Internet Reputation Management Guide. Building a Roadmap for Continued Success

Transcription

1 Internet Reputation Management Guide Building a Roadmap for Continued Success

2 About BrandProtect BrandProtect is the leader in multi-channel Internet threat monitoring and risk mitigation. The company provides a comprehensive suite of social Internet risk detection and threat mitigation solutions for enterprises. BrandProtect deploys a unique combination of advanced proprietary technology, overseen by a seasoned team of threat analysts, to quickly identify and mitigate fraudulent or unauthorized online activity, such as brand abuse and trademark infringement incidents, phishing attacks, web traffic diversions, website integrity issues and defamatory discussions. BrandProtect helps security, governance, risk management, compliance and marketing organizations at leading financial services institutions, large-scale retailers, insurance providers, telecommunications operators and pharmaceutical companies protect their brand value and business bottom line. Eleven of the top thirty-five banks in North America depend on BrandProtect to protect both their enterprise and their customers from third-party Internet attacks that leverage or damage their brands. From banksmart, a unique fixed-price offering for banks, credit unions and other financial institutions, to comprehensive multibrand/multi-channel monitoring solutions that exceed the requirements of the world s most security conscience enterprises and the world s most-trusted brands, BrandProtect sets the Internet monitoring standard for Security Operations teams, Compliance/Governance committees, Risk Organizations and Executive suite members, including CEOs, CFOs, CIOs and CMOs. For more information visit: BrandProtect 5090 Explorer Drive Mississauga, ON Canada L4W 4T [email protected] 2014, BrandProtect Inc. All rights reserved. BrandProtect, banksmart and the BrandProtect logo are trademarks of BrandProtect Inc. Internet Reputation Management Guide 2

3 able of Contents Executive Summary 4 Reputation Management Roadmap 6 Prevention 7 Monitoring 10 Mitigation 12 Internet Reputation Management Guide 3

4 Executive Summary Reputation Risk, Compliance Risk, Internet-based Brand Fraud, Social Media Risk, and Identity Theft are relatively new additions to business risk for most organizations. Over the past ten years, Internetbased threats and cybercrime have become a legitimate concern to law enforcement agencies and enterprise risk managers. Unlike traditional threats, which directly attack an organization s secure perimeter, Internet-based risks, including brand threats and reputational attacks, are targeted at intangible business assets that cannot be protected by an ever-more-secure firewall. Today, sophisticated criminals are able to operate in an open and ungoverned environment, stealing personal customer information, misrepresenting brands and redirecting web traffic, thus causing a substantial amount of financial and reputational damage to legitimate enterprises. As a result, companies with high profile brands must implement strategies to combat Internet-based threats targeting their valuable brand names. And as social media and e-commerce converge, there is an urgent call to action for companies to immediately establish an enterprise-wide state of readiness to combat Internet fraud, reduce the severity and levels of brand abuse, as well as to mitigate the financial harm to customers and collateral reputational damage to the corporate brand. Not surprisingly, forward thinking companies are moving rapidly to establish internal guidelines, created escalation committees and procedures and deploy technology solutions to monitor online activities that could potentially affect their trusted brands, reputation and business continuity. Governmental regulators are active, too, publishing regulatory guidelines, such as the FFIEC Social Media: Consumer Compliance Risk Management Guidance (Dec 2013), which highlights these new threats and risks to important business segments. When threats appear, organizations need to consider a number of key questions in assessing their state of preparedness. Organizational Questions Who are the various internal stakeholders responsible for reputation management and what are their needs? How are decisions being made and what approval processes are there? Who in the organization needs to be involved? What help do we need to design, implement and run the process? Situational Questions What are the size, scope and level of severity of the problem? How quickly, and to what extent, can the problem be solved? Internet Reputation Management Guide 4

5 What kind of skill set will be required to effectively mitigate this new risk? What formal and informal processes are already in place that we can build upon? BrandProtect has been protecting the rights, revenue streams and reputation of organizations worldwide for more than ten years. During that time, we have developed an enterprise-tested methodology to assist clients who are implementing an Internet Reputation Management Program. The BrandProtect process ensures that appropriate policies, processes and procedures are established within the early stages of a brand protection practice. BrandProtect has created these full-scale guidelines to assist corporations with this critical task. But each organization will face its own specific internal and external challenges in dealing with internet threats. Depending upon your online exposure (which is not only based upon your direct online activity) you and your organization should adopt any or all of these recommendations. This will help to ensure successful implementation of a customized Internet Reputation Management Initiative. This Internet Reputation Guide outlines the steps involved to define internal and external project resources including the following: 1) Creation of an Internet Reputation Management Council with cross-organization representation 2) Development and implementation of internet reputation management policies based on corporate risk management strategies and response processes 3) A risk assessment and mitigation process to help analyze threats and establish appropriate mitigation strategies 4) Defining the rules of engagement to be followed to help guide organization response to threats 5) Development of corporate policies, with particular emphasis on those relating to Social Media participation, given its special and potentially explosive nature By following this roadmap to establish long-term policies, strategies and processes involving crossfunctional disciplines, organizations will be able to minimize the damages resulting from online criminal activity, intellectual property rights abuses and defamatory discussion. Internet Reputation Management Guide 5

