corporate social media guidelines - protecting your organization from hidden risks
DESCRIPTION
One wrong move can land you or your company in an unknown abyss. A lack of guidance on Social Media and non-existent controls can cost companies hundreds of thousands or even millions. The hidden risks of not understanding the many channels of Social Media are immeasurable. With a better understanding and some guidance on Social Media patterns, you and your company will be able to mitigate the arising risks.
TRANSCRIPT
Corporate Social Media Guidelines
Protecting your organization from Hidden Risks.
KPMG: Ten to-do's for audit committees in 2010
How Important is Social Media
Understand the company's policy on the use of Twitter and other Social Media networks to reach Investors and customers.
http://www.accountingweb.com/topic/kpmg-ten-dos-audit-committees-2010
Revealed: Which social networks pose the biggest risk?
Biggest Risk in a Social Network?
“...sizeable pool of information for hackers.”
“Sites like LinkedIn provide hackers with what is effectively a corporate directory, listing your staff's names and positions. This makes it child's play to reverse-engineer the email addresses of potential victims.”
http://www.sophos.com/blogs/gc/g/2010/02/01/revealed-social-networks-pose-biggest-risk/
According to the Sophos Security Threat Report 2010
Over 500 Firms Polled
Bigger risks with younger employees than older ones.
SN Risk: Managing the Inevitable
“According to the survey, about 50 % of those responding use Web-based social networking to make new friends”
“The problem lies in the tendency for experienced social networkers to continue to initiate new friendships, friendships with people they’ve never actually met.”
“So the 1st element is making a person feel accepted, part of a group of at least two. This isn’t difficult for experienced social engineers.”
http://blogs.techrepublic.com.com/security/?p=730
1. Does your organization block use of social networking sites?
1. Yes
2. No
3. Don’t Know
2. Does your organization address social networking in its acceptable use policy?
1. Yes
2. No
3. Don’t Know
Defending against the inevitable
SN Risk: Managing the Inevitable
“Block use of public social networking sites from the office is a strong recommendation. This will help protect your data or social engineered information, about your company or network, from finding its way directly from the employee’s desk or your network, to either a social networking site or a friend met at such a site.
“Implement DLP*. Know where and how your data is moving. If an online ‘friend’ of one of your employees happens to gain access because of sharing activities, you will be able to block data loss or at least know it’s happening.”
http://blogs.techrepublic.com.com/security/?p=730
1. Block use of Social Networking Sites from Office.
2. Implement Data Leakage Prevention
3. Know where your data is moving
4. Create, edit, or update your social media policies.
* DLP (data leakage prevention)
Social Media Policy the 1st line of defense
What Every Company Should Know About Social Media Policy
1 in 3 companies has a social media policy in place.
Part of the problem is that a social media policy is a misnomer. Your company should have social media policies.
http://www.socialmediaexplorer.com/2010/02/03/what-every-company-should-know-about-social-media-policy/
socialmediaexplorer.com
Social Media Policies
What Every Company Should Know About Social Media Policy
It’s not just making rules for who can blog and say they work for you.
It’s more than just telling employees what they can and cannot do on company computers.
Three Main Groups of Policies
• Employee Code of Conduct Policies
• Employee Policies
• Corporate Policies
http://www.socialmediaexplorer.com/2010/02/03/what-every-company-should-know-about-social-media-policy/
socialmediaexplorer.com
• Employee Code of Conduct for:
  • Online Communications
  • Company Representation in Online Communications
• Employee:
  • Blogging Disclosure Policy
  • Facebook Usage Policy
  • Personal Blog Policy
  • Personal Social Network Policy
  • Personal Twitter Policy
  • LinkedIn Policy
Social Media Policies
What Every Company Should Know About Social Media Policy
While it may seem frivolous to spell out policies for every social network, that’s not quite the point.
Different networks have different implications for different companies.
http://www.socialmediaexplorer.com/2010/02/03/what-every-company-should-know-about-social-media-policy/
socialmediaexplorer.com
• Corporate:
  • Blogging Policy
  • Blog Use Policy
  • Blog Post Approval Process
  • Blog Commenting Policy
  • Facebook Brand Page Usage Policy
  • Facebook Public Comment/Messaging Policy
  • Twitter Account Policy
  • YouTube Policy
  • YouTube Public Comment Policy
  • Company Password Policy
Social Media Policies
Few Companies Have Policy for Employee Use of Social Networks
Does Your Company have a written policy?
