One of us was recently asked for some advice by a quite well-known international organisation which was concerned about helping its staff understand and manage social media risks a bit better.
A fairly typical corporate response in this type of situation would be to look at ways to restrict social media usage further, including adding levels of permissions needed to make posts and screening content on corporate social media channels more actively.
However what made this request a little more complex and also interesting from our perspective, was that because of what this organization does, it requires far more of its staff to actively use and engage with social media than a firm of its size usually would, and for them just adding more restrictions wasn’t going to work either for their staff or their business model.
So this was a situation where managing the risks of social media really did mean trying to look at both the advantages and the disadvantages (or to use risk management terminology, the threats and opportunities) of social media, not just the bad stuff.
As most of us probably already know there are lots of potential corporate benefits to using social media. It provides opportunities to share views and opinions, promote products and services, build organizational brands, engage with customers and other stakeholders, and recruit new talent amongst other things.
If desirable, it can also allow staff within an organization to network and gain personal recognition too as well as recognition for their employers.
The downsides include reputational damage when social media engagement or more generally public relations go wrong, the potential for social media channels to be used to introduce malware into corporate systems, accounts being created and then abandoned, the unintended release of sensitive business information, and other types of over-sharing, including giving too much information away to competitors.
As with other forms of marketing there might just also be a failure to connect with intended audiences in the way that it was planned and hoped.
Sometimes individual staff members can also be subjected to harassment and threats that go beyond organizational boundaries, for example in cases where a dissatisfied customer starts pursuing a company point of contact on personal as well as business platforms and sites, or in situations where someone with a higher public profile like a entertainer, journalist or sportsperson is subjected to other types of unwanted attention, including personal threats and / or stalking-style behaviour.
There are mental health considerations too. Formal academic research has offered some diverse findings about the potential benefits and harm of social media on mental health, but there is growing evidence to suggest that for at least some people the use of social media has negative effects on their mental health.
In one study published in 2017 in the American Journal of Epidemiology for example researchers found that increased use of Facebook corresponded with a decline in self-reported feeling of mental well-being. In other words, the more of it that someone did the less happy they felt.
In another Facebook survey by Stanford and New York University researchers, the results of which were released last year, “small but significant improvements in their levels of happiness, life satisfaction, depression, and anxiety” were observed when subjects in the study were asked to take a 4-week break from it.
It’s definitely a subject that needs more formal research in relation to both the short and long term effects and different social media platforms as well as just Facebook, in order to help us all work out what are the best solutions for ourselves and our businesses.
However if a business is expecting social media engagement to be a formal part of someone’s work duties, then there is also, at very least, a moral responsibility to ensure that adequate health support is provided for those staff. Just as a worker is given a hard hat and boots on a worksite because of potential physical health hazards, there should also be measures in place to prevent damage to mental health from online activities that are potentially harmful.
Depending on the legislation in place where the business is based and the employees work, there may also be legal obligations to protect them too.
So What Can We Do?
Coming back to the original question, which was what to do in situations where a business needs its staff to engage consistently on social media, this section looks at some ideas to think about. These would also be useful if you are self-employed or are in a situation where you have to use social media publicly as an individual too.
- Education and Training Make sure that anyone who is expected to engage in social media for professional reasons understands what the potential corporate and individual threats are, and what they can do about them. We listed some of these above, but there are many more. Learn about the dangers of social engineering and manipulation, and look at cases studies where people have got it right and wrong.
- Know Your Apps and Platforms Make sure everyone knows how to use the different apps and platforms they are expected to use. This doesn’t just mean the basics of making posts, but really understanding levels of permissions, geo-location settings, what it means when you follow someone, connect with them, or when you share or like a post, and what information a picture you are sharing might contain. Know how to block and ignore. Think about the pros and cons of different features and then lock them down accordingly or accept the risks knowingly rather than through being unaware of them. No responsible business would tell someone to use a new worksite tool without first telling them how to use if safely, so why should it be different with apps?
- Plan in Advance Look at your work activities. Are you about to take part in a project that might be unusually controversial or particularly likely to generate trolling and other types of negative social media interest. If so, be prepared individually and organisationally by locking down personal accounts, cleaning up information that is out there already, brainstorm potential lines of criticism and pre-design some responses to the ones that are most likely. Think about the short and long term effects, is it going to be something that creates a quick shock and then goes away in a news cycle or is it something that could last much longer? Either way, consider what further step on- and off-line you can take to reduce the threats and enhance the opportunities, and above all else don’t leave it until you are in the middle of social media storm to start to learn about your options.
