With the growing entwinement of social media with our lives and our businesses, in 2012 we saw a number of social media crises hit, and there were many more that never hit the front page on CNN. Social media and other digital engagement and interaction channels will only continue to become more entrenched in how we go about our days, our work, and our lives. Based upon the evolution of the risks and the attacks, 2012 saw the emergence of digital risk as a new and growing area of risk for firms and companies in 2013.
Threats will become more sophisticated. In 2012, the types of threats we saw manifest in social ranged widely from the simplest of employee mistakes such as the tweeting error at KitchenAid to significant directed attacks by complex adversaries like Greenpeace’s digital hoax pulled on Shell. In 2013 we will still see the simple errors, but I expect that the sophisticated attacks will become even more intense and more sophisticated as opponents ranging from national-government-sponsored attackers to hacktivists use social as an attack and disruption vector.
Social engineering and spear-phishing will be the biggest risks. The simplest way to compromise any system or process is through a person – you are a door to your system. It is much easier to get someone to click on a link in an official-looking email than to try to hack a system. Yet very few companies train their employees on how to defend themselves against social engineering and targeted spear-phishing attacks. We have already seen detailed digital target analysis done against specific high-value or key employees. Given the amount of information that is being produced in social media about us, very specific targeted attacks will increase substantially this year.
Mobility will become a larger threat vector. Though not the largest yet, the fastest growing threat to the enterprise is when employees bring their own device (BYOD) to work. This means that every employee who walks through the doors has the ability to take pictures, record videos, record meetings, tweet, post on Facebook, and other activities all without touching your network and outside of your control. Most employees aren’t out to get your company, but it only takes one innocent mistake or employee with a grudge to do significant damage to your company. Because of that, expect that more companies and newer technologies will be coming that focus on this vector.
Most companies continue to be unprepared. Most companies are simply not prepared for the underlying risks of social media whether they are listening or not – they haven’t done a risk assessment, they don’t have a triage map in place, and they don’t have a crisis management plan that addresses social media. A few weeks ago I was speaking with a firm and their CMO told me that he didn’t see any major risks in social media. I walked him through the Bank of America Debit Card fee crisis and the actual business impacts of that crisis, and then gave him three examples of how it could happen to his company. This example was enough that his New Year’s resolution was to get a social media risk management program in place.
But more and more will be investing in social media risk management. Even though there are a lot of holdouts like the CMO above, more and more companies are coming around to the fact that social media is not risk free and are asking for help. But they don’t know what to ask for, and most agencies and consultancies do not have the expertise or experience to effectively counsel companies. It takes more than just a background in communications or PR and hanging out on different social media sites to become a digital risk expert. Crisis management is not risk management. So expect a lot of mistakes and bad advice to still be circulating in 2013.
Platforms will continue to be of limited help. When it comes to managing the risks of social media, with platforms like Twitter, Facebook, and YouTube it is user beware. Yes, these and other platforms do provide a very low level of security, but they leave it to the user to determine how they use the platform, who they connect with, what links they click on, and what information is shared across the platform. Platforms don’t want this responsibility and I don’t expect this to change in the near future.
New technologies will be stepping in to help shift the tide. There are new technologies coming out that will help companies better understand the risks of social media and defend against them. But these technologies are still nascent, similar to what the email scanning applications were 15 to 20 years ago, and a solid wall of defense is still a ways off. Until these technologies mature some more, the best defense is still employee training.
2013 is upon us with all of the rewards and risks that it will bring. Make sure you and your company are aware of the digital risks that you face and then put a plan in place to make sure you are addressing them.