Internet Reputation Management Guidelines Building a Roadmap for Continued Success

Transcription

1 Internet Reputation Management Guidelines Building a Roadmap for Continued Success

2 Table of Contents Page INTERNET REPUTATION MANAGEMENT GUIDELINES 1. Background 3 2. Reputation Management Roadmap 5 3. Prevention 6 I. Establishing an Internet Reputation Management Council 6 II. Developing policies and procedures 7 III. Training and communicating with staff 8 IV. Measuring progress against objectives 8 4. Monitoring 9 5. Analysis Mitigation Summary 12 INTERNET REPUTATION MANAGEMENT WORKBOOK Workbook Elements 14 I. Sample Questions for Prevention Stage 15 II. Internet Reputation Management Council 16 III. Mitigation Processes 17 o The BP Process 19 IV. Rules of Engagement 20 V. Guidelines and Best Practices for Social Media Participation 21 VI. Sample Policy Statements 23 o Social Media Participation Policy 23 o Internet Incident Response Policy 24 o Software, Internet Use and Policy 26 o Policy Acknowledgement Form 29 VII. Social Media Incident Response Processes 30 ABOUT BRANDPROTECT 34 ABOUT BRANDPROTECT

3 1. Background Internet-based brand fraud, defamation and identity theft are relatively new additions to business risk for most organizations. The conventional view is that damaging activities, such as identity theft attacks, became a legitimate concern to law enforcement agencies and enterprise risk managers as recently as During this time, corporate information technology departments were focused on building firewalls to secure their internal information systems, customer databases and systems. Companies with high profile brands were caught unaware and ill-prepared to implement measures to combat internet-based threats targeting their valuable brand names. As a result, criminals were able to operate in an open and ungoverned environment stealing personal customer information, misrepresenting brands and redirecting web traffic, causing a substantial amount of financial and reputational damage to legitimate enterprises. Today, with ever more coordinated and sophisticated criminal activity and the explosion of social media, there is an urgent call to action for companies to immediately establish an enterprise-wide state of readiness to combat internet fraud, reduce the severity and levels of brand abuse and to mitigate the financial harm to customers and collateral reputational damage to the corporate brand. When threats appear, organizations need to consider a number of key questions in assessing their state of preparedness (see Workbook for more potential questions): Corporately Who are the various internal stakeholders responsible for reputation management and what are their needs? How are decisions being made and what approval processes are there? Who in the organization needs to be involved? What help do we need to design, implement and run the process? Specific to an Issue What is the size, scope and level of severity of the problem? How quickly, and to what extent, can the problem be solved? What kind of skill set will be required to effectively mitigate this new risk? What formal and informal processes are already in place that we can build upon? 3

4 Based on BrandProtect s experience in protecting the rights, revenue streams and reputation of organizations worldwide for over a decade, we have developed a strategy and roadmap to ensure that policies, processes and procedures are established within the early stages of an Internet Reputation Management Program. Recognizing that each organization will face its own specific internal and external challenges in dealing with internet threats, BrandProtect has provided these full-scale Guidelines. It is our recommendation that you adopt all or parts of this Roadmap that are applicable to your organization. This will help to ensure successful implementation of a customized Internet Reputation Management Program. The following document outlines the steps involved to define internal and external project resources, and the Workbook provides process requirements, timelines, deliverables and expected outcomes, including the following: 1. Creation of an Internet Reputation Management Council with crossorganization representation 2. Development and implementation of internet reputation management policies based on corporate risk management strategies and response processes 3. A risk assessment and mitigation process to help analyze threats and establish appropriate mitigation strategies 4. Defining the rules of engagement to be followed to help guide organizational response to threats 5. Development of corporate policies, with particular emphasis on those relating to social media participation, given its special and potentially explosive nature 4

5 2. Reputation Management Roadmap One of the primary objectives of any program is to assist in establishing longterm policies, strategies and processes involving cross-functional participation to improve internet reputation management. With a long-term corporate focus on risk management and prevention, organizations will be able to minimize the damages resulting from online criminal activity, intellectual property rights abuses and defamatory discussion. The critical components of an effective Internet Reputation Management Program are illustrated in the diagram below: Roadmap to Establish a State of Enterprise Readiness The focus of this document is on the first stage of prevention, with the attached Workbook serving to further help guide efforts across the entire roadmap. Within prevention, the key elements are as follows: 1. The formation of an Internet Reputation Management Council 2. The development of policies and procedures 3. Training and communicating with staff 4. Measuring progress against objectives 5

