The Tory minister, the fake Sophie Wittams profile, & data security

The hilarious-if-it-wasn’t-so-tragic incident of Tory minister Brooks Newmark sending dodgy pictures to a male journalist pretending to be a female party worker raises an interesting data security issue for business.

It would be very easy to build a credible Twitter profile of an important person (say a prospective client), using a photograph of them taken from the web and buying a large number of followers to make the profile look genuine.

This profile could then be used in two ways:

  • to publish misleading information
  • to gain the trust of other people who are happy to communicate via Twitter with the prominent person

In the latter case, the person behind the fake Twitter profile might reference a particular person (the “victim”) in a number of tweets in the hope that the victim would follow the fake profile. Once that connection is established, the fake profile can communicate privately via Direct Message with the victim soliciting information (rather than dodgy pictures). Alternatively the fake profile can simply address public tweets to you by putting your Twitter name at the start of their posts.

Similar scams could take place on LinkedIn and Facebook although in both of those cases it might be more difficult to build up credible profile with lots of connections/friends as connecting on these platforms is a “mutual” action that both parties need to agree to, whereas on Twitter you can follow people without their permission and buy “followers” for a few dollars thus easily building a credible profile.

How can businesses (and politicians) guard themselves against false Twitter profiles? If someone you think you may know engages you in conversation on Twitter about a strategically important issue:

  1. First, check out the number of connections the profile has. If there are only a few then you should check out whether they follow lots of people and whether they are active on Twitter. A profile with only a few connections should be checked out. Call them up and ask if they are messaging you on Twitter. (The fake “Sophie Wittams” profile that brought Brooks Newmark down had 52 followers and had tweeted 172 times, so the journalist responsible had taken care to build a credible profile over a period of time.)
  2. Second, check out the authenticity of the followers the profile has. You can use a service like twitteraudit.com to see how many fake followers a particular account has. Too many (more than 50%) and you should be suspicious.
  3. Third, check out their profile. Does it look genuine: for instance does it contain a recent photograph and perhaps contact details or other personal information? If not, then you are right to be wary.
  4. Fourth check out whether there are any similar profiles on Twitter. Search for their name, and variants of their name, to see if there are other accounts that seem to belong to the same person. If there are several similar accounts all seeming to belong to the same person, you will need to discover which is the genuine profile.
  5. Fifth, check out whether the person with the name on the profile has connected with you before on Twitter, but under a different profile; if they have then something may be up.
  6. Sixth, if you are suspicious use the profile image to search Google. It may indicate that the photo belongs to someone else (but if it doesn’t, don’t take this as proof that the photo is genuine)
  7. Seventh, if it seems too good to be true for any reason, then it almost certainly is! (Politicians take note.)

LinkedIn is slightly more difficult to check out as it isn’t possible to detect fake connections (and depending on the account settings it may be impossible to see them at all). However, it is still possible to check out the number of connections, the extent of the biography and the level of activity. If a profile looks incomplete, unused, and with few connections then you might want to treat it as suspicious. In addition, check whether the profile seems to have connected with you before: if they have then the chances are that one of those profiles is a fake.

Facebook? Well my advice here is to avoid business conversations on Facebook. Connect only with people who are genuine friends, not business acquaintances. And never discuss business on a Facebook page or via any form of Facebook messaging.

Back in 1993 the New Yorker magazine published a cartoon with the caption “On the Internet, no one knows you are a dog”. This is still very true, especially in social media. And it is something that anyone with an interest in data security needs to remember.

The FCA and social media

OK, this isn’t the most exciting post. But it is important. The Financial Conduct Authority (FCA) has finally published its draft guidelines on the use of social media by financial services organisations.

There is some very sensible advice in the FCA guidelines. For instance they recommend identifying a tweet as a promotion by including the hashtag #ad.

However there are a number of illogicalities and omissions.

Take tweets. The FCA advise that promotional tweets for financial services need to contain a lengthy risk statement along the lines of, in the example they give, “Your capital is @risk & losses can exceed your deposits.” That’s 56 characters – getting on for half the characters available, and more than half once you have included a link to your products.

