Viewpoint: Risky Business

by Randall Craig. Filed in: Blog, Make It Happen Tipsheet, Social Media, Strategy, Viewpoint

Picture this scenario: An employee is charged with a serious offense, and the company’s name is mentioned repeatedly in the news reports. The reporters found the connection to your organization by scanning through Social Media.

Or this scenario: A subcontractor tweets (or posts pictures) celebrating the conclusion of a major, confidential project. This alerts competitors, customers, and suppliers, resulting in millions of dollars of lost sales.

Or this one: Someone looks at your Facebook (or LinkedIn) profile, peruses your “friends” to determine your mother’s maiden name, then grabs your birth date and other freely available personal details. Then they call your cell phone provider and gain access to your account by “verifying” your identity.

Too often, we (or rather “people”) don’t think about digital risks at all, let alone how to protect against them. As individuals it is caveat surfer, but at an organizational level, the responsibility for protecting corporate assets, including customer information, trade secrets, and ultimately the brand, falls to IT security professionals. They sometimes even have the job of protecting us from ourselves.

Sadly, they are inadequately equipped to do this job, for many reasons:

  1. IT departments are stretched, and often don’t have the resources to stay ahead of every possible new security threat.
  2. More technology comes through the door each day via smartphones, and these devices are completely beyond the control of the IT department.
  3. Many managers assume that 100% of the responsibility for information security sits with IT staff, particularly in the area of employee productivity. (Technology can help, but productivity is a management issue; risk reduction is really everyone’s responsibility.)
  4. Innovation in Social Media is happening so quickly that many (both marketers and IT) have outdated assumptions about what appropriate Social Media usage looks like. Poor assumptions cause poor decision-making.
  5. Many organizations still don’t even have a comprehensive Social Media risk policy. With no standards, everyone makes their own rules about what is right and what is wrong. It is impossible to police, let alone protect.
  6. Rarely are staff trained in how to use digital tools, and particularly how to use them responsibly so that both the organization and they themselves are protected.

Clearly, for an organization to manage digital risk effectively, it needs to delegate information security responsibility well beyond the IT group. Yet this is a challenge when many managers cannot identify more than a small handful of potential problem areas. (Test yourself: without reading onward, how many can you name?)

Here is a basic Social Media risk list; note that some are marketing risks, some are HR risks, some are technology risks, and so on:

  • Identity theft
  • Mistaken identity
  • Brand hijacking
  • Bandwidth contention / denial of service attacks
  • Social Media venue consolidation / data loss
  • Privacy / confidentiality breaches
  • Phishing and other online scams
  • Legal and regulatory breaches
  • Intellectual Property theft
  • Productivity loss
  • Human rights violations
  • Libel / slander
  • Contest fraud
  • Trojans and malicious code
  • Unwanted publicity
  • Inappropriate recruiting practices
  • Social engineering

With such a broad range, how might one embed a digital security mindset within an organization?

Consider the following five-step process:

  1. Executive Briefing: Senior management must be educated on digital strategy, but within an embedded risk management context. It is no longer acceptable to propose a strategy without acknowledging, and protecting against, the risks. Senior managers ask great questions; an executive briefing gives them the data points to do so.
  2. Digital Risk Policy: Develop a policy to reduce digital risk, and particularly Social Media risk. Going through the discussions and knowledge transfer that occur as the policy is being formulated is far more powerful than merely adopting a generic off-the-shelf policy.
  3. Digital Strategy: Usually done concurrently with the risk policy work, the strategy binds the organization’s goals to specific activities at an individual or departmental level.
  4. Communication and Training: This is the mechanism that connects the policy to the people. It’s not possible to manage (or measure) without first letting people know what’s expected of them, or how to actually use the tools.
  5. Monitoring: Monitoring fulfills the dual objectives of evaluating the effectiveness of the strategy while at the same time surfacing risks.

Where are you in this process as an organization? This week, assess where you are and commit to doing one thing to reduce your organization’s digital risk level. And while you’re at it, check your own Social Media profiles and remove any information that might be used by a fraudster to impersonate you.


Content Authenticity Statement: 100% original content: no AI was used in creating this content.
