Digital Governance

Is your business up-to-speed with digital governance? It might not sound like the most exciting of questions. But it is an important one.

Digital governance involves the processes and guidelines, overseen by an organisation’s Board, that define the ways that the opportunities and risks associated with digital technologies are managed.

It is a lot wider than “best practice” in e-commerce, content management and digital asset management. It’s about responding to, and managing the use of, digital technologies across the whole of an organisation: finance, HR, marketing, sales, IT and operations.

Digital governance is important as a separate and defined part of wider corporate governance principally because digital technology is increasingly becoming a vital part of the lives of consumers and because more and more business involves digital technology. These days, make a bad call about digital and the chances are you are causing real damage to your organisation.

But digital governance is also important because the way regulations apply to digital technology is not always well understood and this leaves organisations open to risks of compliance failures. (Never mind that the regulators themselves are sometimes not up to speed and can fail to make things clear!)

While digital governance is complex, most organisations can conveniently consider it within a number of different topic areas:

  • Business strategy
  • Cyber risks
  • Social media risks
  • Regulatory compliance
  • Talent acquisition and management
  • Investments and returns

Let’s briefly take these one by one.

Business strategy

How does digital technology affect business strategy? Senior executives need to ask themselves whether they understand consumer trends; for instance, are they keeping up with the way that many consumers are moving away from fixed internet access to smart mobile devices?

And there is a need to look wider than consumers. How are your competitors reacting to digital technology? Can you work with suppliers in a different way, cutting costs and timescales, through the use of digital? And how does digital technology affect the PESTLE (political, economic, social, technical, legal, environmental) landscape?

Finally, while no one can predict the future, it’s as well to be aware of potentially disruptive technologies on the horizon. Don’t spend too much time on this as it is easy to get wrong. For instance the jury is still very much out on whether wearables (at least as currently developed) will have popular applications wider than health and fitness. So spending a lot of time and effort in this space may be wasted (sometimes there is a lot to be said for “second mover advantage” as Google, Apple and Facebook have all discovered).

Cyber risk

It’s easy to give up on cyber risk and say “Well, if it happens, it happens. I leave that to the geeks in the IT department”. But Boards have a statutory obligation to oversee risk management and report on it and that includes cyber risk. It’s important because cyber risk can cause damage to operational efficiency, reputation and share price. So Boards really do need to get a handle on this and equip themselves with the knowledge to be able to quiz IT specialists.

For instance, good IT people will know that cyber risk is not just about defending networks. It involves defending information, wherever it is. And it’s often driven by phishing rather than brute hacking. Are you equipped to question your IT team about this?

In addition there is a need to monitor identity theft and fraud sites and this may not even be part of your IT team’s remit.

Social media risk

Part of cyber risk is social media risk. This is little understood but can have massive impact as New York Stock Exchange investors found when $130 billion was wiped off stock values as a result of a single tweet from a Twitter account that had been hacked.

Social media risk can cause reputational damage but the risks go wider and can affect business strategies, recruitment, compliance and legal risks such as libel and discrimination. In order to defend against these risks companies need to manage employee use of social media as well as listening to and managing public social media comments.

Compliance

Digital technology can cause many compliance issues. For instance inappropriate social media use can result in fines for breaching advertising regulations or Fair Trading rules. And careless data protection can result in considerable fines (and reputational damage). Potentially there are also dangers around accessibility and disability discrimination: for instance if you offer a service online and are not taking reasonable steps to provide access to the disabled (such as the visually impaired) you are breaking the law.

In addition many industries have their own regulations that are impacted by digital technologies. For instance financial services and pharmaceutical companies have particular requirements about recording interactions with consumers that are increasingly difficult to meet in the light of social media technology.

Human resources

Digital can also affect how organisations attract and retain talent, an issue of major concern to many Boards. Issues to consider include:

  • How to use social media profiles during the recruitment process without risking accusations of discrimination
  • How to manage employee use of social media at work without de-motivating people and without being accused of invasion of privacy
  • How to ensure that employee’s use of social media does not leave an organisation open to vicarious liability
  • How to manage any damage to the “organisation-as-an-employer” brand that happens via social media
  • How to ensure that irresponsible or disaffected employees cannot damage the organisation’s brand by unmonitored access to social media accounts

Investments

Finally, Boards need to ensure that digital investments are appropriate, and deliver appropriate returns. Questions to ask here include:

  • Do web and mobile assets deliver value from a user perspective, ratger than simply from an organisational viewpoint?
  • Is any spending on digital advertising appropriate and are returns being reported accurately?
  • Do digital investments, for instance in websites and apps, assist or hinder a consistent and positive brand experience across all channels?
  • Is there an appropriate strategy for developing digital assets across the organisation so that redundant investment is avoided and ownership is managed?