But why have a risk statement at all? Consumers don’t expect full information in a tweet. They expect to find more information behind any links. A more sensible rule would to be  to require the risk statement to appear on the landing page beneath the tweet. Alternatively perhaps a shorter statement leading to a risk statement along the lines of “Risks: [link]” should be allowed.

Perhaps they should think of a promotional tweet as being like the header of an email – something designed to persuade you to look for further information. Just as email headers don’t contain risk statements, why should tweets? Including one seems to offer no extra protection to consumers.

The FCA also mandates risk statements on banner ads. They give an example of an ad with three frames, the last of which contains a risk statement. But is this sensible advice? Consumers can’t be guaranteed to watch an animated banner until its completion. So what is the purpose of a risk statement in the final frame? Either the risk statement should be visible all the time – or it should be available on the landing page that links from the banner.

Another problem with the guidelines is the absence of any recognition that social media content can be either static or interactive. The FCA guidance states that social media content needs to be pre-authorised. While this is clearly possible for banners ads, blog posts and even promotional tweets, it is simply not practical for interactive content that takes place within an exchange of tweets for instance. Clearer guidance is needed here – US regulators such as Finra accept that “unscripted” interactions need a different kind of management.

Another weakness is the use of the word “significant” when describing content that needs archiving. This leaves a lot up to the financial services provider. What is “significant”? Surely sensible guidance would insist on all content available to consumers being archived, not a hard thing to achieve with a digital medium. 

My final major worry is that the FCA seem to think that awareness is not part of a promotional journey. Thus a tweet saying “To see our current mortgage offers, go to…” is not a promotion but a tweet saying “To see our great mortgage offers, go to…” is a promotion. Presumably the FCA are saying that “current” is not a word that promotes value? If it isn’t, then will the FCA provide a list of other words that are safe to use? It might be more logical to say that the inclusion of any adjective turns something from an invitation to look at information into a promotion. However, even without an adjective, an informational tweet that generates awareness is a promotion (remember AIDA?)

The FCA is asking for comments on these guidelines and will accept them until 6 November 2014. If you work in financial services marketing you will need to make your feelings known.

 

How to manage your reputation online (4 of 4)

Responding to critical posts

People are posting very unpleasant things about you in social media. What can you do about it?

You have prepared well. You have registered all the necessary social media accounts. You have built up a strong online profile. And now your efficient social listening process has uncovered some unpleasantly critical comments.

But those unpleasant comments are showing up right at the top of Google’s  results when you search for your name. You need to take action.

Now, if the comments are untrue (as opposed to opinion) then you may have some legal redress: although that is expensive and sometimes self defeating if it casts you, or your organisation, in the role of a bully.

So if you don’t want to go down the legal route, or if the critical   comments are true (I am sure they are not!) what else can you do?

The first thing to accept is that you probably won’t be able to get rid of the comments completely. What’s on the web remains on the web. Even if you can somehow get the original source taken down, the chance is that the comments have been repeated somewhere.

Your strategy is to make the comments less prominent. And this means making sure they don’t feature in the first 4 or 5 search results and ideally taking them off the first page of Google’s search results: results here get 94% of clicks with only 6% on the second page and almost nothing on the third page.

Engage

So how are you going to do that? The first step, if the criticisms are justified, is to engage with your critics. Disarm the criticism by apologising for whatever you have done wrong and explain what you are planning to do about it; remember to take any discussion with critics offline if you possibly can. The intention here is to limit the damage so that further criticisms are not posted.

Try to take the links down

The next step is to try to get rid of the information or the links to it.

