Business processes and cyber risk

Cyber risk doesn’t just involve malicious techies hacking into corporate accounts. It can also involve risk to every day business processes: “process cyber risk”. Unfortunately, because the IT Department are kept busy defending the corporate network from the hackers, these process risks are often left to themselves.

What do I mean by process cyber risk? Quite simply, a risk of loss or damage to an organisation caused by a weak business process combined with the use of computer technology. These weak processes are often found within finance departments, but you will also find them in HR, in marketing and across organisations.

Process risk and identity

Many business processes rely on a particular document being signed off by an authorised individual. As many processes migrate online, the assumption is that the sign-off process can also be undertaken online. Sign on as an individual and perhaps you have authorisation to access a particular document or process.

As most people have to log in to company systems with a password and a name, then this shouldn’t be a problem. Except that passwords get shared. Busy people often share log-in details with juniors, allowing unauthorised people to access systems and documents that they are not authorised to access.

Any authorisation process that simply relies on someone logging in with name and password is weak because it is easily subverted. Issuing “dongles” as a second factor authentication device isn’t much better as these can get shared (unless they are integral to a company identity card). Robust processes where sensitive data or decisions are concerned should assume that a password has been shared (or stolen) and require additional security such as a second pair of eyes.

Process risks and finance departments

One big risk for finance departments is invoice fraud. This can happen in several ways. A common way is for thieves to gather information about a company, perhaps the news that it is investing in new technology. They will then use this information plus other easily obtainable assets such as company logos and the names of senior people in an organisation to put together a scam.

This might involve an email “from” a director of the organisation to a mid ranking person in the finance department asking for an invoice to be paid promptly; the invoice, which is of course a fake, is attached to the email.

In other cases the invoice is genuine. For instance thieves may pose as a supplier and ask for details of any unpaid invoices. They then resubmit a genuine invoice – but with the bank payment details changed.

All too often the unwitting finance executive passes the invoice for payment. Once the money has reached the thief’s bank account it is quickly transferred to another account making it unrecoverable.

This type of fraud is big business. Earlier this year Ubiquiti Networks disclosed that thieves stole $46.7 million in this way. While in the UK, the police’s Action Fraud service received reports of around 750 in the first half of 2015. And of course many similar frauds go unreported – or undetected.

What can you do to protect against this? Well start by educating staff about the nature of the threat – all staff not just in the finance department. Ensure that the details of all invoices are scrutinised carefully: Is the logo up-to-date? Is the email address correct (perhaps it is a .org instead of a .com)? Are the bank payment details the same as usual (if they have changed then telephone someone you know at the supplier to ask for confirmation)? And take extra care with larger invoices, for instance requiring them to be check by two separate people.

There are other cyber risks within finance processes – and often these are internal risks, initiated by employees. Examples include purchase fraud when personal items are bought using company money or when required items are bought at inflated prices, with the purchaser then getting a kick back at a later date. Again fake emails can be used to support these purchases. And again simple processes can disarm the threat.

Process risks within HR

Within HR there are numerous process risks. Let’s start with recruitment. The risks here can involve social media profiles designed to misinform, perhaps with fake endorsements or untrue job details. Looking at a LinkedIn profile is an easy way to identify potential candidates – but it is important to realise that the profile you see may well be substantially embroidered.

Another short cut, especially when looking for “knowledge leaders”, is to see what sort of “rating” candidates have on sites like Klout.com. Superficially this is fine. However, it is essential to be aware of how people are rated by the site (for instance what data is used) before making a judgement using this type of data as you may well be given an untrue perspective.

Another risk of using social media to identify candidates is that you open yourself to accusations of discrimination. An attractive cv may not have information on social media about age, ethnicity or sexual preference. Social media will. You really don’t want to know this sort of information but once you know something you can’t “unknown it”: and this can open you up to accusations of bias. It isn’t unknown for companies to commission an edited summary of a candidate’s social media profiles with anything that could lead to accusations of discrimination taken out in order to de-risk the profile before it is given to the recruiter.

In fact HR is full of cyber risk, especially where social media is concerned. There may be problems with the posts employees make on social media. There may be issues around bullying or discrimination at work. And maintaining a positive “employer brand” can be very difficult if an ex-employee starts to deride their old employer on line in sites such as Glassdoor.