Does it include all or part of the listing?
What challenges did you find writing it or are concerned you will find?
http://www.emarketer.com/Article.aspx?R=1007493
emarketer.com
Dell Sucks becomes Dell Hell
o Issue:
  o Jeff Jarvis, journalist, wrote on his blog about his frustration with poor customer service by Dell, under the title “Dell Sucks”.
  o Thousands of people were having the same issues.
o Biggest Issue:
  o Dell was not:
    o Reading blogs
    o Listening
  o Dell’s policy on blogs was do not touch them.
buzzmachine.com
JEFF JARVIS
@JeffJarvis
Learn from Dell: Embrace
o Start by:
  o Start at Google:
    o Search for your company, team, yourself.
  o Same search on blogs:
    o Technorati, Icerocket, & BlogPulse, YouTube, Twitter, & Facebook.
o Respond to people
  o Do it yourself!
  o Try to solve problems online
o Put yourself in their own shoes
  o Set up your own blog.
  o Don’t forget to thank your customer.
puertoblogs.com
Dell Doing it Everywhere
o Embracing Social Media
o Didn’t shy away from obstacles
o Cultivating a cross-platform community
o Multiple Twitter handles
o Network of Blogs
o Very active on Facebook
o 1 of the few companies to publicly state a ROI from
o 1 Million In Revenue
community.dell.com
dell.com/twitter
Dell Doing it Everywhere
Corporate Social Media Guidelines
I'd just say that rather than starting from the risks, start from the opportunities:
• how can you build new relationships with your constituents using these tools.
• The greater risk is ignoring the conversation that is going on with or without you.
JEFF JARVIS
Journalist & Author
@JeffJarvis
Buzzmachine.com
Jeff Jarvis’ Quote | Via Email
Corporate Social Media Guidelines
Morgan Johnston
Manager Corporate Communications
@MHJohnston
knitwitr.tumblr.com
Morgan Johnston’s Quote | Via Twitter
Always ask for Permission when quoting someone
Opportunities / Threats
Opportunities
1. Open up a Fan Page or Group to reach out.
2. Recruiting tool for young professionals looking to join your company and worldwide connections with other professionals.
• Magazines like CIO.com are posting information
3. Monitor the competition’s presence.
Threats / Risks
1. Customers or disgruntled employees can create groups to defame a company & disperse sensitive information.
2. Passing over a possible good candidate based on profile information, pictures, & other postings.
3. The competition can also monitor you.
Opportunities / Threats
Opportunities
1. HR Department uses it to keep in touch with present and past employees.
2. Posting relevant articles, press releases, public company information, and get feedback.
3. Connecting and finding opportunities by creating and joining groups of interest.
Threats / Risks
1. Customers or disgruntled employees can create groups to defame a company & disperse sensitive information.
2. Passing over a possible good candidate based on profile information, pictures, & other postings.
3. The competition can also monitor You.
Opportunities / Threats
Opportunities
1. Links to articles related to professional seminars, conferences, & traditional media.
2. Connecting with potential clients, influencers and leads.
3. Instant customer service issues & monitoring of public relations issues.
Threats / Risks
1. Some links to articles may be spam or carry malware for your computer.
2. Could be pressured by the competition or other 3rd parties to engage in company vs. company discussions.
3. Without a presence you risk losing customers by not being able to solve the issue.
Guilty of one of these security oversights?
7 Deadly Sins of Social Networking Security
1. Over Sharing Company Activities
2. Mixing personal with professional
3. Engaging in Tweet (or other social network) Rage
4. Believing he/she who dies with the most connections wins
5. Password Sloth
6. Trigger Finger
7. Endangering yourself and others
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
1. Over Sharing Company Activities
7 Deadly Sins of Social Networking Security
Divulging intellectual property regarding what your company is doing on social networks;
Information that everyone will want to read about
You might tip off competitors:
• Maybe you work for a drug company that is on the verge of developing the cure for cancer.
• Maybe the company is developing a new car that runs on curbside trash
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
2. Mixing personal with professional
7 Deadly Sins of Social Networking Security
Know your objectives: why you are on social networks.
Remember to post carefully; your words are now public across the internet.
What you share with your family and friends may not be considered appropriate for business contacts; an example would be pictures.
Some folks separate the two, using Facebook for friends and LinkedIn for business contacts.
Some folks who work in media have to get people’s interest and need to be on as many social networks as possible in order to promote business.