  • Ask for the page to be taken down by approaching the webmaster and explaining why the comments are unfair (OK this probably isn’t going to work unless the comments are libellous, but it is worth a try)
  • Ask Google to take the links down. As a rule they won’t unless the links lead to a page with highly sensitive personal information such as a signature, credit card number or a social security number. However, for European websites they are now bound to go further and take down links to content that is “irrelevant, outdated or otherwise inappropriate”. At the moment it is Google’s call whether to take the links down; there is no guarantee that they will and in any case as things stand at the moment the links will still be there on non-European versions of Google

Make sure your own pages rank higher

If that doesn’t work (and it may well not) then your next move is to try to ensure your own pages rank more highly than the critical comments you are unhappy with:

  1. Review your web assets and web profile: Do you have all the large social media accounts you could have? Do you have your own YouTube channel and a  Google+, LinkedIn and Twitter profile and have you optimised them, for instance making sure you have “vanity URLs” which contain your name rather than a long number?  And are your web site pages sufficiently rapid and mobile friendly?
  2. Analyse why those unwanted links are ranking well: if it is because lots of sites are linking to those pages you may be able to ask the owners of the linking pages to take down the links, or to give you a link as well. Some people recommend aggressively targetting the sites that are ranking well using “reverse SEO” techniques such as buying lots of dodgy links to them from link farms in the hope that Google will penalise them. I wouldn’t recommend it: there are no guarantees and you may make things worse (besides this isn’t ethical behaviour especially if your critics have a point)
  3. Analyse the words that the unwanted sites are using about you. Say it is “customer service”: you need to put a positive spin on this by developing new positive content around the key phrase “customer service”: This could be a white paper; blog posts; comments in media sites relating to customer service; you could also develop social media pages that contain your name and the key phrase; and you might even want to buy some new URLs with the along the lines of JohnSmithCustomerService.com and develop appropriate content for them
  4. Freshen up your own web pages with new content so Google is likely to rank them more highly: the more popular the content, the higher they will rank. Start adding a new piece of content a couple of times a week at least. Get more active on sites like LinkedIn – changing your profile, posting updates and entering into discussions within Groups
  5. Develop content for social bookmarking sites like Digg, Delicious and Squidoo: It needs to be new content, not a duplicate of articles published elsewhere but that shouldn’t be difficult if you think “lists”: favourite restaurants, books, flowers, dogs, capital cities, flags…the opportunities are literally endless
  6. Upweight your PR activities: seek to get quoted in the press
  7. Upweight your SEO activities: focus on building more back links from high quality sites through social bookmarking, article submission, guest posts, and comments on other people’s blogs and articles
  8. Identify your friends (happy clients etc) and ask them to engage with all your social media profiles, following you and sharing your content with their followers. Start to write testimonials for suppliers and customers and make sure they include the words you identified in point 3
  9. Look for other ways to get mentioned on line: Register a company in your name. Join a service that will list you as an expert such as nonexecutivedirector.com, opentoexport.com or liveperson.com. If you can afford it, pay to be a speaker at a large conference as these often rank very well
  10. Self publish: take advantage of Amazon’s search profile buy publishing an ebook and an audio book on the site

None of this is free: but then having your name appear below pages that are critical of you isn’t exactly free either!

And sadly none of this is guaranteed to work every time. If you have been caught out doing something unsavoury, and if the public or the press create a social media crisis for you, then there is little you can do to reduce your exposure on search engines. But if you are just trying to down-weight some criticism or reduce the prominence of an unfavourable stories, then taking the steps I have outlined should help.

How to manage your reputation online (3 of 4)

Developing a strong online profile

You’ve registered social media accounts in your name. And you are listening to what people are saying about you online. But that’s not enough to protect your reputation. You also need to establish a strong profile so that positive links to content you control show up when people search for your name. It’s not that hard. But it does take some structured effort.

Your social media accounts

It isn’t sufficient to have a social media account with no content. A Twitter account with no tweets could damage your reputation (have you got nothing to say of interest?) and a LinkedIn page with no information certainly won’t help your employment prospects.

So the first thing to consider is how you are going to make you social media profiles credible. The basics are obvious: make sure you have a good profile picture (no Twitter “eggs” please!); and make sure you attend carefully to what your profiles say about you. If you don’t have the time or energy to fill out full profiles for all those social media accounts you have registered, choose one to complete carefully and then link the other profiles to it.