6 3. Prevention I. Establishing an Internet Reputation Management Council BrandProtect recommends setting up a cross-departmental Internet Reputation Management Council, made up of key internal stakeholders representing those functional groups that have ownership of the brand, enterprise risk management, customer information files, investor relations, and legal and human resources. The objective of bringing together this crossfunctional group is to ensure that ownership and management of the brand is carried out at the enterprise level. Most corporate brands are typically represented across multiple external stakeholder touch points such as the internet, customer service department, call center, retail outlets, broadcast media advertising, investor communication vehicles (e.g. press releases, analyst calls, annual reports), channel and alliance partners, resellers, agents and brokers. In this regard, the brand has high exposure. These are all collection points for customer information and they usually cover expansive geographic areas that present unique challenges in ensuring compliance with brand standards and protection of proprietary information. Council representation should consist of a variety of roles within an organization, for maximum effectiveness. These include: - A Team Leader, responsible for day-to-day operations and process management - Functional area leadership with representation from groups that have responsibility for managing and protecting the brand, including: E-business, Human Resources, Marketing, Investor Relations, Legal, Public Relations, Security and Fraud, and IT - Executive level sponsorship In our experience, a program s success is predicated on the contribution that these roles provide. Each is crucial in defining how the company uses and protects brands with respect to corporate standards of governance. The cross-functional team will not only provide leadership on securing the brand, but will also act as agents of change by championing the implementation of training and policymaking within their respective departments. Executive leadership paves the way for cross-functional collaboration and resource collaboration, along with contributing to building a culture that is aware of the value of its brand and the dangers that threaten this valuable corporate asset in the age of internet threats. Finally, the Team Leader marshals the necessary resources to ensure that on a day-to-day basis the brand is safeguarded and that the appropriate processes are established and in place to address issues as they are encountered. 6

7 Setting up an Internet Reputation Management Council is a collaborative process; therefore, a company should instill a philosophy of internet reputation management by: 1. Identifying key internal stakeholders and inviting them to participate in a meeting to establish the guidelines of internet reputation management within the company 2. Planning to meet regularly to keep abreast of industry and technology changes as well as emerging forms of internet-based threats 3. Establishing goals and targets such as building a structure and policies to set up a Best of Breed Governance Policy ; setting metrics to track performance from the outset 4. Establishing emergency response protocols 5. Implementing training policies and communication within the organization 6. Reviewing, measuring, evaluating and managing progress against objectives II. Developing policies and procedures By building in a defined set of response procedures, it is possible to minimize the amount of damage that a phishing, identity theft, brand attack, or even a social media crisis can inflict. A defined set of procedures can also greatly reduce the amount of time the call center staff spend on the telephone, or provide your Investor Relations and/or Public Relations department(s) with documentation (key messages/talking points, press release templates, etc.) that are prepared in advance so as to minimize public response times. And since employees may unknowingly infringe on disclosure requirements and even contribute to espionage by revealing information that is either sensitive or not in the public domain, having internet reputation management processes and policies in place can help create a structure and culture of corporate awareness, allowing employees to be better able to detect brand infractions on their own and to proactively minimize the risk of their occurrence. 7