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
3. Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage:
7 Deadly Sins of Social Networking Security
Rants look childish and immature.
People may be looking at your rant for years.
It would be the equivalent of sending an angry email.
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
Too Fat to Fly Southwest?
Kevin Smith
Hollywood Writer & Director
Movies: Jersey Girl (2004), Fan Boy (2009), and others.
4. Believing he/she who dies with the most connections wins:
7 Deadly Sins of Social Networking Security
Some folks, such as people on LinkedIn, are all about the number of people they are connected to, not who or how they know you.
Their friends could connect with you very easily.
Verify the person’s account; don’t add them unless you know them.
Ask why they want to connect & research who they are.
If you can’t identify 1 person on their list, might not want to connect or send them to LinkedIn Jail.
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
5. Password Sloth
7 Deadly Sins of Social Networking Security
Don’t use the same password for all social networks, banking, or work accounts.
Someone is likely to figure the password out and get your information.
"Using the same password on several sites is like trusting the weakest link in a chain to carry the same weight. Every site has vulnerabilities, plan for them to be exploited."
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
6. Trigger Finger
7 Deadly Sins of Social Networking Security
Clicking all links and applications.
Bad guys could send you links to give your pc/laptop malware.
http://www.csoonline.com/article/496314/Seven_Deadly_Sins_of_Social_Networking_Security
CSOonline.com
7. Endangering yourself and others
Posting birthday information or too much detail on family and friends: they could become the target of an identity thief or even a kidnapper.
9 or 10 Ways to Stumble in SM
1. Gaming the System
2. Putting on a Puppet Show
3. Flogging
4. Playing Coy
5. Forgetting your Users
6. Acting like you own the place
7. Looking down your nose
8. Letting it slide
9. Pitching without looking
10.
Gaming the System
o There’s nothing stopping you from trying to rewrite a Wikipedia entry to your advantage...
o Virgil Griffith's Wikipedia Scanner could make your life a PR misery.
o Brainchild of Cal Tech computation and neural-systems graduate student.
o Searchable database ties millions of anonymous Wikipedia edits to organizations where edits apparently originated, by cross-referencing the edits with data on who owns the associated block of internet IP addresses.
o The online world is full of talented people fanatically devoted to exposing online frauds and defending the integrity of the commons; cross them at your peril.
Putting on a Puppet Show
If only those social media sites had comments raving about you or your brand.
So why not log in under a false identity (what the online world calls a sock-puppet) and leave those comments yourself?
According to the U.S. Federal Trade Commission, Whole Foods CEO John Mackey tried it, trashing the competition and boosting his company on Yahoo's message boards.
The result: a Securities and Exchange Commission investigation... and a very public humiliation.
Flogging
If the sock puppet has a cousin, it's the fake blog, or "flog".
• All I Want for Xmas is a PSP blog, purportedly written by a guy begging his parents for the Sony gaming console, but in reality the creation of a marketing firm.
The blog was designed to become a meme, spreading virally across the Internet, and in a way it did, but not the way anyone at Sony would have wanted.
Instead, it was outed on the forums at Something Awful, and the meme's message was that Sony was duping the public.
Playing Coy
Outright dishonesty isn't the only thing that can trip you up.
Wal-Marting Across America blog:
• By a middle-aged couple driving their RV across the U.S.
• Camping overnight in Wal-Mart parking lots and telling stories about the wonderful people they met.
• Remarkable number of whom had glowing things to say about Wal-Mart.
None of this was untrue; the couple was genuine, the RV was an RV, and nobody's disputing the stories people were telling.
But what the blog didn't mention – anywhere:
o The whole thing was paid for by Wal-Mart itself
o from airfares to the RV itself.
The blog was outed, the story hit the mainstream media, and both Wal-Mart and their PR firm, Edelman, were left looking very much like they'd tried to pull something sleazy.
Forgetting Your Users
o Not Getting the Results Expected.
  • Many organizational blogs written in market-ese and utterly failing to engage visitors.
o The flip side of the nothing-but-spin blog is the nothing-but-nothing blog.
  • CEO letting us know how neat his trip was.
o Opportunity to offer:
  • Insights
  • Passion
  • Some thought leadership
o Please don't pass it up.
Acting Like You Own The Place
You may own:
• Servers
• Software
• Branding
But you don't own the community.