But you also need a regular stream of content. Now, if you are using social media for marketing you will want to think carefully about the content you write for each of your accounts. But we are doing this simply for reputation management so it doesn’t matter particularly if the content in various different accounts is the same. Rather than cutting and pasting your posts from Facebook to LinkedIn and Google+, you can use a service like BufferApp to schedule and distribute your posts to multiple social media accounts. That way you have have several active social media accounts without writing content separately for each one.

Your website

In the first post in this series, I suggested registering a URL in your name perhaps using the suffix .me if it is available. If you do this you might as well also build a small website containing your resume. (If you are not comfortable with this then head for CodeAcademy where you can learn how to programme a simple website: it is much easier than you might imagine.)

If you are comfortable with coding html, then it is important to remember that your website should be “mobile friendly” as Google will rank it higher if it is. Use a template to help you: there are plenty online but you could try Proweb Design’s Simple Responsive Template.

And if you are really competent with coding then you will implement “rich snippets” on your website using schema.org data. Find out more about rich snippets here. Using rich snippets will make your website more strongly on search results page, simply because more content will be shown.

If you have a  common name then it is unlikely that you will see it on the first page of Google (take a look at what comes up when you search for “John Smith” – it’s not ordinary people). If that is the case then perhaps there is less reason for reputation management purposes to create your own website – although it might be useful in other ways.

Wikipedia

If you are running a business it is reasonable to consider developing a page on Wikipedia. Remember though that Wikipedia is NOT the place for self-promotion. The site enforces a strict “Neutral Point of View” policy that means only facts based on valid sources can be published.

Unless you are running a reasonably sized business or are in some way a prominent person it is probably unnecessary to have a Wikipedia page. Indeed there are disadvantages to having one. As the site is strictly neutral anything bad about you that can be verified can be added to the page. So if you have been to prison recently you might not want to create a page… Wikipedia gives an excellent explanation of why it is not always a good thing to have a Wikipedia page.

Remember also that even if you write a page about yourself it may not be published. Wikipedia requires pages to be about content that has “significant coverage in reliable sources”. If you cannot provide links to this type of coverage then your page may be declined as “non-notable”.

Whether or not you have a Wikipedia page it is important to monitor it: if you are being mentioned on the site then you will want to check out whether the facts given are true. If they are, and they are damaging, then you won’t be able to do much about it, although you may be able to add some additional verifiable facts that are more favourable to you.

Blogs and discussions

It is pointless thinking about blogging unless you are prepared to put some energy into it. That means having a regular stream of content. You don’t have to post content every day. But it should be at least once a month for your blog to have any credibility. Use a site like Tumblr or WordPress to host your blog and you immediately benefit from the popularity of those sites.

Don’t confine yourself to your own blog as you build up your profile though. Identify some key blogs in your industry in or areas you are interested in and follow them, contributing your own comments to them as appropriate. How to find them? Well, back in the day, when the web was smaller, there were a number of blog directories. With so many blogs published, most existing directories tend to focus on particular areas. Google “Blog [area of interest]” and you will probably be lucky. Or go straight to a search engine that specialises in blogs like Icerocket.

As well as blogs, find other places you can leave comments or join discussions: popular media websites for instance, or community sites.

Other platforms

Think creatively about other platforms you could use. Look for popular websites that have a good reach as these will rank highly. Are there any societies or industry bodies you can join: if there are do they have a place where you can write a personal or business profile? For instance I belong to the Institute of Consulting which enables me to publish a profile about my services on a reasonably prominent website. And if you are running a business you might want to put a review of working for your company on a site like Glassdoor.

Google and Google+

One last thing to consider: Google. Make sure you make it as easy as possible for Google to find you and to rank your pages highly. This means having a Google+ presence with a good “headshot” photograph: this is helpful if you want to stand out in search results. Google used to use the photo in search results and while it no longer does this, your photo can still appear on the right of the screen as part of a mini profile that Google will create. You should also implement  Google “authorship” on your website and your blogs: it’s not the easiest thing in the world although perfectly achievable and there are several good guides on how to do it such as this from Searchengineland.