Managing digital governance

Managing digital technology is now key to almost any organisation. A structured process is required. This should involve auditing technology touchpoints, listening to social media activity, controlling how employees use social media, preparing for difficult situations, and archiving any conversations with consumers in case of future legal requirements. In addition it is important to develop a culture that is prepared to learn from events rather than simply blaming people when unexpected things go wrong. More on this in a subsequent post.

Advertisements

The Tory minister, the fake Sophie Wittams profile, & data security

The hilarious-if-it-wasn’t-so-tragic incident of Tory minister Brooks Newmark sending dodgy pictures to a male journalist pretending to be a female party worker raises an interesting data security issue for business.

It would be very easy to build a credible Twitter profile of an important person (say a prospective client), using a photograph of them taken from the web and buying a large number of followers to make the profile look genuine.

This profile could then be used in two ways:

  • to publish misleading information
  • to gain the trust of other people who are happy to communicate via Twitter with the prominent person

In the latter case, the person behind the fake Twitter profile might reference a particular person (the “victim”) in a number of tweets in the hope that the victim would follow the fake profile. Once that connection is established, the fake profile can communicate privately via Direct Message with the victim soliciting information (rather than dodgy pictures). Alternatively the fake profile can simply address public tweets to you by putting your Twitter name at the start of their posts.

Similar scams could take place on LinkedIn and Facebook although in both of those cases it might be more difficult to build up credible profile with lots of connections/friends as connecting on these platforms is a “mutual” action that both parties need to agree to, whereas on Twitter you can follow people without their permission and buy “followers” for a few dollars thus easily building a credible profile.

How can businesses (and politicians) guard themselves against false Twitter profiles? If someone you think you may know engages you in conversation on Twitter about a strategically important issue:

  1. First, check out the number of connections the profile has. If there are only a few then you should check out whether they follow lots of people and whether they are active on Twitter. A profile with only a few connections should be checked out. Call them up and ask if they are messaging you on Twitter. (The fake “Sophie Wittams” profile that brought Brooks Newmark down had 52 followers and had tweeted 172 times, so the journalist responsible had taken care to build a credible profile over a period of time.)
  2. Second, check out the authenticity of the followers the profile has. You can use a service like twitteraudit.com to see how many fake followers a particular account has. Too many (more than 50%) and you should be suspicious.
  3. Third, check out their profile. Does it look genuine: for instance does it contain a recent photograph and perhaps contact details or other personal information? If not, then you are right to be wary.
  4. Fourth check out whether there are any similar profiles on Twitter. Search for their name, and variants of their name, to see if there are other accounts that seem to belong to the same person. If there are several similar accounts all seeming to belong to the same person, you will need to discover which is the genuine profile.
  5. Fifth, check out whether the person with the name on the profile has connected with you before on Twitter, but under a different profile; if they have then something may be up.
  6. Sixth, if you are suspicious use the profile image to search Google. It may indicate that the photo belongs to someone else (but if it doesn’t, don’t take this as proof that the photo is genuine)
  7. Seventh, if it seems too good to be true for any reason, then it almost certainly is! (Politicians take note.)

LinkedIn is slightly more difficult to check out as it isn’t possible to detect fake connections (and depending on the account settings it may be impossible to see them at all). However, it is still possible to check out the number of connections, the extent of the biography and the level of activity. If a profile looks incomplete, unused, and with few connections then you might want to treat it as suspicious. In addition, check whether the profile seems to have connected with you before: if they have then the chances are that one of those profiles is a fake.

Facebook? Well my advice here is to avoid business conversations on Facebook. Connect only with people who are genuine friends, not business acquaintances. And never discuss business on a Facebook page or via any form of Facebook messaging.

Back in 1993 the New Yorker magazine published a cartoon with the caption “On the Internet, no one knows you are a dog”. This is still very true, especially in social media. And it is something that anyone with an interest in data security needs to remember.

Are mobile devices a threat to your business?