• Forgetting that, for instance by making big changes without consulting the community or, worse, letting them know why, is a recipe for disaster.
o Heavy-handed actions can be just as bad.
• When the Washington Post encountered a flood of abusive comments on one of its blogs, they could have decided to have a moderator approve each comment before publishing it, until the flood subsided. Instead, they temporarily suspended commenting altogether – and endured a week of accusations of censorship and bad faith.
Looking Down Your Nose
In January 2008, a blogger asked Target to explain one of their ads, which she felt was sexually exploitive.
Target's PR department replied by email: “Unfortunately we are unable to respond to your inquiry because Target does not participate with nontraditional media outlets.”
That garnered them a bunch of ill-will in the blogging world... and some bad press in one of those more traditional media outlets that Target prizes so highly.
Your selection of quality goods is so impressive; your blogger engagement strategy... not so much.
Letting it Slide
The real work comes in doing the gardening:
o Seeding new content
o Nurturing the shoots of new community
o When necessary, weeding out abuses.
Canadian politician Paul Martin launched a blog that went months without new posts.
The Blog became an embarrassment.
Setting up a blog or other social web presence is the easy part.
You don't have to search too far to find blogs and forums that have become playgrounds for comment spam.
Pitching Without Looking
Engaging with bloggers? Good idea.
Firing off impersonal pitches with no idea who you're talking to? Bad idea.
Blogs are highly personal endeavors
o Only a few earn income for their creators
o The rest are labors of love. Treat them that way.
Suggestion - Read a blog for at least a week, then join its commenting community, and then try pitching the author – in a personal way that relates directly to the blog's focus.
10th Way to Stumble
Make the participation positive and productive
Avoid pretty much any of the previous pitfalls
And that's to let the first nine scare you away from social media.
Start from the right place:
• Proceed with authenticity and transparency
• Respect your audience and the community you're engaging
• Understand that this can be hard work
• Dedicate resources accordingly
• Even if you do stumble, you'll have friends ready to catch you.
Top 10 Guidelines for Social Media Participation
o These guidelines apply to (company) employees or contractors who create or contribute to
  o blogs
  o wikis
  o Social networks
  o Virtual worlds,
  o or any other kind of Social Media.
Top 10 Guidelines for Social Media Participation
o Whether your employees or other stakeholders log into
  o Twitter
  o Yelp
  o Wikipedia
  o LinkedIn
  o Facebook pages
  o or comment on online media stories
o Should include all employees
Top 10 Guidelines for Social Media Participation
These rules should sound strict and contain a bit of legal-sounding jargon but please keep in mind that our overall goal is simple:
• to participate online in a respectful, relevant way that protects our reputation and of course follows the letter and spirit of the law.
Be Transparent
Be Transparent and state that you work for or represent the company.
o Your honesty will be noted in the Social Media environment.
o If writing about a competitor use
  o Real Name
  o Identify that you represent or work for an entity
  o Be clear about your role
Never Lie or Mislead
Never represent yourself or company in a false or misleading way.
o All statements must be:
o True
o All Claims must be Substantiated
Meaningful & Respectful
Post meaningful, respectful comments
o no spam
o no remarks that are off-topic or offensive.
Use Common Sense
o It’s best to ask permission to publish or report on conversations that are meant to be private or internal.
o Make sure your efforts to be transparent don't violate company's
  o Privacy
  o Confidentiality
  o Legal guidelines for external commercial speech.
Use Common Sense and Common Courtesy
Stick To Your Area
Stick to your area of expertise
Do feel free to provide unique individual perspectives on non-confidential activities at your Company.
When Disagreeing with Others
When disagreeing with others' opinions:
o keep it appropriate and polite.
If you find yourself in a situation online that looks as if it’s becoming antagonistic:
o do not get overly defensive
o do not disengage from the conversation abruptly.
Feel free to ask the PR Director for advice and/or to disengage from the dialogue in a polite manner that reflects well on your Company.
Writing about Your Competitor
o If you want to write about the competition:
o make sure you behave diplomatically
o have the facts straight
o have the appropriate permissions.
Never Comment on Legal Matters
Please never comment on anything related to:
o legal matters
o litigation
o or any parties your company may be in litigation with.
Never Participate In a Crisis
o Never participate in Social Media when the topic being discussed may be considered a crisis situation.
o Even anonymous comments may be traced back to your or your company’s IP address.
o Refer all Social Media activity around crisis topics to PR and/or Legal Affairs Director.