6 Reputation Management Roadmap One of the primary objectives of any program is to assist in establishing long-term policies, strategies and processes to improve internet reputation management. To be successful, this must be a crossfunctional effort. With a long-term corporate focus on risk management and prevention, organizations will be able to minimize the damages resulting from intellectual property rights abuses and defamatory discussion, and online criminal activity, The critical components of an effective internet reputation management program are illustrated in the diagram below: Roadmap to Establish a State of Enterprise Readiness The focus of this document is on the first stage of Prevention, with the attached Workbook serving to further help guide efforts across the entire roadmap. Within Prevention, the key elements are as follows: The formation of an Internet Reputation Management Council The development of Procedures and Policies The training and communication for staff Measuring progress against objectives Internet Reputation Management Guide 6

7 Prevention Establishing an Internet Reputation Management Council BrandProtect recommends setting up a cross departmental Internet Reputation Management Council (IRMC), made up of key internal stakeholders representing those functional groups that have ownership of the brand, enterprise risk management, customer information files (CIF s), investor relations, legal and human resources. The objective of bringing together this cross-functional group is to ensure that ownership and management of the brand is carried out at the enterprise level. Most corporate brands are typically represented across multiple external stakeholder touch points such as the Internet, customer service department, call center, retail outlets, broadcast media advertising, investor communication vehicles (e.g. press releases, analyst calls, annual reports), channel and alliance partners, resellers, agents and brokers. In this regard, the brand has high exposure. These are all collection points for customer information and they usually cover expansive geographic areas that present unique challenges in ensuring compliance to brand standards and protection of proprietary information. Council representation should consist of a variety of roles within an organization, for maximum effectiveness. These include: A Team leader, responsible for day-to-day operations and process management Functional area leadership with representation from groups that have responsibility for managing and protecting the brand, including: Marketing, Legal, Investor Relations, Compliance, E-business, Human Resources, Public Relations, Security and Fraud, and IT Executive level sponsorship A successful Internet Reputation Program depends upon the contribution that all of these roles provide. Each is crucial in defining how the company uses and protects brands with respect to corporate standards of governance. The Team will not only provide leadership on securing the brand, but they act as agents of change by championing the implementation of training and policymaking within their respective departments. Executive leadership paves the way for cross-functional collaboration and resource collaboration, along with contributing to building a culture that is aware of the value of its brand and the dangers that threaten this valuable corporate asset in the age of Internet threats. Finally, the Team leader marshals the necessary resources to ensure that on a dayto-day basis the brand is safeguarded and that the appropriate processes are established and in place to address issues as they are encountered. Setting up an Internet Reputation Management Council is a collaborative process and a company should instill a philosophy of internet reputation management by: 1) Identifying key internal stakeholders and inviting them to participate in a meeting to establish the guidelines of internet reputation management within the company Internet Reputation Management Guide 7

8 2) Planning to meet regularly to keep abreast of industry and technology changes as well as emerging forms of Internet-based threats 3) Establishing goals and targets such as building a structure and policies to set up a Best of Breed Governance Policy ; setting metrics to track performance from the outset 4) Establishing emergency response protocols 5) Implementing training policies and communication within the organization 6) Reviewing, measuring, evaluating and managing progress against objectives Developing policies and procedures By building in a defined set of response procedures, it is possible to minimize the amount of damage that an online incident can inflict, whether it is a simple case of brand abuse, or a sophisticate attack using phishing, social media and rogue websites. A defined set of procedures can also greatly reduce the amount of time the Call Center staff spend on the telephone, or provide your Investor Relations and/or Public Relations department(s) with documentation (key messages/talking points, press release templates, etc.) that are prepared in advance so as to minimize public response times. And since employees may unknowingly infringe on disclosure requirements by accidently revealing information that is either sensitive or not in the public domain, having internet reputation management processes and policies in place can help create a structure and culture of corporate awareness, to allow employees to be better able to detect brand infractions on their own, as well as to proactively minimize the risk of their occurrence. Examples of some policies usually needed within an organization include: Policy towards employment listing security in conjunction with Human Resources Develop and police cross-site-linking agreements via contracts and channel management Maintain and manage master lists of authorized users of corporate trademarks Establish, communicate and enforce on-line advertising standards and protocols Establish, communicate and enforce a written corporate disclosure policy Establish and continuously refine a crisis communications plan Set policy on how, where and if employees should conduct discussions online Set policy for domain name registrations Establish, communicate and enforce blogging and micro-blogging standards and policies While creating these strategies and processes will take some time, once completed, they will help to minimize the frequency of incidents caused by careless communications or disclosures. In addition, Internet Reputation Management Guide 8

