Cracking Social Media: Minimizing Risk, Maximizing Gain

Background
More connected, more integrated, and some of them are more addicted. It is the new
era of world. It is caused by the high of internet penetration to most over population rapidly.
The onslaught of internet provides every person a new opportunity to engage, share and
participate for every moment and to enable a new collaboration, not only between the site
owners and internet users, but also among internet users. This era also become more massive
with the proliferation of social media and smartphone that allows interaction and participation
takes place more easily, because all participants connected automatically.
Friedrich, et. al. (2010) call this era as the new born of generation-C. C is connected,
communicating, content-centric, computerized, community oriented and always clicking.
Having owned digital devices all their lives, they are intimately familiar with them and use
them as much as six hours a day. They all have mobile phones and constantly send text
messages. More than 95 percent of them have computers, and more than half use instant
messaging to communicate, have Facebook pages, and watch videos on YouTubei.
In Indonesia, Oei (2014) mentions if internet penetration at 2013 has reached 72.7
million people and is predicted to increase to 93.4 million at 2014. Most of internet users
demographically are dominated by younger generation between 12-34 years old (58%), based
on the activity are those who work (53.3%) and on the profession is the white collar (63.4%).
Internet users are generally much access via smartphone (65.7%), desktop PCs (52%) and
notebook (45%) are generally used for social media (87.8%), browsing (68.9%), looking for
news (68.3%), downloading or uploading video (62.1%) and email (57.9%). Meanwhile,
smartphone users continue to grow 38.5% in 2013 and are predicted to reach 71.6% in 2015
from mobile phone users in Indonesia. In 2013 social media users is 92.3% of total Internet
users with the great platforms are Facebook (95.7%), YouTube (47.6%), Google Plus (37.6%)
and Twitter (29, 4%)ii.
Based on above condition, the social media forces the company to make a great
strategy to face the opportunity (and threat). Neti (2011) in her research concluded, the role of
social media for company is not only about in marketing way, but also to share their expertise
and knowledge, tap into wisdom of their customers, enable customers helping customers,
engage prospects through customer evangelism so that able to reduce cost, increase of
probability of revenue generation and increase the brand awareness for a long termiii.

A recent study, The State of Small Business Report, sponsored by Network

Solutions, LLC and the University of Marylands Robert H. Smith School of Business (2011),
point to economic struggles as the catalyst for social medias rapid popularity. The study
results show that social media usage by small business owners increased from 12% to 24% in
just the last year, and almost 1 out of 5, actively uses social media as part of his or her
marketing strategy. In 2009, only 23% of marketers were using social media for years. Now
that number has grown to 31%. Today, among Fortune 500 firms, 77% have active Twitter
accounts, 70% have Facebook pages and 69% have YouTube accounts. About one-third
(34%) maintain active blogs, 57% build network through a site such as LinkedIn, and 69%
post status updates or articles of interest on social mediaiv.
A significant sticking point when it comes to properly leveraging social media is
dealing with the many risks to which companies are exposed. According to the 2014
RiskTech100 report, published by Accenture and Chartis, reputational and brand risk is the
one most often discussed, and certainly it is a serious one. Negative exposure on social media
sites, or inappropriate or unauthorized action in the companys name, can result in lost trust
and lost revenues. Social media risk affect in three parties: the company/institution; the
customer; and the social media companyv.
If not effectively mitigated, these risks can lead to serious negative consequences
including fraud, intellectual property loss, financial loss, privacy violations and failure to
comply with laws and regulations. For example, based on Accenture Finance and Risk
Services research (2014) said if the biggest risk for major US bank is their employees
disclosing information about their clients on social media. This risk is especially prevalent
given the growing presence of Millennial in the workplace, because they are accustomed to
sharing personal information and many of their current activities over social media. At times
there is over-disclosure of their personal life moments, which can bleed over into their
professional life momentsvi.
Based of above background, this paper offers an approach to crack social media as the
new holistic strategy for company which could adopt to impalement for their business
strategy or as a new references. Cracking, beyond Prof. Rhenald Khasali is breaking the code
of changes, do not embrace the principle of wait and that is adapted to the professionalsconventional, but immediately act and break through cracking zone. So, cracking in this
paper is the new way how we are looking for a gap and opportunity of social media risk, how
we minimize risk and how we maximize gain.

Mapping Risk of Social Media: Where are the Opportunity?

From business dictionary, risk is a probability or threat of damage, injury, liability,
loss, or any other negative occurrence that is caused by external or internal vulnerabilities,
and that may be avoided through preemptive action. While offering a host of potential
business benefits, the use of social media can expose companies to numerous business risks.
Most of these risks result from a combination of organizational weaknesses and
vulnerabilities exposed through data misuse and data sharing. Risks are also embedded in
what appear to be innocuous features of many social media tools. For example, an executives
Facebook or LinkedIn profile can potentially leak material of value for competitors who
might be able to be mine their contacts and post to acquire inside information about the
companys plan. Executive who use the Trip feature of LinkedIn to announce where they will
be traveling open themselves up to followed. So for whatever reason and whatever the pace at
which company embraces social media, the channels many risks must be identified,
monitored and managed. To be prevented is a situation in which company extends their social
media exposure before recognizing and anticipating the threats.

