Managing Social Media Risks MAY 13, 2014

Transcription

1 NYBA 2014 Annual Technology, Compliance & Risk Management Forum Managing Social Media Risks MAY 13, 2014 Jerry Gagne, CPA, CISA Wolf & Company, P.C. Ryan Bell, CEO Gremln

2 Today s Agenda Intro to Social Media Benefits Risks Controls Software Solutions Questions

3 Social Media Sites

4 A little Confused?

5 Awesome

6 Sounding Board

7 social media USERS 225 MILLION 500 MILLION 1.11 BILLION 77% of Fortune 500 companies reported using social media for business in % of consumers say it s important to read user-generated content before making a decision about financial services 44% of millennials will not purchase insurance without referencing others' opinions

8 Social Media is an incredible marketing, customer service, & brand awareness tool 77% Using Social Media Promotes Trust Of Fortune 500 companies reported using social media in 2013 Social Media Helps you Listen to Customers Avoid Reputation Risk Through Social Media

9 70 % of customer questions on Twitter are being ignored 51 % WILL ONLY GIVE YOU ONE CHANCE 86% will stop doing business with your company because of bad service experiences 50% of social media users in the US expect a reply to their complaint within an hour, 24 hours a day. 1/3 of customers prefers social care to contacting a company by phone

10 Social Media Personal Benefits New Channel of Information Late breaking news Regulation updates Electronic Rolodex Personal Branding Networking

11 Social Media Corporate Benefits Improve customer satisfaction Recruit and retain talent Enhance Company brand awareness Strengthen connections and relationships Access expertise Help address negative publicity Notification tool when incidents occur

12 What are the costs of not participating CUSTOMER SERVICE REPUTATION CLIENT REACH SECURITY BREACHES

13 Social Media Risks Social Engineering (Phishing, etc.) Reputation Risk Strategic Risk Privacy Risk Compliance Malware & Tiny Urls

14 social ENGINEERING The clever manipulation of the natural human tendency to trust.

15 Not your traditional fishing! Phishing Spearphishing Whaling SMishing Vishing Twishing

16 Its not hard to fool us! I forward this file to you for review, please open and view it. 13 words that took down RSA Authentication World Wide

17 Case Study RSA Breach Information gathered on four specific employees Possibly through social media such as Facebook Specific, targeted s ( spear phishing ) sent to the employees Attached file 2011 Recruitment plan.xls contained a virus Virus exploited a vulnerability in unpatched Adobe Flash software Backdoor program installed on affected computers Compromised computers used to obtain critical data

18 Case Study Bin Laden s Video claiming Bin Laden s capture was posted on FB When users clicked on the link to the video, they were told to copy JavaScript code into their browser bar Automatically sent the hoax to their friends Gave hackers full access to their account

19 Case Study My Friend My friend joined a social network Hacker sent fake photo of himself (malware) My cousin clicked on photo which allowed malware to take control of computer including the web camera, online accounts, and contacts Captured video and pictures Attempted to extort $

20 Reputation Risk - Employees Should we encourage them to use tools such as: Facebook Twitter Linked Are they friending Clients Are they representing the organization poorly Are they unaware of who sees them

21 Employees using wrong account Microsoft briefly got political in September, when one of the people who manages its Twitter account dissed conservative talking head Ann Coulter from the Microsoft account, rather than from his personal account. Microsoft replied to a tweet from former U.S. labor secretary Robert Reich with the following post: "@RBReich your granddaughter s level of discourse and policy > those of Ann Coulter." Ouch.

22 Employees using wrong account When it comes to offensive tweets, KitchenAid takes the cake. After President Obama mentioned his grandmother during the first presidential debate in October, the kitchen appliance manufacturer responded by posting the following tweet to its 24,000 followers: "Obamas gma even knew it was going 2 b bad! She died 3 days b4 he became president. #nbcpolitics To the company's credit, it quickly removed the tweet and issued an apology, explaining that a member of the KitchenAid team had mistakenly posted it from the company account instead of from a personal handle.