Be Smart about Protecting Yourself
Be smart about:
o protecting yourself
o your privacy
o Company’s confidential information
o What you publish is widely accessible and will be around for a long time, so consider the content carefully.
o Google has a long memory.
NOTE: Mainstream media inquiries must be referred to the Director of Public Relations.
Summary of Major Risks
Many organizations think the biggest risk of social media is that people will use it to say negative things about them.
o The biggest risk is actually the opposite:
o Organization creates a social media presence & nobody participates.
o Others garner participation, but the conversations quickly veer off-topic or into belligerent shouting matches.
o Others start off well, but can't sustain their momentum
o Some aren't ready to scale up, some encounter embarrassing technical failures, and some just quit and fade away.
Avoid the Fate of SM Risks!
So how do you avoid their fate?
o thinking about your audience before you think about your technology
o staffing up to encourage participation and put out fires.
o both knowing and pushing the limits of your organizational.
o These can all help.
But nothing works quite as well as knowing social media in your bones, and that means diving in yourself.
First Steps
o Build accounts, quickly start using various platforms to listen for your name, your competitor’s names, words that relate to your space. (Listening always comes first.)
o Add a picture. Your Audience wants to see you.
o Talk to people about THEIR interests, too. I know this doesn’t sell more, but it shows us you’re human.
o Point out interesting things in your space, not just about you.
o Share links to neat things in your community.
o Don’t get stuck in the apology loop. Be helpful instead.
o Be wary of always pimping your stuff. Your fans will love it. Others will tune out.
o Promote your employees’ outside-of-work stories.
Ideas On How To Handle SM
o Instead of answering the question, “What are you doing?”, answer the question, “What has your attention?”
o Have more than one person involved at the company.
• People can quit. People take vacations. It’s nice to have a variety.
o When promoting a blog post, ask a question or explain what’s coming next, instead of just dumping a link.
o Ask questions.
• SM is GREAT for getting opinions.
o Follow interesting people.
• If you find someone who uses SM in an interesting way, see who they interact with, and interact with them.
o When you DO talk about your stuff, make it useful.
• Give advice, blog posts, pictures, etc.
o Share the human side of your company.
• If you’re bothering to update, blog, or tweet it means you believe social media has value for human connections. Point us to pictures and other human things.
Some sanity for you
o You don’t have to read every update, blog, & tweet.
o You don’t have to reply to every message directed to you (try to reply to some, but don’t feel guilty).
o Use direct messages for 1-to-1 conversations if you feel there’s no value to Twitter, blog, or a public update to hear the conversation.
o Use services like Twitter Search to make sure you see if someone’s talking about you. Try to participate where it makes sense.
o Third party clients like Tweetdeck and Twhirl make it a lot easier to manage Twitter.
o If you update or tweet all day while your coworkers are busy, you’re going to hear about it.
o If you’re representing clients and billing hours, and tweeting all the time, you might hear about it.
o Learn quickly to use the URL shortening tools like TinyURL and all the variants. It helps tidy up your tweets.
o If someone says you’re using twitter wrong, forget it. It’s an opt out society. They can unfollow if they don’t like how you use it.
o Commenting on others’ tweets, and retweeting what others have posted is a great way to build community.
Some sanity for you (continued)
The Negatives People Will Throw At You
o Social Media takes up time.
o SM takes you away from other productive work.
o Without a strategy, it’s just typing.
o There are other ways to do this.
o SM doesn’t replace customer service.
o Most SM platforms are buggy and not enterprise-ready.
o SM is just for technonerds.
o SM is effective for a few million people (only).
o SM doesn’t replace direct email marketing.
o SM opens the company up to more criticism and griping.
Some Positives to Throw Back
o SM helps one organize great, instant meetups (tweetups).
o SM works swell as an opinion poll.
o SM can help direct people’s attention to good things.
o SM at events helps people build an instant “backchannel.”
o SM breaks news faster than other sources, often (especially if the news impacts online denizens).
o SM gives businesses a glimpse at what status messaging can do for an organization.
o SM brings great minds together, and gives you daily opportunities to learn (if you look for it, and/or if you follow the right folks).
o SM gives your critics a forum, but that means you can study them.
o SM helps with business development, if your prospects are online.
o SM can augment customer service. (but see above)
Contact us!
CIMA IT Solutions Corp.
TWITTER : @infosecpr | @twitpuerto
Raúl Colón, CISA, CGEIT
@ConsultantRC