognition
Referral source
Recruiting conduit
COMMUNICATIONS PLATFORM
• Direct customer engagement
– New products and features
– Convey messages instantly and without cost
• Customer surveys
• Learn customer preferences
• Receive feedback in real time
SALES GROWTH
• Direct marketing tool
– E-commerce
• Demographic information
• Capture email addresses and other info
• Potentially expansive reach
SALES GROWTH CONTINUED
• Online ad spending will grow to $39.5 billion in 2012, compared to the $32 billion spent in 2011
• According to these estimates, online ad spending will top print spending (newspaper & magazine combined) in 2012
BRAND RECOGNITION
• Generate “buzz” around the office water cooler
• Get people sharing your video, pictures, content on their personal pages
• Using social media as a branding tool successfully takes creativity
REFERRAL SOURCE
• Social media outlets are valuable sources of business referrals
– LinkedIn
– YouTube
– Blogs
– Forums
– Etc.
• All of these outlets point back to your business
RECRUITING CONDUIT
• Social media outlets are great tools for recruitment
– Potential employees learn about your organization
– Sites such as LinkedIn allow you to search for potential employees
– Save on recruiting costs and get to know potential hires better
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
There are numerous social media risks… let’s understand them.
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence.
Risks:
• Customer backlash/adverse legal actions
• Exposure of customer information
• Reputational damage
• Targeted phishing attacks on customers or employees
Risk Mitigation / Control Strategy:
• Develop brand protection guidelines and assign staff or hire a firm that can scan the Internet and search out misuse of the enterprise brand
• Give periodic informational updates to customers to maintain awareness of potential fraud
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Mismanagement of electronic communications and/or inappropriate content posted on official corporate social media outlets.
Risks:
• Reputational risk (self-inflicted)
• Customer backlash
• Brand tarnishing
Risk Mitigation / Control Strategy:
• Strictly control who can post content
• Strictly control how users access corporate social media outlets
• Policy for approval of any content posts
• Social media crisis response plan
• Consider what can go wrong before posting
• Do not link corporate pages to personal accounts
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Unclear or undefined content rights to information posted to social media sites.
Risks:
• Enterprise’s loss of control/legal rights over information posted to the social media sites
• Media (images, videos, content, etc.) that are a product of the organization can be easily copied and re-used without consent
Risk Mitigation / Control Strategy:
• Ensure that legal and communications teams carefully review user agreements for social media sites that are being considered
• Policies that dictate to employees what information should be posted as part of the enterprise social media presence
• Log all communications requests and validate approval
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: The move to a digital business model may increase customer service expectations.
Risks:
• Customer dissatisfaction with the responsiveness received on social media sites, leading to potential reputational damage for the enterprise
• Customer retention issues
Risk Mitigation / Control Strategy:
• Ensure that staffing is adequate to handle the amount of traffic that could be created from a social media presence
• Create notices that provide clear windows for customer response
• Content to establish expectations
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Introduction of viruses and malware to the organizational network through the allowed use of social media sites.
Risks:
• Data leakage/theft
• “Owned” systems (zombies)
• System downtime
• Additional unplanned resources required to clean systems
Risk Mitigation / Control Strategy:
• Anti-virus/malware installed on systems & updated daily
• Content filtering technology to restrict or limit access to social media sites to appropriate users only
• Establish or update policies and standards
• Inform employees of the risks involved with using social media sites
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Excessive employee use of social media in the workplace.
Risks:
• Network utilization issues
• Productivity loss
• Increased risk of exposure to viruses and malware due to longer duration of sessions
Risk Mitigation / Control Strategy:
• Manage accessibility to social media sites through content filtering or by limiting network throughput to social media sites
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Use of personal accounts to communicate work-related information.
Risks:
• Privacy violations
• Reputational damage
• Loss of competitive advantage
• Trade secret exposure
• Transmission of sensitive data
Risk Mitigation / Control Strategy:
• Work with the HR department to establish new policies or ensure that existing policies address employee posting of work-related information
• Work with the HR department to develop awareness training and campaigns that reinforce these policies
RISKS OF A CORPORATE SOCIAL MEDIA PRESENCE
Threat: Employee posting of pictures or information that link them to the enterprise.
Risks:
• Brand damage
• Reputational damage
• Trade secret exposure
• Customer loss
Risk Mitigation / Control Strategy:
• Work with the HR department to develop a policy that specifies how employees may use enterprise-related images, assets, and intellectual property (IP) in their personal online presence
• Self police or monitor each other as best you can
SOCIAL MEDIA POLL QUESTION #2
• What is the most pervasive Social Media risk?
Financial risk
Reputational risk
Environmental risk
Physical risk
COMMON THEMES AMONG MITIGATION STRATEGY
• Policies and procedures
– Making sure employees read and understand them
– Training on the policy and procedures
• Assess risk on a continual basis
• Limit, control and monitor access to the corporate social media presence
• Monitor the corporate page, and watch for fake pages
CONTROL IMPLEMENTATION STRATEGY: ASSESS RISK
• Determine which risks are most applicable to your organization
– Determine impact of the risks
– Determine likelihood of occurrence
– Even attempt to assign a rough estimate dollar value to the potential loss associated with each risk
• Revisit the assessment at least on an annual basis
CONTROL IMPLEMENTATION STRATEGY: POLICIES, PROCEDURES & TRAINING
• Involve the key stakeholders
– Communications
– Sales & Marketing
– Technology
• Define what social media will be officially used for and in what capacity
• Develop a right-sized training approach based on risk
– Face to face, webinar, online document, etc.
• Ensure your organization possesses the right capabilities and fill in the missing links
CONTROL IMPLEMENTATION STRATEGY: CONTROL & MONITOR
• Restrict user access to official pages
• Determine chain of approval for various levels of content (text, media, sales messages, etc.)
• Set frequency of monitoring activities
• Determine which tools to use:
– Google Alerts (free tool)
– Google Trends (free tool)
– Socialmention.com (free tool)
– Tweetscan.com (free tool)
– Lithium (paid service)
– Radian6 (paid service)
– Market Sentinel (paid service)
CONTROL IMPLEMENTATION STRATEGY: CONTROL & MONITOR CONT’D
(Two image-only slides; no text content is recoverable.)
RISKS OF TOO MANY CONTROLS
• Stifle business/marketing efforts
• Legal risks
– If policies are too stringent they may be unlawful under the National Labor Relations Act
• Disenchanted employees if the company blocks social media sites
– In reference to the Millennial generation, a recent Cisco report noted, “The ability to use social media, mobile devices, and the Internet more freely in the workplace is strong enough to influence job choice, sometimes more than salary.”
• While many social media sites are free, the cost of FTEs to monitor and control the corporate social media presence can be staggering
TESTING APPROACH
• Review formal policies related to Social Media
– If formal policies are in place, this provides Internal Audit with actual metrics and standards to audit against
– Review policy for key elements: protocols for communication; standard phrases and tone that convey the corporate voice; use of company logos/brand marks; employee use of social media using personal devices; use of mobile devices to access social media; response protocols on social media sites; review and monitoring protocols
TESTING APPROACH
• Policy review for key elements, cont’d:
– Personal use in the workplace: is it allowed; posting of business-related content; prohibited disclosure of certain work-related topics
– Personal use outside the workplace: prohibited disclosure of certain work-related topics; dangers of posting too much personal information
– Business use: is it allowed and for whom; process for gaining access; appropriate usage guidelines for the organization
TESTING APPROACH
• Interview personnel that use Social Media from every angle (Communications, Marketing, Sales, HR, etc.) and understand how they use it
• Review the Risk Assessment to ascertain if Social Media has been a part of the risk process and if management understands the risks involved
TESTING APPROACH
• Determine if there is Social Media awareness training by HR for the appropriate employees
• Determine if there are appropriate personnel in charge of the Social Media function and that staffing is adequate to monitor
• Determine if access to corporate Social Media outlets follows the access management policy
– No shared IDs
– Routine password changes, 8 characters in length, etc.
– Pages not linked to personal accounts
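The access-management test above can be run mechanically once the auditor has an inventory of corporate social media logins. The following is an added example and not part of the deck or of Schneider Downs' own methodology: it tests a constructed inventory against the three expectations on the slide (no shared IDs, routine password changes with an 8-character minimum, pages not linked to personal accounts). The 90-day rotation window, the `example.com` corporate domain and the account records are all assumptions made for the example; the slide itself only says "routine".

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Expectations taken from the slide: no shared IDs, routine password changes,
# 8-character minimum, pages not linked to personal accounts.
MIN_PASSWORD_LENGTH = 8
# The slide says only "routine"; the 90-day window is an assumption for this example.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class SocialAccount:
    """One corporate social media login as it would appear in an auditor's inventory."""
    platform: str
    login_id: str                  # address used to sign in to the platform
    holders: list                  # named individuals who know the credential
    password_length: int           # length reported by the owner (never collect the password)
    last_password_change: date
    recovery_email: str            # where password-reset links are delivered


def audit_accounts(accounts, as_of, corp_domain):
    """Return (account, control, detail) tuples for every control the inventory fails."""
    findings = []
    for acct in accounts:
        where = f"{acct.platform}/{acct.login_id}"
        # No shared IDs: exactly one accountable holder per credential.
        if len(acct.holders) != 1:
            findings.append((where, "shared ID",
                             f"{len(acct.holders)} holders: {', '.join(acct.holders)}"))
        # Minimum length from the policy.
        if acct.password_length < MIN_PASSWORD_LENGTH:
            findings.append((where, "password length", f"{acct.password_length} characters"))
        # Routine password changes, measured against the assumed rotation window.
        age_days = (as_of - acct.last_password_change).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((where, "password age", f"{age_days} days since last change"))
        # Pages not linked to personal accounts: both the login and the recovery
        # address must belong to the corporate mail domain.
        for label, addr in (("login", acct.login_id), ("recovery", acct.recovery_email)):
            if not addr.lower().endswith("@" + corp_domain.lower()):
                findings.append((where, "linked to personal account", f"{label} address {addr}"))
    return findings


def summarize(findings):
    """Count findings per control, the shape an auditor would carry into the workpaper."""
    return Counter(control for _, control, _ in findings)


# Constructed sample inventory (not real accounts); example.com is the assumed corporate domain.
CORP_DOMAIN = "example.com"
AS_OF = date(2012, 6, 28)
SAMPLE_ACCOUNTS = [
    SocialAccount("Twitter", "socialmedia@example.com", ["A. Coordinator"],
                  14, date(2012, 5, 1), "comms@example.com"),
    SocialAccount("Facebook", "marketing@example.com", ["A. Coordinator", "B. Intern", "C. Agency"],
                  6, date(2011, 11, 15), "marketing@example.com"),
    SocialAccount("YouTube", "dan.personal@mailhost.example", ["D. Manager"],
                  10, date(2012, 4, 10), "dan.personal@mailhost.example"),
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, AS_OF, CORP_DOMAIN)
    for where, control, detail in results:
        print(f"{where}: fails '{control}' ({detail})")
    print(dict(summarize(results)))
```

On the sample inventory the Twitter account passes every check, the Facebook account fails on shared ID, password length and password age, and the YouTube account fails twice on the "linked to personal account" control because both its login and its recovery address sit outside the corporate domain. Recording the password length rather than the password keeps the audit evidence itself from becoming a credential store.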
TESTING APPROACH
• Determine if appropriate safeguards are in place over computer assets used for official Social Media purposes
– Antivirus/antimalware
– Lockout, passwords on smartphones/iPads/tablets
– Remote wipe capabilities
• Determine if there is an incident response plan for Social Media in the event something goes wrong (see Social Media disasters)
SOCIAL MEDIA POLL QUESTION #3
• What is the cornerstone control of Social Media risk management?
Monitoring employee Facebook pages
Social Media policy acknowledgement with regular training
Strong passwords
Don’t use it
SOCIAL MEDIA DISASTERS
• McDonald’s tried to promote the quality of their ingredients and have fans share positive experiences via a Twitter campaign
• Instead, the tag became a way for animal activists and less-than-satisfied diners to air their grievances
• The #McFail hash tag was born
• A very big lesson learned for all parties involved
SOCIAL MEDIA DISASTERS
• A drunk Red Cross employee accidentally tweeted from the official account on his phone
• He thought it was his personal account
SOCIAL MEDIA DISASTERS
• A hacking group gained access to Fox’s Twitter accounts and started tweeting that President Obama had been assassinated and that ground zero had been attacked
• They promptly removed the false reports and worked with Twitter to prevent future compromise