Social Media Policies have become a standard of practice across companies, non-profits and governments large and small. Created by committee, and with a sprinkling of legalese, social media policies speak to the who's, whats, whys and hows of social media. IBM is often credited with creating the first social media policy in 2005 - https://www.ibm.com/blogs/zz/en/guidelines.html and Intel is often credited as "the" best practice policy for companies - https://hbr.org/2010/02/intels-social-media-employee-t. There is no shortage of good examples but the challenge that companies now face is that their social media policies, carefully constructed as they may be, have been unable to keep up with the rapidly changing social media landscape.
Social Media Risks Grow
As the gap between policy driven mandates and execution continues to grow so do the risks organizations face as a result. While policies have remained largely static, the people and the processes of an enterprise have sprawled onto social with little to no protection. The potential for damage is extreme.
Here are some of the ways an organization can identify the policy-to-practice gap they face, the risk and damage implications, and what to do about it.
1. Has my policy kept up with the growth of new digital communication channels and platforms? Teenagers worldwide have taken the lead in driving adoption of new platform after new platform, all likely introduced since many social media policies were created - from telegram, to WhatsApp, to Instagram. While companies and governments will always trail teenagers, a policy should reflect all the channels in use by the company and its employees for professional purposes. Even the name of many policies are no longer apt as social has become a subset of a universe of channels that are often considered digital. Policies should be updated to reflect the continuing growth to an expanding world of Digital channels including new types of channels where "how" the communication happens may vary.
2. Are practices required in the policy becoming cost prohibitive or at risk of becoming abandoned entirely ? A great risk a company faces is when, faced with a catastrophe, they find out that promised conduct in a policy wasn't followed for cost or convenience. For example, a common aspect of policies is the requirement of a liaison or moderator who is responsible for policing content for which the company is responsible. This was fine when a company had a single facebook account but the cost of 24/7, multi-lingual moderation of millions of posts has become impossibly expensive. Further, a moderating team can't pick up risks like malware and spam and can't be relied on to act consistently from moderator to moderator. Technology is a powerful tool for addressing the volume problem and can take a laborious, imprecise, process accomplished in arrears and bring it into real time. To close this gap companies need to map their promises to their practices to figure out what they aren't doing and look for a cost effective way to accomplish it.
3. Does my policy reflect the changing regulatory landscape? Whether it's GDPR, MiFID II or any number of regional regulations. An organization needs a means to articulate how a patchwork of regulations govern their behavior. Take something as simple as retention; an organization must retain digital communications just like email so acquisition of communication and storage are a must. Employees are using digital and companies now have new regulations about data residency and privacy which need to be followed by region, by nation, by state, by employee type even. Considerations like governance, archiving, employee consent and authorization tracking are critical.
4. Can I demonstrate my organization enforces its policy? For a long time, one of the biggest technology gaps was that organizations had no means of actually knowing "who" and "what" digital activity was going on. The expectation now is that a company can audit their digital activity and pro-actively scan for unauthorized activity. Further, an organization needs to maintain the audit trail of the actions they took. Companies need processes or technology to ensure vigilance and to record remediations.
5. Finally, what does my policy say about information security for digital? By many accounts digital has become the largest risk vector for companies. A new breach happens daily and digital, particularly social media accounts, are an easy or soft target. This wasn't anticipated when organizations first created social or digital policy. Now, hardening digital targets at a company and scanning for external threats is a must and security expectations or standards must be part of all digital media policies so when a new channel is adopted, it's adopted safely.
The digital transformation is still long from hitting critical mass, so the platforms we have will continue to grow: adoption will grow and risk will grow. Your policies need to grow too and if you'd like our help in assessing your risk we've written a white paper about digital risks that appear when policy is not aligned with practice, and we have developed a rapid assessment process that could help you make progress.