- Separate Business and Personal This one might not work for someone who is trying to build up a personal brand that relies on openly sharing their personal life like some influencer profiles, but for many people using social media in a professional context they should think about having separate business and personal accounts, then restricting access to the personal one and trying to avoid crossover between the two. This does require some work but if you are someone starting to build a career online and want to keep some separation, the earlier you do this the better as a particularly vulnerable point is that transition from being a private individual to being in the public eye: think for example a singer who has sudden success on a show like Pop Idol or an emerging sportsperson, all it takes is one clip to go viral and you are viral too. This also includes IT security basics like using different passwords and login information for public and private platforms.
- Don’t Feed The Trolls Individuals and groups who deliberately troll are not seeking to have a constructive debate: there is no “win” or “lose” for them because they are only seeking noise, and through that noise to gain both further legitimacy and followers for their particular viewpoints or grow their self-esteem at the expense of yours. If responsible or notable businesses and individuals engage with them this gives them and their opinions more online validity and importance. So yes, do have some strategies for responding to and engaging with genuine inquires involving you or your businesses but no, don’t give oxygen to trolling. (1)
- Think About Conflict Resolution Techniques There are techniques that designed for conflict resolution in the offline world that can apply online too. These include:
- Knowing when to walk away. If you are someone whose conflict resolution style is to try and out-compete, try to recognise this and try not to stay in debates and online conflict longer than you need thinking you have to try and “win”. (See above comments about trolling). In many cases you cannot win and will only benefit the adversaries by trying to win.
- Recognising what’s a rant versus a narrative Does the engagement have a constructive theme to it or is it just circular and insulting (by circular we mean just coming back to the same ideas and not really going anywhere). If it’s a rant then you should probably ignore or block. Remember that social media is designed in a way that makes it difficult to make complex arguments about topics in a way that can compete against memes that tap into populist narratives.
- Bringing in a 3rd Party. If you find yourself involved in an exchange on social media that is unwelcome, have a think if there is anyone else you can involve. There might be an official spokesperson or someone else within your organisation who might be able to respond better. If we are talking about threatening behaviour, this 3rd party could be the platform itself, a designated risk or security officer or even law enforcement authorities, particularly if there are indications that online and offline threats are coming together. Record and Report if necessary.
- Encourage Staff to Stop, Think and Breathe When we are upset and emotional we tend to think less clearly. Not only does this lead to us potentially making comments that are not well thought-out, it also greatly increases our exposure to threats like malware which are helped to spread by careless, emotional clicking. So just like in the offline world, if you feel stress rising take a moment to stop, reflect, breathe and then respond, or not because after you have taken a moment to stop think and breathe you might not think it is worth engaging anymore.
- Understand What is Out There With Your Name On It We should all think carefully about what we say and put online, however if there are things that have your name or profile attached to them that are historic or no longer represent your views, you should try to remove them. If that’s not possible at least understand that they are out there so that if they are ever brought up against you it doesn’t come as a surprise and you have already thought about ways that you could respond.
- Have Supportive Policies and Procedures Policies and procedures don’t always need to be made more restrictive, but they do need to be made more helpful. These could include:
- Making sure staff know they have the ability to disengage, and that corporate will still support them if they do.
- Consider making social media break periods mandatory.
- If there are some minimum desirable privacy settings for certain applications, then consider making that into a formal procedure.
- If there are some mandatory responses (for example, automatic blocking or reporting in response to certain types of behaviour) make sure that staff know this. It will take away some of the stress of having to decide for themselves.
- Make sure they know the mechanisms to report harassing, threatening or abusive behaviour. Not only because it will help your staff manage the situation, if the company doesn’t have clear picture of what is happening it makes it difficult to respond effectively or offer the right kind of support too.
- Offer Access to Counselling Services That Understand Social Media Risks Larger firms often have either in-house counselling services or provide access to this service externally. Make sure that staff know where they can go to get the support, and for those who are required to regularly use social media make sure that these services understand the particular vulnerabilities associated with it. This could be further augmented by mandatory screening for those who are most often involved in social media activities.
- Consider Auditing for Vulnerabilities Consider the possibility of doing audits on staff social media profiles: what is out there, what is accessible and what could an adversary learn from this. This could be done in-house or via a external 3rd party. We are not talking about trying to hack or socially engineer your own staff, just taking a look at what is out there. Getting the agreement of the individuals is highly desirable too, as this could be seen as excessive intrusion without expressed consent even if it doesn’t need further permission from a contractual point of view.
There’s a lot to think about on this topic, and it continues to change as new applications appear and become influential. This post doesn’t include everything you need to think about but hopefully stimulates some thought, particular about managing social media risks when you need to use social media rather than just adding more restrictions.
(1) There is some good information and ideas on how to respond to trolling and deliberate attempts to spread misinformation and hate-speech on the website of Centre for Countering Digital Hate https://www.counterhate.co.uk/ including their Practical Guide on Dealing With Hate On Social Media.