Process risk and marketing

Process risk is also very at home in marketing. Again social media is one of the culprits. Not everyone, even in marketing, is a social media addict. Senior marketers frequently hand over their brands’ social media profiles to junior marketers, or even interns, because “they have a Facebook page”.

It’s a mistake. Not only is it likely that the output will be poor, the junior marketer may well (they frequently do) break advertising regulations (for instance by glamorising alcohol, or even fair trading laws (e.g. by including “spontaneous” endorsements from paid celebrities).

This shouldn’t be difficult: there is no reason that the processes that govern advertising in general can’t be applied to social media.

Procurement and cyber risk

Finally there is procurement – and the process of ensuring that third party suppliers don’t represent a cyber risk. This is a huge area of risk and one that is not always well appreciated.

The issue is not just that the third party may be insecure (for instance the massive hack to US retailer Target came about via an insecure supplier) and it is hard to know whether they are secure or not. It is also that people working for a supplier who have been given access may then leave the supplier without you being told: and as a result they retain access to your information, perhaps after they have joined a competitor. In additions suppliers may well have their own reasons for being a risk – they are in dispute with you, they are in financial difficulty, they have been taken over by a competitor…

Business processes frequently have the potential to be undermined by online technologies. It takes imagination to identify where the threats lie. However once they have been identified, actions to reduce the effect of the threat are often very simple.

Advertisements

The Tory minister, the fake Sophie Wittams profile, & data security

The hilarious-if-it-wasn’t-so-tragic incident of Tory minister Brooks Newmark sending dodgy pictures to a male journalist pretending to be a female party worker raises an interesting data security issue for business.

It would be very easy to build a credible Twitter profile of an important person (say a prospective client), using a photograph of them taken from the web and buying a large number of followers to make the profile look genuine.

This profile could then be used in two ways:

  • to publish misleading information
  • to gain the trust of other people who are happy to communicate via Twitter with the prominent person

In the latter case, the person behind the fake Twitter profile might reference a particular person (the “victim”) in a number of tweets in the hope that the victim would follow the fake profile. Once that connection is established, the fake profile can communicate privately via Direct Message with the victim soliciting information (rather than dodgy pictures). Alternatively the fake profile can simply address public tweets to you by putting your Twitter name at the start of their posts.

Similar scams could take place on LinkedIn and Facebook although in both of those cases it might be more difficult to build up credible profile with lots of connections/friends as connecting on these platforms is a “mutual” action that both parties need to agree to, whereas on Twitter you can follow people without their permission and buy “followers” for a few dollars thus easily building a credible profile.

How can businesses (and politicians) guard themselves against false Twitter profiles? If someone you think you may know engages you in conversation on Twitter about a strategically important issue:

  1. First, check out the number of connections the profile has. If there are only a few then you should check out whether they follow lots of people and whether they are active on Twitter. A profile with only a few connections should be checked out. Call them up and ask if they are messaging you on Twitter. (The fake “Sophie Wittams” profile that brought Brooks Newmark down had 52 followers and had tweeted 172 times, so the journalist responsible had taken care to build a credible profile over a period of time.)
  2. Second, check out the authenticity of the followers the profile has. You can use a service like twitteraudit.com to see how many fake followers a particular account has. Too many (more than 50%) and you should be suspicious.
  3. Third, check out their profile. Does it look genuine: for instance does it contain a recent photograph and perhaps contact details or other personal information? If not, then you are right to be wary.
  4. Fourth check out whether there are any similar profiles on Twitter. Search for their name, and variants of their name, to see if there are other accounts that seem to belong to the same person. If there are several similar accounts all seeming to belong to the same person, you will need to discover which is the genuine profile.
  5. Fifth, check out whether the person with the name on the profile has connected with you before on Twitter, but under a different profile; if they have then something may be up.
  6. Sixth, if you are suspicious use the profile image to search Google. It may indicate that the photo belongs to someone else (but if it doesn’t, don’t take this as proof that the photo is genuine)
  7. Seventh, if it seems too good to be true for any reason, then it almost certainly is! (Politicians take note.)

LinkedIn is slightly more difficult to check out as it isn’t possible to detect fake connections (and depending on the account settings it may be impossible to see them at all). However, it is still possible to check out the number of connections, the extent of the biography and the level of activity. If a profile looks incomplete, unused, and with few connections then you might want to treat it as suspicious. In addition, check whether the profile seems to have connected with you before: if they have then the chances are that one of those profiles is a fake.