Next time…

So far we have talked about registering appropriate URLs and social media profiles, listening to what people say about you online, and establishing a strong profile. But what do you do if people start trying to damage your reputation? You will have to wait for my next post for that!

How to manage your reputation online (2 of 4)

Listen

Managing your online reputation isn’t just about ensuring you have registered all the appropriate social media accounts and URLs for your name. As well as preventing people from using your name online in social media accounts and URLs as far as possible, you also need to:

  • Listen to what people are saying about you online
  • Create a strong profile, using the social media accounts and URLs you have registered
  • Repair any damage caused by people abusing your name online

This post briefly looks at how to listen out for when people are using your name.

Monitor the web

The first thing you need to do is to monitor when people use your name (or your company name or brand names). It is very simple to set up a Google alert that will email you when Google finds someone using your name. You shouldn’t rely on this though. Google isn’t perfect and may miss some mentions. It’s sensible to set up an alert using another tool like Yahoo. Alternatively simply  use another search engine such as Bing on a regular basis (say once a week) as an extra check.

Remember to set your searches up for appropriate variations of your name: I have alerts for jswinfengreen, “j swinfen green”,” j swinfen-green”,  “jeremy swinfen green” and “jeremy swinfen-green” (my fault for having a silly name). You can also include your twitter handles such as @jswinfengreen.

Google allows various options when setting up your alerts such as how often they are delivered. You may want to consider selecting “All results” rather than the default “Only the best results”.

It is also sensible to use a dedicated social listening tool to search for mentions of your name on social media. There are plenty of free tools. I particularly like SocialMention but there are dozens of others. SocialMention does have an Alert facility although it is disabled at the time of writing.

Note that the social media tools (especially the free ones) are generally less comprehensive than the big search engines so you will get a different and probably much smaller set of results. But they will be results from social media which may be useful as it can be easier to manage comments in the social media space than in the wider web. If you want to be more certain of who has mentioned you on social media then you will need to go to each platform and search: a useful exercise on Twitter and YouTube ( where it is just a simple search) as well as LinkedIn (search for Posts) but less so on Facebook which will not show you posts where your name is mentioned.

Identify themes

Once you have pulled out the relevant results, perhaps those where people are being unpleasant about you or your brands, you should start to identify the themes that reoccur. For instance if you work for a motor manufacturer (let’s call them “Supa Carz”) and people are complaining about the breaks failing you will want to monitor that closely and make sure you don’t miss any instances of a complaint that you need to respond to.

In this case you will want to set up alerts for things like Supa Carz breaks failure as well as more general alerts such as Supa Carz sucks.

Note that if you are paying for a social media listening tool you may still need to search the web for mentions of your name or brand because not all tools will monitor sites beyond the main social media platforms. This means that mentions in online communities like mumsnet may get missed.

Monitor sentiment

A change in sentiment can be a signal for an approaching problem. So it also makes sense to monitor this. Doing this well takes time but if you just want an indication  of sentiment then simply use the free sentiment measure on SocialMention or Coosto (shown below). coosto sentiment

Don’t fool yourself

The search engine you use will typically customise the results it shows you depending on your previous behaviour. This means that you may not see the same set of results for a brand that I see. This can be a problem: perhaps it means that you are seeing a set of results on the first couple of pages that are favourable to you: because you are always checking out your social media pages, your blog and your website these come up at the top of the list of links you are shown.

But, because I rarely if ever check your social media pages out, I may see other links at the top of my list of results. And some of these may be damaging to your reputation.

Because of this, it is a good idea to make sure that “personalised search” is disabled when you search for your name. There are several ways of doing this but the simplest is to toggle between the two buttons found to the right of “Search tools” and the left of the Options “cog” to see or hide personalised results for a particular search.

Icons that allow you to turn personalised search on and off in Google

Listening isn’t enough

If you are not listening you won’t be able to manage your reputation online. But listening is not enough. You will also need to create a robust profile so that your name appears linked to positive content such as your Twitter and LinkedIn profiles. And you will need to know what actions to take should someone start damaging your reputation online. More on that shortly.