How many of your employees have smart phones? Probably a high percentage. If so, do you recognise the risks that employees with smart phones can pose to your organisation?

Loss

First of all consider what might happen if an employee lost their mobile phone. Inconvenient for them of course.

But what if they have synched Outlook with the phone? Someone who finds it could have access to emails, office contacts, their work calendar…

If that is the case then you will want to know that their phones are protected with a good password. But you also need them to agree to allow remote locking and wiping on their phones so that if they do lose their phone you won’t lose confidential information.

Listening in

Smart phones can be turned into spyware.

Malware can be used to hack into content on smart phones meaning that sensitive emails and office calendars can be read by outsiders.

But there’s worse. There are freely available apps like flexispy that can remotely spy on call logs and emails; track location; and even record surroundings. A phone that contains software similar to flexispy could potentially create an audio record and even a video record of a business meeting with the owner totally unaware.

At present this would probably involve someone having access to the physical device, unless of course the user downloads malware masquerading as a genuine app that requires access to the devices’s microphone or camera.

Education is key. And there is a case for insisting that employees who wish to bring smart phones into your premises are obliged to install appropriate protection software. You might even want to go as far as forbidding the presence of mobile devices (including iPads) in important meetings (which if you want to improve productivity wouldn’t be a bad idea anyway!)

Location tracking

Do you want your competitors to know where your employees are? What if you are negotiating a tie up with company in another city? Or investigating whether to export o an overseas territory?

You don’t need to have a phone infected with malware to give this information away. An employee taking photos and uploading them to a social media platform might accidentally disclose this information for instance via the Facebook Timeline Map.

If the location of an employee is at all sensitive then you need to educate them to edit the location settings on their phones and their Google accounts.

Managing the risks

The more employees’ personal mobile devices are given access to corporate information, the greater the requirement for organisations to understand and take action to manage the risks of information leaking those personal devices.

Educating employees about the risks is the cornerstone of any strategy. But a requirement that employees implement security software on any personal devices brought into a corporate environment is also increasingly important.

How to manage your reputation online (4 of 4)

Responding to critical posts

People are posting very unpleasant things about you in social media. What can you do about it?

You have prepared well. You have registered all the necessary social media accounts. You have built up a strong online profile. And now your efficient social listening process has uncovered some unpleasantly critical comments.

But those unpleasant comments are showing up right at the top of Google’s  results when you search for your name. You need to take action.

Now, if the comments are untrue (as opposed to opinion) then you may have some legal redress: although that is expensive and sometimes self defeating if it casts you, or your organisation, in the role of a bully.

So if you don’t want to go down the legal route, or if the critical   comments are true (I am sure they are not!) what else can you do?

The first thing to accept is that you probably won’t be able to get rid of the comments completely. What’s on the web remains on the web. Even if you can somehow get the original source taken down, the chance is that the comments have been repeated somewhere.

Your strategy is to make the comments less prominent. And this means making sure they don’t feature in the first 4 or 5 search results and ideally taking them off the first page of Google’s search results: results here get 94% of clicks with only 6% on the second page and almost nothing on the third page.

Engage

So how are you going to do that? The first step, if the criticisms are justified, is to engage with your critics. Disarm the criticism by apologising for whatever you have done wrong and explain what you are planning to do about it; remember to take any discussion with critics offline if you possibly can. The intention here is to limit the damage so that further criticisms are not posted.

Try to take the links down

The next step is to try to get rid of the information or the links to it.

  • Ask for the page to be taken down by approaching the webmaster and explaining why the comments are unfair (OK this probably isn’t going to work unless the comments are libellous, but it is worth a try)
  • Ask Google to take the links down. As a rule they won’t unless the links lead to a page with highly sensitive personal information such as a signature, credit card number or a social security number. However, for European websites they are now bound to go further and take down links to content that is “irrelevant, outdated or otherwise inappropriate”. At the moment it is Google’s call whether to take the links down; there is no guarantee that they will and in any case as things stand at the moment the links will still be there on non-European versions of Google

Make sure your own pages rank higher

If that doesn’t work (and it may well not) then your next move is to try to ensure your own pages rank more highly than the critical comments you are unhappy with:

  1. Review your web assets and web profile: Do you have all the large social media accounts you could have? Do you have your own YouTube channel and a  Google+, LinkedIn and Twitter profile and have you optimised them, for instance making sure you have “vanity URLs” which contain your name rather than a long number?  And are your web site pages sufficiently rapid and mobile friendly?
  2. Analyse why those unwanted links are ranking well: if it is because lots of sites are linking to those pages you may be able to ask the owners of the linking pages to take down the links, or to give you a link as well. Some people recommend aggressively targetting the sites that are ranking well using “reverse SEO” techniques such as buying lots of dodgy links to them from link farms in the hope that Google will penalise them. I wouldn’t recommend it: there are no guarantees and you may make things worse (besides this isn’t ethical behaviour especially if your critics have a point)
  3. Analyse the words that the unwanted sites are using about you. Say it is “customer service”: you need to put a positive spin on this by developing new positive content around the key phrase “customer service”: This could be a white paper; blog posts; comments in media sites relating to customer service; you could also develop social media pages that contain your name and the key phrase; and you might even want to buy some new URLs with the along the lines of JohnSmithCustomerService.com and develop appropriate content for them
  4. Freshen up your own web pages with new content so Google is likely to rank them more highly: the more popular the content, the higher they will rank. Start adding a new piece of content a couple of times a week at least. Get more active on sites like LinkedIn – changing your profile, posting updates and entering into discussions within Groups
  5. Develop content for social bookmarking sites like Digg, Delicious and Squidoo: It needs to be new content, not a duplicate of articles published elsewhere but that shouldn’t be difficult if you think “lists”: favourite restaurants, books, flowers, dogs, capital cities, flags…the opportunities are literally endless
  6. Upweight your PR activities: seek to get quoted in the press
  7. Upweight your SEO activities: focus on building more back links from high quality sites through social bookmarking, article submission, guest posts, and comments on other people’s blogs and articles
  8. Identify your friends (happy clients etc) and ask them to engage with all your social media profiles, following you and sharing your content with their followers. Start to write testimonials for suppliers and customers and make sure they include the words you identified in point 3
  9. Look for other ways to get mentioned on line: Register a company in your name. Join a service that will list you as an expert such as nonexecutivedirector.com, opentoexport.com or liveperson.com. If you can afford it, pay to be a speaker at a large conference as these often rank very well
  10. Self publish: take advantage of Amazon’s search profile buy publishing an ebook and an audio book on the site

None of this is free: but then having your name appear below pages that are critical of you isn’t exactly free either!

And sadly none of this is guaranteed to work every time. If you have been caught out doing something unsavoury, and if the public or the press create a social media crisis for you, then there is little you can do to reduce your exposure on search engines. But if you are just trying to down-weight some criticism or reduce the prominence of an unfavourable stories, then taking the steps I have outlined should help.

How to manage your reputation online (3 of 4)

Developing a strong online profile

You’ve registered social media accounts in your name. And you are listening to what people are saying about you online. But that’s not enough to protect your reputation. You also need to establish a strong profile so that positive links to content you control show up when people search for your name. It’s not that hard. But it does take some structured effort.

Your social media accounts

It isn’t sufficient to have a social media account with no content. A Twitter account with no tweets could damage your reputation (have you got nothing to say of interest?) and a LinkedIn page with no information certainly won’t help your employment prospects.

So the first thing to consider is how you are going to make you social media profiles credible. The basics are obvious: make sure you have a good profile picture (no Twitter “eggs” please!); and make sure you attend carefully to what your profiles say about you. If you don’t have the time or energy to fill out full profiles for all those social media accounts you have registered, choose one to complete carefully and then link the other profiles to it.

But you also need a regular stream of content. Now, if you are using social media for marketing you will want to think carefully about the content you write for each of your accounts. But we are doing this simply for reputation management so it doesn’t matter particularly if the content in various different accounts is the same. Rather than cutting and pasting your posts from Facebook to LinkedIn and Google+, you can use a service like BufferApp to schedule and distribute your posts to multiple social media accounts. That way you have have several active social media accounts without writing content separately for each one.

Your website

In the first post in this series, I suggested registering a URL in your name perhaps using the suffix .me if it is available. If you do this you might as well also build a small website containing your resume. (If you are not comfortable with this then head for CodeAcademy where you can learn how to programme a simple website: it is much easier than you might imagine.)

If you are comfortable with coding html, then it is important to remember that your website should be “mobile friendly” as Google will rank it higher if it is. Use a template to help you: there are plenty online but you could try Proweb Design’s Simple Responsive Template.