8 Examples of policies usually needed within an organization include: Policy towards employment listing security in conjunction with Human Resources Develop and police linking agreements via contracts and channel management Maintained and managed master lists of authorized users of corporate trademarks Established, communicated and enforced on-line advertising standards and protocols Established, communicated and enforced written corporate disclosure policy Established and continuously refined crisis communications plan Policy on how, where and if employees should conduct discussions online Policy for domain name registrations While creating these strategies and processes will take some time, once completed they will reduce response times to security breaches and fraudulent activities. This saves your organization tremendous time and money on recovery procedures and enables a focus on moving forward. Furthermore, implementation strategies will assist your organization in adopting a culture of corporate asset management and protection. III. Training and communicating with staff The best intentions and plans will not result in success without the understanding and collaboration of the extended organization, including partners. The extent of internet threats is such that only through marshalling the collective efforts of the many in finding, assessing and determining the steps to take when issues are encountered can an organization truly achieve its goals. This requires involvement of stakeholders in both the development and rollout of plans, as well as ongoing solicitation of their views and communication to them of actions and progress. IV. Measuring progress against objectives Simply put, success can only be determined on the basis of having clearly stated objectives in place. These can be both quantitative (e.g. reduction in the number of identity theft incidents, number of defamatory issues, etc.) or more qualitative in nature. They can also be split between external and internal goals, the latter being of particular importance in larger, less cohesive organizations. Determining a select set of objectives to achieve and monitoring progress should be a priority for the Internet Reputation Management Council. 8

9 4. Monitoring Effective internet reputation management is dependent on the ability to gain visibility into your internet presence. This requires understanding the particular internet ecosystem involved. The diagram below depicts the variety of ways brands are represented online, from its website through to the presence of associated marks on non-corporate sites, through to how they are being discussed in social media. These are the areas to be monitored for true coverage. Tools like Google s Blog Search, Alerts, and Trends enable organizations to monitor their brands ad hoc and for free. However, the time required to use these tools is prohibitive, and they do not provide comprehensive coverage of data sources and are highly dependent on the indexing patterns of search engines. Large enterprises need comprehensive coverage that requires an advanced automated solution in order to be able to adequately search and parse relevant data and do so in a timely fashion. Internet monitoring specialists like BrandProtect can simplify and make more effective any monitoring effort, usually at a fraction of the cost of any comparable internal effort. 9

10 5. Analysis Processes need to be put in place to help in determining priorities for addressing the massive volume of information obtained through any monitoring of the internet. While companies often tackle internet reputation management in different ways in different parts of the organization, in doing so they are not able to benefit from a more coordinated effort, as many of the issues encountered can have an impact on a variety of stakeholders. This is depicted in the diagram below. The Internet Reputation Management Council plays a crucial role in coordinating efforts across the organization; in effect becoming, or at least supporting, the Chief Reputation Officer s role. Crucial to its success is the ability to have access to data that has been sufficiently filtered for accuracy and relevance, as well as having the tools in place to assist with the interpretation of and reporting on findings. Access to BrandProtect s secure portal and its features provides for such capabilities. 10

11 6. Mitigation Processes need to be defined based on the type of threat observed. Broadly speaking, these break down into the three areas associated with threats to customers, to the company s assets and threats to reputation association with community perception. These will require processes to address the following in particular: 1. Brand abuse what constitutes a trademark violation, traffic diversion or other unauthorized association; who within the organization needs to be contacted; how to respond to an attack 2. Pre-determined response strategies to attacks on your reputation for your Public Relations, Investor Relations, Marketing and Call Center functions 3. Security & fraud response to identity theft attacks, both from a process and resources standpoint, as well as those from interaction with Investor Relations and/or Public Relations Through the implementation of a formal monitoring system, threats to rights, revenues and reputation can be reported to the appropriate stakeholders in a timely fashion. The key benefit is that stakeholders are alerted to the impact of brand infringements on their respective functional areas. These alerts should act as triggers for intervention, either at the policy, process, or technology level. Rules of engagement need to be in place and understood in order to then ensure such intervention is conducted effectively. To this end, BrandProtect offers the following services: Incident Response: Rapid response to deal with all forms of identity theft attacks Cease and Desist capabilities: Automated system tailored to address specific infractions Social Media Engagement: Subject matter expertise in-house and via partner Education Support: For employees and customers Forensic Development: Capturing of necessary data to assist with litigation support Further, key internal stakeholders should meet on a regular basis (we recommend monthly) to discuss relevant internet reputation management issues. These internal stakeholders should be prepared to drive internal training and implement internet reputation management policies within the organization. 11

12 7. Summary By following this roadmap to establish long-term policies, strategies and processes involving cross-functional disciplines, organizations will be able to minimize the damages resulting from online criminal activity, intellectual property rights abuses and defamatory discussion. To further customize your organization s approach, please reference BrandProtect s Internet Reputation Management Workbook in next section. 12