9 they will reduce response times to security breaches and fraudulent activities. This saves your organization tremendous time and money on recovery procedures and enables a focus on moving forward. Furthermore, implementation strategies will assist the corporation in adopting a culture of corporate asset management and protection. Training and communicating with staff The best intentions and plans will not result in success without the understanding and collaboration of the extended organization, including partners. The extent of internet threats is such that only through marshalling the collective efforts of the entire organization and extended organization in finding, assessing and determining the steps to take when issues are encountered, can a company truly achieve its goals. This requires involvement of stakeholders in both the development and rollout of plans, as well as ongoing solicitation of their views and communication to them of actions and progress. Measuring progress against objectives The best program implementations benefit by having clearly stated objectives in place. These can be both quantitative (e.g. reduction in the number of identity theft incidents, number of defamatory issues, etc.) or more qualitative in nature. They can also be split between external and internal goals, the latter being of particular importance in larger, less cohesive organizations. Determining a select set of objectives to achieve, and monitoring progress, should be a priority for the Internet Reputation Management Council. Internet Reputation Management Guide 9

10 Monitoring Effective internet reputation management is dependent on the ability to gain visibility into your internet presence. This requires understanding the particular internet ecosystem involved. The diagram below depicts the variety of ways brands are represented online, from its website, through to the presence of associated marks on non-corporate sites, through to how they are being discussed in social media. These are the areas to be monitored for true coverage. And while it tempting to try to monitor online activities using basic tools like Google Alerts, or other online search tools, the time required to use these tools is prohibitive. In addition, ad hoc monitoring programs do not provide comprehensive coverage of various online threat channels that must be monitored to ensure awareness of the widest possible set of potential brand-related incidents. Large enterprises need comprehensive coverage that requires an advanced automated solution in order to be able to adequately search and parse relevant data and do so in a timely fashion. Internet monitoring specialists like BrandProtect, can simplify and make more effective any monitoring effort, usually at a fraction of the cost of any comparable internal effort. Internet Reputation Management Guide 10

11 Analysis Processes need to be put in place to help in determining priorities for addressing the massive volume of information obtained through any monitoring of the internet. And while companies are often tackling internet reputation management in different ways in different parts of the organization, in doing so they are not able to benefit from a more coordinated effort, as many of the issues encountered can have an impact on a variety of stakeholders, as depicted in the diagram below. The Internet Reputation Management Council plays a crucial role in coordinating efforts across the organization; in effect becoming, or at least supporting, the Chief Reputation Officer s role. Crucial to its success is the ability to have access to data that has been sufficiently filtered for accuracy and relevance, as well as having the tools in place to assist with the interpretation and reporting on findings. Access to BrandProtect s secure portal and its features provides for such capabilities. Internet Reputation Management Guide 11

12 Mitigation Processes need to be defined based on the type of threat observed. Broadly speaking, these break down into the three areas associated with threats to customers, to the company s assets and threats to reputation association with community perception. These will require processes to address the following, in particular: 1) Brand Abuse what constitutes a trademark violation, traffic diversion or other unauthorized association; who within the organization needs to be contacted; how to respond to an attack 2) Pre-determined response strategies to attacks on your reputation for your Public Relations, Investor Relations, Marketing and Call Center functions 3) Security & Fraud response to Identity Theft attacks, both from a process and resources standpoint, as well as those from interaction with Investor Relations and/or Public Relations Through the implementation of a formal monitoring system, threats to rights, revenues and reputation can be reported to the appropriate stakeholders in a timely fashion. The key benefit is to alert them to the impact of brand infringements on their respective functional areas. This alert should act as a trigger for an intervention, either at the policy, process, or technology level. Rules of engagement need to be in place and understood in order to then ensure such intervention is conducted effectively. To this end, BrandProtect offers the following services: Incident Response: o Rapid response to deal with all forms of identity theft attacks Cease and Desist capabilities: o Automated system tailored to address specific infractions Social Media Engagement: o Subject matter expertise in-house and via partner Education Support: o For employees and customers Forensic development: o Capturing of necessary data to assist with litigation support Further, key internal stakeholders should meet on a regular basis (monthly recommended) to discuss relevant internet reputation management issues. These internal stakeholders should be prepared to drive internal training and implement internet reputation management policies within the organization. Internet Reputation Management Guide 12