How to manage your reputation online (1 of 4)

Do you know what people are saying about you online? Everyone, but especially prominent people, needs to be aware of how people view them on line. And unless you know what people are saying, there will be nothing you can do to manage your online reputation.

This is especially true for people who are directors of other organisations. Directors represent their organisations. A director with a bad reputation will affect the reputation of their organisation, potentially with disastrous effects.

And what is true for a prominent person is equally true for any organisation that wishes to maintain public trust.

There are four things you need to do in order to manage your online reputation:

  • Prevent
  • Monitor
  • Profile
  • Mend

Prevent is about stopping people from creating prominent online content that pretends to be about you and thus hijacking your identity.

Monitor is about listening to what people are saying about you online: if you don’t listen then you won’t be able to respond to what people say.

Profile is about making sure your online profile is as prominent as possible: that way you will be making if difficult for someone else to create a false profile that is more prominent than your true profile.

And Mend is about what you can do if someone does create a hostile profile which starts to gain credibility and prominence.

I will take a look at each of these in turn. In this post I will cover some things you can do to prevent people hijacking your identity.

Prevent

The first thing to do is to make it harder for people to hijack your identity. People can hijack your identity in two ways.

  1. They can break into your existing social media accounts and take them over.
  2. And they can set up false social media profiles in your name.

I have covered social media account security in a separate post so here I am going to cover off some of the things you can do to stop people creating fake online identities.

URLs

One of the easiest things to do is to make sure you have registered all relevant URLs. If your company or brand is called “Supa Snax” you will want to register as many important and relevant URLs as are available. If you are based in the UK then SupaSnax.co.uk, Supa-Snax.co.uk, SupaSnax.com, and Supa-Snax.com would be ideal (if they are available of course).

It is sensible to register the .org, .info, .biz and .net versions as well. And look out for relevant new “TLDs” like, in the Supa Snax case, .cafe and .catering.

Unless you are a giant corporate, there is little point in going overboard and registering everything though. There are over 200 endings to choose from (see http://www.onlydomains.com/new-gtlds) and you could end up spending a disproportionate amount of time and money managing them.

If you are a prominent individual, you should consider registering URLs for your name in three forms: initial and surname, first name and surname and first name, hyphen and surname (jsmith, josmith and jo-smith). You will want a similar set of TLDs to organisations: .co.uk, .com, and .info together with .name and .me and any other relevant TLDs such as .actor or .author

Ordinary individuals (like me!) don’t normally need to bother with any of this although there is never any harm in having a resume or a little personal site under a .me address.

AntiURLs

Organisations (and people who have been subject to personal abuse on line in the past) may also want to register some antiURLs (an insulting url consisting of a name followed by “sucks” or “fail” or similar), to prevent other people being able to use them. PayPal probably wish they had registered PayPalSucks.com for instance.

The antiURL can point to your official website or simply point nowhere – perhaps a better strategy as you don’t really want your name being associated with something insulting.

Social media accounts

It is very important to have social media accounts in your, or your organisation’s, name. Again it is impractical to do everything, so stick to the main sites, currently (in the UK): Facebook, Google+, LinkedIn, Twitter, Instagram and Pinterest. In addition establish a blog on a popular site such as Tumblr or WordPress. Make sure you reference your official website from each of these.

You can use a service like knowem.com to identify which social platforms have accounts or content that uses your name

As far as possible try to make sure that the name you use for each account is as similar as possible. You don’t want an Instagram account for “SupaSnax” and a Twitter account for “SupaSnaxCafe” if you can avoid it.

You will probably be using one or two of these accounts, perhaps Facebook and Twitter, for marketing purposes. Just because you have several other social media accounts, don’t feel you need to be posting content to all of them regularly. After all, this is a defensive measure aimed at stopping someone from impersonating you easily. All you need is an occasional piece of content, so the account doesn’t look totally unused (which would damage your reputation, exactly what you are trying to avoid!), and relevant profile information that points people to where the action is really happening.

YouTube and video

YouTube is the second largest search engine after Google. It is where a lot of people go to find things. So having a presence there makes sense.