Facebook? Well my advice here is to avoid business conversations on Facebook. Connect only with people who are genuine friends, not business acquaintances. And never discuss business on a Facebook page or via any form of Facebook messaging.

Back in 1993 the New Yorker magazine published a cartoon with the caption “On the Internet, no one knows you are a dog”. This is still very true, especially in social media. And it is something that anyone with an interest in data security needs to remember.

The FCA and social media

OK, this isn’t the most exciting post. But it is important. The Financial Conduct Authority (FCA) has finally published its draft guidelines on the use of social media by financial services organisations.

There is some very sensible advice in the FCA guidelines. For instance they recommend identifying a tweet as a promotion by including the hashtag #ad.

However there are a number of illogicalities and omissions.

Take tweets. The FCA advise that promotional tweets for financial services need to contain a lengthy risk statement along the lines of, in the example they give, “Your capital is @risk & losses can exceed your deposits.” That’s 56 characters – getting on for half the characters available, and more than half once you have included a link to your products.

But why have a risk statement at all? Consumers don’t expect full information in a tweet. They expect to find more information behind any links. A more sensible rule would to be  to require the risk statement to appear on the landing page beneath the tweet. Alternatively perhaps a shorter statement leading to a risk statement along the lines of “Risks: [link]” should be allowed.

Perhaps they should think of a promotional tweet as being like the header of an email – something designed to persuade you to look for further information. Just as email headers don’t contain risk statements, why should tweets? Including one seems to offer no extra protection to consumers.

The FCA also mandates risk statements on banner ads. They give an example of an ad with three frames, the last of which contains a risk statement. But is this sensible advice? Consumers can’t be guaranteed to watch an animated banner until its completion. So what is the purpose of a risk statement in the final frame? Either the risk statement should be visible all the time – or it should be available on the landing page that links from the banner.

Another problem with the guidelines is the absence of any recognition that social media content can be either static or interactive. The FCA guidance states that social media content needs to be pre-authorised. While this is clearly possible for banners ads, blog posts and even promotional tweets, it is simply not practical for interactive content that takes place within an exchange of tweets for instance. Clearer guidance is needed here – US regulators such as Finra accept that “unscripted” interactions need a different kind of management.

Another weakness is the use of the word “significant” when describing content that needs archiving. This leaves a lot up to the financial services provider. What is “significant”? Surely sensible guidance would insist on all content available to consumers being archived, not a hard thing to achieve with a digital medium. 

My final major worry is that the FCA seem to think that awareness is not part of a promotional journey. Thus a tweet saying “To see our current mortgage offers, go to…” is not a promotion but a tweet saying “To see our great mortgage offers, go to…” is a promotion. Presumably the FCA are saying that “current” is not a word that promotes value? If it isn’t, then will the FCA provide a list of other words that are safe to use? It might be more logical to say that the inclusion of any adjective turns something from an invitation to look at information into a promotion. However, even without an adjective, an informational tweet that generates awareness is a promotion (remember AIDA?)

The FCA is asking for comments on these guidelines and will accept them until 6 November 2014. If you work in financial services marketing you will need to make your feelings known.

 

How to manage your reputation online (4 of 4)

Responding to critical posts

People are posting very unpleasant things about you in social media. What can you do about it?

You have prepared well. You have registered all the necessary social media accounts. You have built up a strong online profile. And now your efficient social listening process has uncovered some unpleasantly critical comments.

But those unpleasant comments are showing up right at the top of Google’s  results when you search for your name. You need to take action.

Now, if the comments are untrue (as opposed to opinion) then you may have some legal redress: although that is expensive and sometimes self defeating if it casts you, or your organisation, in the role of a bully.

So if you don’t want to go down the legal route, or if the critical   comments are true (I am sure they are not!) what else can you do?

The first thing to accept is that you probably won’t be able to get rid of the comments completely. What’s on the web remains on the web. Even if you can somehow get the original source taken down, the chance is that the comments have been repeated somewhere.

Your strategy is to make the comments less prominent. And this means making sure they don’t feature in the first 4 or 5 search results and ideally taking them off the first page of Google’s search results: results here get 94% of clicks with only 6% on the second page and almost nothing on the third page.

Engage

So how are you going to do that? The first step, if the criticisms are justified, is to engage with your critics. Disarm the criticism by apologising for whatever you have done wrong and explain what you are planning to do about it; remember to take any discussion with critics offline if you possibly can. The intention here is to limit the damage so that further criticisms are not posted.