And if you are really competent with coding then you will implement “rich snippets” on your website using schema.org data. Find out more about rich snippets here. Using rich snippets will make your website more strongly on search results page, simply because more content will be shown.

If you have a  common name then it is unlikely that you will see it on the first page of Google (take a look at what comes up when you search for “John Smith” – it’s not ordinary people). If that is the case then perhaps there is less reason for reputation management purposes to create your own website – although it might be useful in other ways.

Wikipedia

If you are running a business it is reasonable to consider developing a page on Wikipedia. Remember though that Wikipedia is NOT the place for self-promotion. The site enforces a strict “Neutral Point of View” policy that means only facts based on valid sources can be published.

Unless you are running a reasonably sized business or are in some way a prominent person it is probably unnecessary to have a Wikipedia page. Indeed there are disadvantages to having one. As the site is strictly neutral anything bad about you that can be verified can be added to the page. So if you have been to prison recently you might not want to create a page… Wikipedia gives an excellent explanation of why it is not always a good thing to have a Wikipedia page.

Remember also that even if you write a page about yourself it may not be published. Wikipedia requires pages to be about content that has “significant coverage in reliable sources”. If you cannot provide links to this type of coverage then your page may be declined as “non-notable”.

Whether or not you have a Wikipedia page it is important to monitor it: if you are being mentioned on the site then you will want to check out whether the facts given are true. If they are, and they are damaging, then you won’t be able to do much about it, although you may be able to add some additional verifiable facts that are more favourable to you.

Blogs and discussions

It is pointless thinking about blogging unless you are prepared to put some energy into it. That means having a regular stream of content. You don’t have to post content every day. But it should be at least once a month for your blog to have any credibility. Use a site like Tumblr or WordPress to host your blog and you immediately benefit from the popularity of those sites.

Don’t confine yourself to your own blog as you build up your profile though. Identify some key blogs in your industry in or areas you are interested in and follow them, contributing your own comments to them as appropriate. How to find them? Well, back in the day, when the web was smaller, there were a number of blog directories. With so many blogs published, most existing directories tend to focus on particular areas. Google “Blog [area of interest]” and you will probably be lucky. Or go straight to a search engine that specialises in blogs like Icerocket.

As well as blogs, find other places you can leave comments or join discussions: popular media websites for instance, or community sites.

Other platforms

Think creatively about other platforms you could use. Look for popular websites that have a good reach as these will rank highly. Are there any societies or industry bodies you can join: if there are do they have a place where you can write a personal or business profile? For instance I belong to the Institute of Consulting which enables me to publish a profile about my services on a reasonably prominent website. And if you are running a business you might want to put a review of working for your company on a site like Glassdoor.

Google and Google+

One last thing to consider: Google. Make sure you make it as easy as possible for Google to find you and to rank your pages highly. This means having a Google+ presence with a good “headshot” photograph: this is helpful if you want to stand out in search results. Google used to use the photo in search results and while it no longer does this, your photo can still appear on the right of the screen as part of a mini profile that Google will create. You should also implement  Google “authorship” on your website and your blogs: it’s not the easiest thing in the world although perfectly achievable and there are several good guides on how to do it such as this from Searchengineland.

Next time…

So far we have talked about registering appropriate URLs and social media profiles, listening to what people say about you online, and establishing a strong profile. But what do you do if people start trying to damage your reputation? You will have to wait for my next post for that!

Social media and reputational risk

A good reputation is the lifeblood of any organisation. And managing reputation in a world where social media plays an increasing part is hard. After all, no organisation can stop consumers criticising them if they choose too. In the past it might not have mattered much if one or two unhappy consumers complained to their friends. But now, a bad review (whether fair or not) can spread around the globe in hours.

Social media risk is the risk that the use of social media by an organisation, or by third parties including the general public, causes loss or damage to that organisation. The risk can be divided into five basic types:

  • reputational risk
  • operational risk
  • compliance risk
  • legal risk
  • asset risk

Reputational risk is the most common form of social media risk, and certainly the most well known. This is in part because much reputational risk is a consequence of other risk factors. In other words, most social media risk factors can lead to reputational damage.

The risks can involve damage to an organisation’s reputation, or to the reputation of brands and products it owns and the services it provides.

These risks vary in importance but they can be found right across most organisations, in finance, operations, HR, marketing, sales and general management.