23 Ooops

24 Strategic Risk Employee representing the organization poorly Partner integration Incorrect content Wasted $ Just using it as content sharing? Responding to your followers? Third party risks Typically due diligence on social media vendor is not performed (no say in contract) Breach response (no contract outlining vendor accountability or responsibility)

25 #McDStories: When A Hashtag Becomes a Bashtag Dude, I used to work at McDonald s. The #McDStories I could tell would raise your hair. (via Twitter) One time I walked into McDonalds and I could smell Type 2 diabetes floating in the air and I threw up. #McDStories (via Twitter) The promoted TT of #McDStories isn t going the direction I wanted it to go. Lots of weed stories and heart attack jokes. (via Paid Content) Ate a McFish and vomited 1 hour later.the last time I got McDonalds was seriously 18 years ago in college.. #McDstories (via Twitter)

26 When Ads go wrong CelebBoutique, an online store, posted a promotional tweet with the Aurora hashtag to take advantage of a trending topic. Unfortunately, the company's PR apparently did not take the time to read up on why Aurora was trending (mass shooting), so the tweet came off as incredibly insensitive.

27 Privacy Risk Information posted can be used in Social Engineering (Phishing, etc.) Date of birth Password hint information (what was your first job?) Accidental posting of information by customer Accidental or malicious posting of confidential information Social Media sites are hacked on a regular basis Default privacy settings Public, anyone, and everyone settings Connecting with everyone?

28 Compliance Risk FINRA Regulatory Notice Copyrights and fair use (don t steal someone else s image or content) Gramm-Leach Bliley Act and Data Security Guidelines Truth in Savings/Regulation DD and Part 707 Fair Lending Laws: Equal Opportunity Credit Act/Regulation B and Fai Housing Act Truth in Lending Act/Regulation Z Real Estate Settlement Procedures Act Fair Debt Collection Practices Act

29 Compliance Risk (Continued) Unfair, Deceptive, or Abusive Acts or Practices Deposit Insurance or Share Insurance Electronic Funds Transfer Act/Regulation E Rules applicable to Check Transactions CAN-SPAM Act and Telephone Consumer Act Children s Online Privacy Protection Act Fair Credit Reporting Act

30 HR Issues?

31 Malware and Tiny Urls Risk Social media sites are hacked Images, documents and links loaded with malware Users accounts are compromised Just because you know them and they are sharing content, should you click on that picture? Tiny Urls and user habits of clicking on them (where do these go?)

32 HOW DO YOU PARTICIPATE AND STAY Compliant? APPROVAL FILTRATION ARCHIVING MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2010 Wolf & Company, P.C.

33 If only he had

34 Controls Governance structure Policies & procedures Vendor due diligence Employee training Oversight & monitoring Audit and compliance functions Response

35 Governance Structure Governance Structure Identify roles and responsibilities Board of Directors or Senior Management direction Risk assessment Board reporting Effectiveness of social media program and is it meeting objectives

36 Policies & Procedures Clearly define how social media will be utilized Monitoring of use to ensure compliance with consumer protection laws, regulations and guidance Guidance on postings, edits, replies, and retention of these items Ensure that employees are trained or made aware of social media risks Companies continually looking to block social media sites Cannot stop home or phone use

37 Vendor Due Diligence Selecting and managing third-party service provider relationships You are not going to get much (no SOC reports) Contracts: it s on their terms, can t negotiate Focus on what you can do to mitigate the risks

38 Employee Training Most social media blunders are due to poor training and awareness Most employees don t necessarily understand the impact of their postings Training should include: Work related use Other use Define unacceptable use

39 Oversight & Monitoring Negative (or Positive?) comments Fake pages or websites promoting or advertising products inappropriately Regulatory compliance

40 Audit & Compliance Is social media included in your audit and compliance programs? Validate compliance with: Internal policies Applicable laws, regulations, and guidance

41 Response Update Incident Response plan to include social media problems such as: Negative comments or inappropriate postings E-Discovery and regulatory requirements Make sure to understand the viral nature of the Internet and how a simple mistake can lead to even more criticism (Dominoes Pizza ) Should social media be included as a way to communicate with customers during a disaster, DDoS, fraud alerts?

42 INTEGRATED marketing tools

43 HOW DO YOU save time?

44

45 HOW DO YOU STAY Organized?

46

47 HOW DO YOU MEASURE Success?

48

49 HOW DO YOU DETERMINE ROI? Follow the tweet to the sale!

50 New reality and bottom line You can choose not to use it (personally) but you have to embrace it (commercially) Your customers are taking about you and you can t hear them Regardless if you decide not to use it, your employees are communicating with it (about you?) And you can t hear them.

51 Resources Sample Social Media Policies: Best practices:

52

53

54 Resources (Continued) Lessons we can all learn from: /#_ Regulatory guidance

55 Questions? Ryan Bell CEO GREMLN Gerald R. Gagne Member of the Firm Wolf & Company, P.C MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C.