Try to take the links down

The next step is to try to get rid of the information or the links to it.

  • Ask for the page to be taken down by approaching the webmaster and explaining why the comments are unfair (OK this probably isn’t going to work unless the comments are libellous, but it is worth a try)
  • Ask Google to take the links down. As a rule they won’t unless the links lead to a page with highly sensitive personal information such as a signature, credit card number or a social security number. However, for European websites they are now bound to go further and take down links to content that is “irrelevant, outdated or otherwise inappropriate”. At the moment it is Google’s call whether to take the links down; there is no guarantee that they will and in any case as things stand at the moment the links will still be there on non-European versions of Google

Make sure your own pages rank higher

If that doesn’t work (and it may well not) then your next move is to try to ensure your own pages rank more highly than the critical comments you are unhappy with:

  1. Review your web assets and web profile: Do you have all the large social media accounts you could have? Do you have your own YouTube channel and a  Google+, LinkedIn and Twitter profile and have you optimised them, for instance making sure you have “vanity URLs” which contain your name rather than a long number?  And are your web site pages sufficiently rapid and mobile friendly?
  2. Analyse why those unwanted links are ranking well: if it is because lots of sites are linking to those pages you may be able to ask the owners of the linking pages to take down the links, or to give you a link as well. Some people recommend aggressively targetting the sites that are ranking well using “reverse SEO” techniques such as buying lots of dodgy links to them from link farms in the hope that Google will penalise them. I wouldn’t recommend it: there are no guarantees and you may make things worse (besides this isn’t ethical behaviour especially if your critics have a point)
  3. Analyse the words that the unwanted sites are using about you. Say it is “customer service”: you need to put a positive spin on this by developing new positive content around the key phrase “customer service”: This could be a white paper; blog posts; comments in media sites relating to customer service; you could also develop social media pages that contain your name and the key phrase; and you might even want to buy some new URLs with the along the lines of JohnSmithCustomerService.com and develop appropriate content for them
  4. Freshen up your own web pages with new content so Google is likely to rank them more highly: the more popular the content, the higher they will rank. Start adding a new piece of content a couple of times a week at least. Get more active on sites like LinkedIn – changing your profile, posting updates and entering into discussions within Groups
  5. Develop content for social bookmarking sites like Digg, Delicious and Squidoo: It needs to be new content, not a duplicate of articles published elsewhere but that shouldn’t be difficult if you think “lists”: favourite restaurants, books, flowers, dogs, capital cities, flags…the opportunities are literally endless
  6. Upweight your PR activities: seek to get quoted in the press
  7. Upweight your SEO activities: focus on building more back links from high quality sites through social bookmarking, article submission, guest posts, and comments on other people’s blogs and articles
  8. Identify your friends (happy clients etc) and ask them to engage with all your social media profiles, following you and sharing your content with their followers. Start to write testimonials for suppliers and customers and make sure they include the words you identified in point 3
  9. Look for other ways to get mentioned on line: Register a company in your name. Join a service that will list you as an expert such as nonexecutivedirector.com, opentoexport.com or liveperson.com. If you can afford it, pay to be a speaker at a large conference as these often rank very well
  10. Self publish: take advantage of Amazon’s search profile buy publishing an ebook and an audio book on the site

None of this is free: but then having your name appear below pages that are critical of you isn’t exactly free either!

And sadly none of this is guaranteed to work every time. If you have been caught out doing something unsavoury, and if the public or the press create a social media crisis for you, then there is little you can do to reduce your exposure on search engines. But if you are just trying to down-weight some criticism or reduce the prominence of an unfavourable stories, then taking the steps I have outlined should help.

How to manage your reputation online (3 of 4)

Developing a strong online profile

You’ve registered social media accounts in your name. And you are listening to what people are saying about you online. But that’s not enough to protect your reputation. You also need to establish a strong profile so that positive links to content you control show up when people search for your name. It’s not that hard. But it does take some structured effort.

Your social media accounts

It isn’t sufficient to have a social media account with no content. A Twitter account with no tweets could damage your reputation (have you got nothing to say of interest?) and a LinkedIn page with no information certainly won’t help your employment prospects.

So the first thing to consider is how you are going to make you social media profiles credible. The basics are obvious: make sure you have a good profile picture (no Twitter “eggs” please!); and make sure you attend carefully to what your profiles say about you. If you don’t have the time or energy to fill out full profiles for all those social media accounts you have registered, choose one to complete carefully and then link the other profiles to it.