Social media reputational risks occur across an organisation

There can be a wide variety of causes including:

  • Unethical employee behaviour online or offline such as inappropriate tweets or the uncovering of unethical manufacturing practices by an organisation
  • Consumer reactions to poor quality products and services or inadequate after sales service, especially where these are amplified by the media
  • Impersonation of prominent people associated with the organisation who are then apparently heard saying inappropriate things; or the takeover and altering of corporate social media assets so that they are no longer “on-brand”
  • Inappropriate use of social media by employees such as bullying behaviour or simply the posting of unwise content
  • Poor marketing activity including allowing consumers to discover and respond to obsolete marketing campaigns
  • Unflattering comments by third parties on social media platforms (e.g. poor reviews, aspersions made against directors, negative analysis of financial performance)
  • Unwise comments by executives that are amplified by the media (the “Gerald Ratner syndrome”) with disastrous results

Many instances of reputational damage are not particularly important. There is often a lot of fluttering by social media commentators but if the damaging issue isn’t seen by mainstream consumers the main outcome can be red faces in the marketing department! In these cases it is important not to over react.

The real danger is that a particular issue – low quality, unethical practices, inappropriate public comments by senior executives – gets taken up by the mass media and “amplified”.

 Growth of a social media crisis

Organisations often place their social media risk management processes within PR or marketing. However, reputational damage is not just a concern for marketing departments. A damaged reputation can affect many things adversely, including:

  • Finance: The ability of an organisation to borrow at the best rate of interest; the ability to attract investment can also be damaged and this can result in damage to the share price
  • Operations: The image of the organisation as a “corporate good citizen”, which in turn may reduce influence with external stakeholders such as regulators or suppliers, ultimately resulting in less efficient operations
  • HR: The organisation’s “employer brand” which if damaged can result in difficulties recruiting the best talent
  • Sales: The sales a company makes; in addition the profitability of those sales can be reduced due to increased costs (less influence with suppliers) or by the inability to charge higher prices (less credibility with consumers)

Because the potential effect of reputational risk extends across organisations, it is sensible to monitor the risks outside PR and marketing departments. The ideal organisational structure will allow for social media risk management to be a separate and stand alone function which can work with the relevant business function to manage any difficulty.

As with other social media risks, the simple ALP management process should be applied:

  1. Audit: Identify potential risks using scenarios or knowledge of previous social media “fails
  2. Listen: Listen out for potential problems
  3. Prepare: Prepare for potential problems by:
    1. Developing an appropriate social media policy and training all employees in its meaning and use (this includes Board members)
    2. Agreeing management processes to handle likely risks including escalation processes and generic position statements
    3. Simulating problems and practising the response

As we said at the start of this post, reputational risk isn’t the only risk area to stem from social media. More on the other social media risk areas next week.

What to do if your social media accounts are hacked

If your Twitter feed is hacked, it isn’t likely to knock $160 billion off the Dow Jones. But it could still be very damaging to sales, recruitment or share price.

What will a hack look like?

You will know you have been hacked if unauthorised posts are sent out from your social media account. These might be for “spam” products like diet pills or Viagra. Or they might be designed to damage your reputation perhaps by endorsing competitors or vilifying your own products and brands. Or they might simply be mischievous. Alternatively a hack might involve a change in your social media profile: perhaps a new profile picture or a change to your description, again often with the aim damaging your business. Even if you have taken reasonable measures to stop your accounts from being hacked, they can still happen. So it is a good idea to have a plan in place, just in case. After all, if you are hacked then you will need to respond as rapidly as possible. So here is a simple 5-step plan for damage limitation after a social media hack.

Step 1. Regain control by resetting passwords

The first thing to do (or at least attempt) is to regain control of any hacked accounts. You will do that by changing the password on the account (ideally to something not quite so easy to hack!) If you can’t get access to the account, because the hackers have changed the password, then try resetting your password using the forgotten password link on the site. You should then get a message, sent to the email registered as belonging to the account’s administrator, which will allow you to reset the password. At the same time you should also change the password of the account administrator’s email address. This may have been hacked too and if it has then it will be all too easy for the hackers to gain control again.