You don’t need a massive investment for this. And it is good marketing in any case. You will need to create a handful of videos about your company (or if you are an individual about yourself and your interests). These can be simple “talking head” videos – perhaps explaining something about your organisation’s philosophy and products.

Script each video first and then practise it. Once you are familiar with what you want to say, write yourself some notes (so that you are not reading from a script) and set up a camera, with some good lighting, in a quiet room. Use a free video editor like Windows Movie Maker to trim out the stumbles and silences and to add captions and titles.

Try to add a new video once every couple of months. While the intention here is purely defensive (if you are using YouTube for marketing you probably need to do a little more than simple talking head videos) it will help you if you add new video content every now and then as it will maintain the prominence of your channel on YouTube.

A word of caution

Nothing you can do will prevent someone who is determined to hijack your identify from doing so. All you are doing here is to stop them from creating fake identities in the most obvious and noticeable places. That is important. But it isn’t the only thing you should do.

I will cover off how to listen for people who are insulting you, how to create a prominent profile, and what to do when someone does start to insult you, in later posts.

Social media and reputational risk

Social media isn’t just about marketing. It is an important way of managing risk for organisations, especially reputational risk. In fact it’s so important that failing to use social media to manage reputational risk could be considered negligent.

Internal risks

Internal risks include the use of employees using social media accounts to post inappropriate content about an organisation. And around Christmas Party time, this risk is especially strong.

You really don’t want employees using public social media to post salacious or unflattering content relating to any social event that other employees are attending, whether or not this event has been formally sponsored by your organisation.

For instance photographs of staff members behaving indecorously at a private party could have a negative effect on the organisation if the people involved are identified as working for the organisation in the caption.

But it would be far worse if the photographs were taken at the office party. It is great to use party photos as a way of showing the informal and fun side of your organisation. But do check that these photos are appropriate – and won’t embarrass anyone (use the “rule of mum” in other words “would they be happy for their mum to see this”) – before allowing them to be posted on the company Facebook page.

In addition, personal opinions or comments that do not reflect the organisation’s position should not be expressed on an account owned by an organisation. It happens!

Inappropriate (accidental) use of an organisational social media account

Using an organisation’s social media account to post informal and personal messages can cause embarrassment!

And even on a personal account, if the writer is identified as working for an organisation it is reasonable to ask people to state that their opinions do not necessarily reflect the opinions of your organisation – especially when those opinions are contentious. 

System risks

There are two common forms of system risks. The first relates to organisation social media accounts being “hacked”.

While there isn’t necessarily much that any organisation can do against a determined and skilled hacker, care can at least be taken to ensure that company accounts have adequately secure passwords. Without secure passwords it can be easy for company social media accounts to be hijacked, as Burger King found out in February 2013.

Image of Burger King's Twitter profile after it was hacked

Weak passwords can result in social media accounts being hijacked

The other main form of system risk relates to employees leaving after they have set up official social media accounts. In this case it can be quite difficult to get control back.

Both Google+ and Facebook demand that business “Pages” are set up from personal accounts, rather than directly by the organisation involved. For these websites especially, it is essential that an appropriate strategy is employed, such as asking a senior trusted employee to set up the business page. Appropriate protection also needs to be written into employment contracts.

External risks

Spoof and hate accounts can also be a problem. For instance disaffected employees may create accounts that focus on unflattering descriptions of an organisation. Unless they are libelous, negative opinions expressed on a personal account must be endured, although you can choose to ignore, acknowledge or rebut them. Dealing with them takes sensitivity: it is rarely appropriate (or cost-effective) to roll out the lawyers. Rebutting negative comments with an air of injured patience is more likely to be a better option, especially where the negative comments are not being seen by many people as may well be the case.

Listen and learn

Reputational risk will always be out there. By listening to the social media buzz you will have a good chance of picking up on any major threats. And by learning from how other organisation deal with (or invite) social media risks you will be able to find ways of mitigating them for your own organisation. But if you are not listening in the first place you are risking a great deal.

If you would like to know more about managing risk through social media then drop us a line at hello@mosoco.co.uk or call us on 07855 341 589.