But you also need a regular stream of content. Now, if you are using social media for marketing you will want to think carefully about the content you write for each of your accounts. But we are doing this simply for reputation management so it doesn’t matter particularly if the content in various different accounts is the same. Rather than cutting and pasting your posts from Facebook to LinkedIn and Google+, you can use a service like BufferApp to schedule and distribute your posts to multiple social media accounts. That way you have have several active social media accounts without writing content separately for each one.

Your website

In the first post in this series, I suggested registering a URL in your name perhaps using the suffix .me if it is available. If you do this you might as well also build a small website containing your resume. (If you are not comfortable with this then head for CodeAcademy where you can learn how to programme a simple website: it is much easier than you might imagine.)

If you are comfortable with coding html, then it is important to remember that your website should be “mobile friendly” as Google will rank it higher if it is. Use a template to help you: there are plenty online but you could try Proweb Design’s Simple Responsive Template.

And if you are really competent with coding then you will implement “rich snippets” on your website using schema.org data. Find out more about rich snippets here. Using rich snippets will make your website more strongly on search results page, simply because more content will be shown.

If you have a  common name then it is unlikely that you will see it on the first page of Google (take a look at what comes up when you search for “John Smith” – it’s not ordinary people). If that is the case then perhaps there is less reason for reputation management purposes to create your own website – although it might be useful in other ways.

Wikipedia

If you are running a business it is reasonable to consider developing a page on Wikipedia. Remember though that Wikipedia is NOT the place for self-promotion. The site enforces a strict “Neutral Point of View” policy that means only facts based on valid sources can be published.

Unless you are running a reasonably sized business or are in some way a prominent person it is probably unnecessary to have a Wikipedia page. Indeed there are disadvantages to having one. As the site is strictly neutral anything bad about you that can be verified can be added to the page. So if you have been to prison recently you might not want to create a page… Wikipedia gives an excellent explanation of why it is not always a good thing to have a Wikipedia page.

Remember also that even if you write a page about yourself it may not be published. Wikipedia requires pages to be about content that has “significant coverage in reliable sources”. If you cannot provide links to this type of coverage then your page may be declined as “non-notable”.

Whether or not you have a Wikipedia page it is important to monitor it: if you are being mentioned on the site then you will want to check out whether the facts given are true. If they are, and they are damaging, then you won’t be able to do much about it, although you may be able to add some additional verifiable facts that are more favourable to you.

Blogs and discussions

It is pointless thinking about blogging unless you are prepared to put some energy into it. That means having a regular stream of content. You don’t have to post content every day. But it should be at least once a month for your blog to have any credibility. Use a site like Tumblr or WordPress to host your blog and you immediately benefit from the popularity of those sites.

Don’t confine yourself to your own blog as you build up your profile though. Identify some key blogs in your industry in or areas you are interested in and follow them, contributing your own comments to them as appropriate. How to find them? Well, back in the day, when the web was smaller, there were a number of blog directories. With so many blogs published, most existing directories tend to focus on particular areas. Google “Blog [area of interest]” and you will probably be lucky. Or go straight to a search engine that specialises in blogs like Icerocket.

As well as blogs, find other places you can leave comments or join discussions: popular media websites for instance, or community sites.

Other platforms

Think creatively about other platforms you could use. Look for popular websites that have a good reach as these will rank highly. Are there any societies or industry bodies you can join: if there are do they have a place where you can write a personal or business profile? For instance I belong to the Institute of Consulting which enables me to publish a profile about my services on a reasonably prominent website. And if you are running a business you might want to put a review of working for your company on a site like Glassdoor.

Google and Google+

One last thing to consider: Google. Make sure you make it as easy as possible for Google to find you and to rank your pages highly. This means having a Google+ presence with a good “headshot” photograph: this is helpful if you want to stand out in search results. Google used to use the photo in search results and while it no longer does this, your photo can still appear on the right of the screen as part of a mini profile that Google will create. You should also implement  Google “authorship” on your website and your blogs: it’s not the easiest thing in the world although perfectly achievable and there are several good guides on how to do it such as this from Searchengineland.

Next time…

So far we have talked about registering appropriate URLs and social media profiles, listening to what people say about you online, and establishing a strong profile. But what do you do if people start trying to damage your reputation? You will have to wait for my next post for that!