If you can’t regain control

If the hackers have locked you out of your account and you can’t get back in, then you will need to contact the social platform directly. This may take a little time as there will be forms to fill in and proof to provide so it is important to start this process as soon as possible. All the big social media sites provide an easy way into this process:

  • Facebook: http://www.facebook.com/hacked
  • YouTube: support.google.com/youtube/answer/175276?hl=en (link to AutoRecovery at bottom of page)
  • LinkedIn: help.linkedin.com/app/answers/detail/a_id/1501/ft/eng (link to Contact Us at bottom of page)
  • Twitter: support.twitter.com/articles/185703-my-account-has-been-hacked (link to Contact Support at bottom of page)
  • Google+: support.google.com/mail/answer/50270?hl=en

Lock down content publishing if you can

If you can, it’s a good idea to lock down any publishing activity while you check the security of all your social media accounts. Some software providers such as Nexgate’s ProfileLock will do this automatically should they detect an unauthorised change to your profiles.

Step 2. Protect your other platforms

The next thing you need to do is to check all your other social media platforms and ensure they have not been hacked as well. If they are safe check that they have a secure password and that this is different from the passwords on your other social media sites.

Step 3. Get back to normal

Once you have control back you will want to get your social media accounts back to the state they were in before the hacking incident.

Delete unwanted content

You will need to delete any unwanted content such as tweets that have been sent out without your authorisation. This doesn’t guarantee the content will disappear completely and for ever. Other people may have seen it and saved it or shared it with other people. But you can at least limit the possibility of other people seeing being exposed to messages you don’t want them to see.

Check account settings

Back in control, you will also want to make sure there aren’t any nasty surprises waiting for you. Have any automated responses been tampered with? Does your profile or email signature contain new and unwanted links? Have any Twitter lists been tampered with? Do you have new some “friends” you weren’t expecting to see?

Step 4. Let people know

There is no point in hiding the fact that you have been hacked. If it is embarrassing they are bound to find out. It is far better to tell people what has happened and apologise for it.

Tell your audience

Post messages, e.g. tweets, to anyone following you apologising for any inconvenience or offence caused. It may be appropriate to pay to promote these messages if that option is available on the platform you are using. If you don’t it is highly likely that many people who follow your social media accounts won’t see your explanation. It may also be sensible to put a message upon your website and any other “static” content such as blogs and even social media profiles. Some companies have ready-made web pages that are pre-approved and can be published quickly in the event of an emergency. It is likely that you will want this page to be a template of some sort so that the precise content can be adapted to suit the nature of the crisis.

Tell your employees

Make sure you have a clear communication plan that is directed towards your employees. They may need reassurance that the damage won’t affect them; they will certainly need to know what to do and say if they are asked about the crisis by friends or peers.

Tell the media

It is also sensible to tell the media, who are likely to pick up on a crisis anyway. Of course if the breach is trivial then there may not be any reason to do this but if the breach is potentially damaging then you will want to make sure any relevant media have your version of events as soon as possible.

5. Review your security

Once things have settled down you will want to review your security to reduce the risk of anything similar happening again. You will of course cover off the basics: make sure that passwords are robust and that you have managed and limited access to your social media accounts. But there are a few other things you need to do as well.

Review any apps that have access

Review any applications that have access to your social media accounts and remove any that you don’t recognize. Apps may include measurement tools, media owner sites, or tools that link different social media platforms. For instance if you want to see the apps that have access to your Twitter profile you can find them at twitter.com/settings/applications. If in doubt it may be safest to delete all applications and then start adding apps to your account from scratch.

Check for viruses

Run a virus scan on any devices that have been used to access your social media accounts to ensure you haven’t picked up a virus or other malware. Don’t forget to check any mobile devices that may be used and if home computers are ever used to access your social media accounts then ask the relevant people to check these too.

Enable 2-factor authentication

Many social networks now offer “2-factor authentication”. This is a security system which requires a number sent to a device like a mobile phone as well as your password to get access. Generally this makes it very difficult for a hacker to break into your account. So if this hasn’t been set up on your social media accounts you should do so right away, unless you are using software such as Single Sign On software that makes this unnecessary.

Review your training

Most hacking events are the result of human error – clicking on a phishing URL or using weak passwords for instance. In order to guard against future risk, review the knowledge of anyone who has the ability to log on to your social media accounts, whether or not they ever do so. Do they understand the need for strong passwords, are they aware of the risks caused by cookies, do they always check which site they are going to when clicking on shortened URLs, are they aware of how they might get fooled in a phishing attach? If your staff are knowledgeable about these issues then the chance of a social media hack will be very much reduced. Any other tips? Please do let us know.