Compliance

Type of Risk
Foreign and domestic privacy law

BM

HR

Primary Impacted Risk

LG
RM
PR
IA

Explanation
IS
Regardless of how companies and
individuals define or perceive
privacy, companies
need to
understand
the
privacy
and
protection laws, including those in
countries in which they do business.

Mitigation:
Create social media policies, including those relevant to privacy issues
Communicate to and train employees on social media policies and the risks related to privacy
Consider whether a particular platform is appropriate for the nature of the interaction or information being shared
Managing Compliance with other Company

Policies
Mitigation:
Social media policies should explicitly state when other internal policies apply when it comes to social media use.
Social media policies should be clear on the ramifications of policy violation such as disciplinary or other action.
Monitoring should be considered to detect associate non-compliance with internal policies.
Associate relations and managers should be engaged when non-compliance is detected.
A well established and ongoing awareness and training program should accompany any changes to policy, especially in areas as nuanced as social
media.
Information Retention Management

Mitigation:
Education should be pervasive given that such a policy most likely would affect all employees.
Employees should be provided resources to help them make appropriate decisions when interpreting the social media and related policies.
Data retentian tools.
Endorsement Guidelines

Mitigation:
Bloggers or other online publishers including individuals participating in social media must disclose relationships with advertisers when they

Legal

receive free products for review, compensation or other consideration. This enables the consumer to better decide how much value to place on the
publishers opinions about the product.
Company policies and practices should be developed for educating associates, bloggers and other endorsers regarding disclosure requirements.
Guidelines around required disclosure format should be included.
Monitoring advertisements for endorsements on key web sites and social media sites should be implemented to ensure proper disclosures have
been made.
Labor Relation

Mitigation:
A clearly posted and well communicated Social Media policy around the usage of social media on and off network.
Carefully consider reason for discipline, and consult with the Legal and Human Resources departments.
Understand labor laws and maintain a relationship with Legal and Human Resources.
Verify information obtained on social media not all information is accurate.
Companies should review their liability insurance programs, including employment practices coverage, to ensure they are financially covered if
they are sued by employees, job prospects or government agencies.
Payment Card Industry

Mitigation:
Policies and procedures should include specific controls around posting of card data.
Debit card account numbers and credit card account numbers must always be truncated or masked, regardless of their association with other data.
Marketing Laws and Regulation

Mitigation:
Perform a risk assessment.
Review content prior to posting.
Establish, socialize and enforce a Corporate Social Media policy addressing personal and corporate use expectations to minimize risk of noncompliance to laws and regulations.
Establish process and accountabilities for ongoing site content monitoring, identification, escalation and remediation of any issues of noncompliance.
Lack of Separation of Personal and Professional

Communication
Mitigation:
Employees who are assigned responsibility to manage a corporate presence on a platform either through a personal account or professional
account need to be sure they can distinguish between business and personal communications.

Operational

Conduct all work-related social media contacts at work and on company equipment
Only read and respond to messages, alerts or postings from the specific webpage to which they are attached.
Civil Litigation

Mitigation:
As with any other risk resulting in harm to the employees firm, strong policies and procedures outlining the use of social media both
professionally and personally reduce civil litigation risks. Employees should be fully trained on proper usage and understand all policies,
procedures and consequences for failing to comply.
eDiscovery

Mitigation:
Set policies on the use of social media sites and the use and preservation of information, including information on social media sites.
Communicate to and train employees on these policies and the risks of using social media.
Establish an information retention program, and document gaps and plans for remediation. Use the same principles for social media sites.
Take inventory of social media sites used by your organization. Research and understand the controls and policies set by these social media sites.
Look into software that is available for the preservation and production of social media information.
Make your best effort. Maintain consistency with retention and discovery practices, and demonstrate logic in decisions made regarding these
practices.
Identity Theft

Mitigation:
Think about keeping some control over the information you post. Make sure your screen name doesnt say too much about you. Don't be
scammed.
Choose your password carefully.
Spreading Malware

Mitigation:
Social networks have become an essential part of the business mix, so institutions cannot just block access to them. Instead institutions need to
apply security measures, educate employees and customers, and implement training, policies and procedures to mitigate the risk.
Use a third-party vendor to monitor IT infrastructures, scan all files downloaded and keep security patches up to date.
Utilize full-disk encryption software to render hard drive data illegible to anyone that doesnt have proper authorization.
Create and consistently use a unique shortened URL so that customers recognize your institutions links and know that they can be trusted.
Social Engineering

Mitigation:
Continual education and awareness is key to coaching employees to heightened awareness of sophisticated social engineering exploits and

tactics. Depending on the accepted or anticipated extent of usage of social media channels by employees, contractors and/or clients, training
should be as specific as possible to the potential exploits of social engineers and does not mean blocking social media from financial institutions.
Disclosure of Intellectual Property or other Sensitive