12 ways to protect your organisation against spear phishing

Online scammers are getting smarter. And one area of increasing threat is spear phishing.

You probably know what phishing is: an email, often badly written, trying to persuade you to divulge confidential information such as bank log in details, or asking you to click through to a site that will prove to be decidedly dodgy.

With spear phishing the scammers have taken things up a notch. For a start the emails tend to be well written. But they are also personalised. Highly personalised. What’s happening is that the scammers are targeting individuals, perhaps wealthy people or people who have access to things they want such as customer lists or corporate information. Once they have identified you as a target, they trawl your social profile, getting information form sites like Facebook and Twitter to identify things about you. They might even pay to get extra information from e.g. from genealogy sites. They then use this information to write an email that seems credible and relevant. For instance:

Dear Angie. Welcome to Acme Inc. It’s good to know you joined last week. Doris in HR tells me you like skiing. Well you might like to know that we have an Acme ski club and we are planning a little trip to the Alps next weekend. New joiners like yourself will get a big 40% discount so click through to find out more about the trip.

You click of course and – nothing seems to happen. But in fact your PC has been compromised with malicious software. What can you do about this. Well there are several techie things that your IT manager can put in place: setting the company’s firewall to block any emails that contain executable files, or running intelligent phishing detection software. But that won’t solve all your problems. There are a number of other things you need to put in place. And these mainly revolve around educating your staff:

  1. Tell people to be watchful. Describe what spear fishing emails can look like and what they do. And explain to them what they should do if they are suspicious. For instance if an email is asking for sensitive information they should check with a colleague. And if an offer is too good to be true, then it probably is!
  2. Ask people only to use their company email for business purposes; if they haven’t got a personal email help them to get a free one from Google or Yahoo. This will limit the potential ways users’ email addresses can get out onto the Internet.
  3. Teach people not to open email attachments from sources that they’re not familiar with. Similarly, warn people to take care when downloading software and apps to mobile devices; if they are not familiar with the source they should check it out and if they are familiar with it should should go directly to the source by typing in the url rather than clicking on a link.
  4. Teach people not to click on links in emails, especially shortened one. They should type in the URL directly. (Cutting and pasting the URL may not be a good idea because they may not have noticed a tiny change to the URL that means it isn’t going where they think it is). Similarly clicking on links in social media can be very dangerous: these links (often in surveys or special offers)  account for over half of malware attacks.
  5. Accept that people are lazy and they are unlikely to type in email addresses so tell them that at the very least they should check where the link is leading by looking at the address which comes up at the bottom of their screen when they put their cursor over the link.
  6. Include in your social media policy advice or instructions on what corporate information not to divulge on social media (e.g. on LinkedIn). The more information you share the easier you are making it for scammers. Depending on your business and the employee’s role you may want to restrict information such as the names of people they report to, direct telephone lines and email addresses. Directors and IT personnel should be particularly careful about this.
  7. Tell people that if a “friend” emails and asks for a password or other information, they should contact that friend they really are who they say they are. They shouldn’t do this by replying to the email obviously!
  8. Reiterate that it is never appropriate to share passwords and PINs with anyone online or on the telephone.
  9. Explain to people that just because a link starts with HTPPS that doesn’t mean it is safe.
  10. Give people a taste of spear fishing. Send your colleagues a targeted spear-phishing email using an outside email address. Ideally dig up some information on their social media sites (Facebook, Twitter, LinkedIn, etc.) and use this to make the email seem credible. If this is impractical, for instance if you work for a large company, one thing you might do is  find out which bank people’s pay is sent to (you won’t need their branch and account number and I’d hope HR wouldn’t give you that anyway). Send them a fake phishing message seemingly from that bank.  When they click on the link tell them that they have been phished and give them some tips about avoiding  this in future.
  11. You need people to report attempted attacks. Reward people for reporting suspicious emails and, if they do appear to be malicious, make sure everyone in your organisation knows to look out for them.
  12. You need people to report any instances when they think they have been scammed. After all you will need to check their PC and your corporate network. So make sure you have a “no blame” culture about spear fishing; and never discipline people if they fall foul of an attack.

The bad news is you are unlikely to be able to prevent 100% of spear fishing attacks as they are so difficult to detect. The good news is that you can prevent a lot of them by giving people the right information. Any other tips? Let me know and I will gladly share them.

Could you manage an international social media campaign?

Could you manage an international social media campaign?

Social media campaigns are hard enough at the best of times. Soggy metrics, a lack of control, unexpected reactions…So adding an international dimension can make them even harder.

But if you are faced with managing an international campaign, what are the areas you need to consider?

I have been involved with a good number of international clients over the years and they are never easy to manage. Some of the learnings from international advertising campaigns are easy to apply to social media though.

Global vs local

The problem with international campaigns is knowing how “global” or “local” campaigns should be – to what extent they should be the same around the world and to what extend they should be designed for individual markets. And the answer to this is likely to vary across markets.

In some territories local activity will predominate. While in other territories it may be appropriate to use global assets that are produced by head office. The balance will depend on a number of factors.

Language

The simplest thing to address is language. If a client is headquartered in an English speaking country then running campaigns in English may be a logical solution for other English speaking countries and even in countries (such as Sweden, the Netherlands and India) where large parts of the population speak English.

However, while this is an easy solution, it may not be the best. Cultural differences may mean that campaign messages in one country may not be well received in another. Early UK advertisements for Coca Cola’s Dasani water used the message “Can’t live without spunk”. True possibly, but not something calculated to attract the average UK consumer. Research into whether localisation is needed is essential. And this is true whether or not messaging is being translated from one language to another.

Consumer perceptions

Another very obvious thing to address is the consumer. It is quite possible that the brand you are working with is perceived very differently in certain markets.

The oddest example of this I have come across was a UK cough sweet that was associated in Germany with, er, physical love! Fashion and retail brands often show differences around the world: for instance Levi Jeans have less fashion cachet in the USA than they do in Europe. Fast food too: Millward Brown show how Burger King is a weak brand in Belgium (compared with MacDonalds) but a strong brand in Mexico.

But getting the right message across to consumers isn’t necessarily the hardest part of managing an international social media campaign. There are many other issues.

Local platforms

A “one size fits all” approach to which social media platforms to use is unlikely to work. For instance Twitter penetration in Spain is around three time that of France but only half that of Saudi Arabia. Some markets, notably China and Japan, are very different from Western Europe and North America.

Local strategy implementation will need to take account of the strengths of different social media platforms. For instance if the strategy is to disseminate lots of photographs, then using Instagram to supplement picture posts on Facebook may be wasted effort in markets like Canada and France but worthwhile in Germany and Indonesia.

Local resources

If you are working with local operations in international markets then you will almost always find that resources in individual countries will vary widely, as will skill levels. One market may have a team of half a dozen experienced social media marketers, while in another the intern looks after social media in between doing the filing.

This means that you may need to moderate the amount of global assets you share with some local markets, or at least give territories with less resource the option to pick and choose between which global assets they decide to use.

 Local perceptions of social media

In most countries around the world consumers use a lot of social media. But that doesn’t mean that local marketers take social media seriously. There may be a big education job to be done helping local marketing managers understand why, and how, to use social media.

Where you are dealing with a local market that is sceptical about social media, it will be important to avoid a situation where social media is managed by a junior who may post inappropriately, without any (informed) supervision; social media is global and you won’t always be able to stop people in one country reading damaging posts in another country.

Local independence

Some local marketing operations will be more independent and harder to influence than others. Managers in a large territory such as the USA may well feel that they don’t need (or want) central control.

This may be especially true if the territory concerned has a heritage in effective social media marketing (which you could argue is the case in many English and Spanish speaking markets).

Dealing with resentment aimed at “interference from the centre” is always difficult. Providing reasons to use global strategies and assets (such as cost saving) is likely to be more effective than simply mandating the approach they must take.

Building consensus through joint development of assets and best practice will also help. And with social media, this shouldn’t be too difficult given that accepted knowledge of how best to use social media is still building.

Local laws

And finally do remember that laws vary across the world. For instance a competition that is legal in one country may be illegal in another. And similarly some countries have very stringent rules about endorsements.

Ensuring that local market operations are aware of the rules of what they can and cannot do on social media is important if you don’t want the humiliation of having your campaigns being deemed illegal or noncompliant by local regulators.

All in all

Setting up and managing an international social media campaign isn’t easy. As well as understanding how consumers differ across markets there are many practical issues around the nature and relative strengths of local marketing partners.

The safest way forward is to develop a global strategy with input from local markets and then allow local markets to tweak the global strategy, localise global assets and, if appropriate, add their own local content. Developing appropriate best practice guidelines to help less experienced local partners will also be important.