Information
Mitigation:
Company policies must be adhered to, one example being not disclosing any non-public financial or operational information.
Make it clear that the use of company computers or networks to access social media is subject to review by the company and that there is no
expectation of privacy when utilizing these computers or networks.
Create a mechanism for reporting any violations of company policy that occur through the use of social media.
Designate a manager that has oversight over the use of social media that has the responsibility to review all reported violations.
Providing employee training that spells out what should or should not be shared when utilizing social networks and making certain that they
understand how they can be exploited through social engineering when on a social networking site.
Products Lack Maturity

Mitigation:
create a policy and guidelines for the overall organization regarding social media and the specific individual, or team, that have will be accessing
the company social media profiles.
To reduce potential account security risks an organization can limit access to only select individuals. Another option is to use a free or fee-based
tool.
Post social media disclosures on your profiles and company site advising customers that your organization will never ask for personal or account
information, that the company is not affiliated or responsible for the security, privacy or any other operations of social media sites, and that the
company reserves the right to remove posts that are inappropriate.
Physical Security Risk

Mitigation:
Limit the information you share on social media sites.
Be alert and be wary. When all else fails, remove your social media accounts.
Know your friends. Dont friend someone you dont personally know. Stalkers are masters at creating fake personas in order to connect
with unknowing victims.
Social Media Content is Forever

Mitigation:
Strategy toward controlling negative online content is to not remove it but make it irrelevant. By careful use of online search engine terms,
advertisement campaigns, and website creation, more positive entries can appear at the top of search results while negative results fall down or

Reputation

off the first few pages of search results.

Lack of Associate Productivity

Mitigation:
Blocking social media sites is one way of reducing lost productivity due to use of social media.
Create a social media policy which outlines expectations, acceptable behaviors and consequences.
Provide proper supervision.
Monitor use of social media sites.
Look for ways to harness the use of social media in a positive and productive manner.
Lack of Monitoring

Mitigation:
Monitoring plans should include a clear response plan and escalation contacts for negative or harmful postings from both external and internal
sources. Additionally some standards for immediate post/comment removal for inappropriate content should be in place.
The scope of monitoring should be defined as part of the monitoring plan. Since the Internet is virtually endless, it is imperative to prioritize your
monitoring efforts.
The monitoring plan should include keywords that are relevant to your social networking efforts and marketing campaigns. At the least, you
should consider tracking your company name, key executives, competitors, taglines and product names.
Various monitoring tools are available to support monitoring efforts. Tools should be selected that match your social media strategy.
Reputational Threat

Mitigation:
Training employees on social media use, risks, company policies and guidelines is the first line of defense for preventing inappropriate
dissemination of content by employees and for sensitizing them to potential reputational risks from outside sources.
An institution should clearly identify reputational threats and the criteria for determining potential risk to a companys reputation.
Insufficient Employee Training

Mitigation:
Mitigation of such risks can include a corporate-wide PR campaign about social media use targeted to employees, training programs to
familiarize select employees on social media tools and regular communications about social media use to increase awareness of risks and best
practices.
Could be shown cautionary language against divulging personal information such as date of birth or social security or account numbers.
A company may offer tips to its clients on optimal privacy settings for the different social media platforms used.
Negative Brand Impact

A robust 24/7 monitoring system, also known as an Online Reputation Management platform (ORM), to listen for negative or defamatory content

in real-time.
As support to brand monitoring, a company must develop and implement a clear crisis communications plan that includes a step-by-step
escalation process for directing negative commentary to the proper departments and individuals to handle.
Additionally, timeline responses are important so client or report queries swift responses and escalation. A failure to respond in a timely way can
reflect poorly on a companys commitment to client service, and hence the brand.
Responses to comments and complaints must always be sincere and direct.
Comprehensive, mandatory training is essential for staff charged with monitoring, assessing and escalating potential threats or client queries so
that company response is prompt.
BM: Brand/Marketing
PR: Public Relation
HR: Human Resource
IA: Internal Audit
: Area Where Primary Impacted Risk happen
L: Legal
C: Compliance
RM: Risk Management
IS: Information Security

Minimazing Risk, Maximizing Gain

i Friedrich, Roman., Michael Peterson, Alex Koster, & Sebastian Blum. 2010. The Rise of Generation C:
Implication for The World of 2020. PWC.
ii Oei, Danny. 2014. Indonesian Digital Landscape 2013. Jakarta: Merah Cipta Media.
iii Neti, Sisira. 2011. Social Media and Its Role in Marketing. International Journal of Enterprise
Computing and Business System. Vol. 1 Issue 2.
iv Network Solutions, LLC. 2011. The State of Small Business Report: January 2011 Survey of Small
Business Success. Rockbridge Associates, Inc
v Chartis. 2013. 2014 RiskTech 100 Report. Chartis Research Ltd 2013.
vi Accenture. 2014. A Comprehensive Approach to Managing Social Media Risk and Compliance.
Accenture