The Risks of Social Media: Developing a Social Media Crisis Response Plan

By now, we have seen it so many times: a company faces a crisis that was created entirely through social media. There are certainly many activist campaigns launched through Facebook, Twitter and blogs that bring negative attention to companies. But what really makes the most headlines is when companies bring a fiasco upon themselves. We’ve discussed this previously, calling it “self-inflicted reputational damage,” and it consists of a company either conjuring a crisis out of thin air or making a bad situation worse.

Take Kenneth Cole. Back in the early days of the Arab Spring, the company’s founder tweeted something insensitive that made light of the violent revolution that was taking place. “Millions are in uproar in #Cairo. Rumor is they heard our new spring collection is now available online,” tweeted Mr. Cole. The response was outrage from people worldwide on social media platforms and even the mainstream press detailing how the company had goofed.

Now, the reputational fallout from this wasn’t as financially damaging as, say, the PR nightmare following Toyota’s poor handling of its massive recall in 2010. But plenty of others have felt the increasingly influential power of social media. Social Media Influence highlights the recent bad press Carnival Cruises and McDonald’s have received.

Fortunately, they also have some advice for companies who suffer such a fate. Enter the social media crisis response plan. They have created the flow chart below to help guide your decision making after the worst occurs. Click here for a larger version then print it out, laminate it and put it on your wall.

The Deadliest Car Bombs

On the 10-year anniversary of September 11, we took a look at some of the deadliest terrorist attacks in history. Those attacks that have been most spectacular in nature — such as the unique means used in 9/11 and the U.S.S. Cole bombing and the horror of rampages such as those in Mumbai and Norway — have been the most memorable in recent times. But a majority of the deaths that have ever been attributed to terrorism have come from old-fashioned car bombs.

To illustrate just how deadly some of the worst car bombs have been, created an infographic that catalogs the devastation. Above is a snapshot of the image. You can find the full version after the jump.

The Anatomy of Data Risk Management

As we posted yesterday, Saturday, January 28, is Data Privacy Day. Keeping with that theme, we think it’s important to focus on data risk management. Brian McGinley, senior vice president of data risk management at Identity Theft 911, offers this well-written piece on the timely topic.

Think of data as a living organism.

Just like a human body, data has various components and life support systems that must be maintained to ensure the whole thrives and survives. You can think of a data risk specialist as a doctor trying to keep the organism healthy through its various life stages.

Data, our hypothetical patient, (you’re welcome Star Trek fans) needs a safe and healthy environment, a supportive lifestyle and good hygiene. Just as a doctor has to consider external threats (“do you smoke?”) so does the data risk manager.

Let’s look at what this all means, and how this philosophy can be applied to your business’s policies and practices.

Data, our hypothetical patient, has three basic forms: paper, electronic and human memory. A good data risk management plan must consider all three.

Controlling paper and electronic data is what we think of most when considering data security. This is your standard (or what should be standard) security policy, access control procedures, system audits, and the like. It’s where security planning meets IT.

Human memory is a little more elusive. Education, security training and a reward-demotion plan can help control human errors, as can confidentiality agreements, and project-specific security contracts. These are the tools of teachers and lawyers. Generally speaking, there are four key rules to protecting data in all its forms:

  1. Be stingy with sensitive data, internally and externally;
  2. Provide access to data on a need-to-know basis;
  3. Provide access only to that specific data, rather than entire data sets;
  4. Be deliberate in how data is handled, used and shared.

Data has a life cycle. If your data doesn’t, it should. Whether it’s government secrets or an online shopper’s credit card number, data is received or created within your company’s computer systems. It is used, maintained and stored. It is archived or destroyed. That data, in all cases, has three basic states: in action, in motion or at rest. Take the credit card number example: that information can be used, the card charged, or moved to another computer system, or archived. Use, motion, rest.

There are four fundamental rules regarding the life cycle of data:

  1. If the organization doesn’t need it, don’t collect it.
  2. If data must be collected, collect only what is needed.
  3. If data is needed, control it and encrypt it.
  4. When data is no longer needed, get rid of it – SECURELY.

Now that we know what data looks like (paper, electronic, mnemonic) and how it lives (in action, in motion, at rest) we should consider those external threats, namely data breaches. A data breach is an incident (or series thereof) in which sensitive, protected or confidential information has potentially been viewed, stolen or used with unauthorized access. This can be a hacker attack, an internal company mistake that results in exposed information or, in some cases, corporate or government espionage. A data breach can be anything that jeopardizes data.

These threats range from simple user negligence, operating or systemic issues, all the way to highly complex criminal attacks launched against your organization. As anyone who follows the tech news knows, sensitive consumer and business information has become a criminal commodity.

With this hostile environment in mind, it is imperative for the business to plan and prepare not only for the protection of their information, but also for the response and recovery of their data and business in the event of a data breach. For a data manager or security professional to fail to issue such a warning would be akin to that doctor not asking about smoking.

At the end of the day, data as an organism is more than an extended metaphor. It’s a means to look at your company’s data products in an abstract way and understand how they operate. This, in turn, will allow you to develop the proper health plan. Just like with our health, there is no single wonder pill. But there are data doctors out there who can analyze your business’s risk posture and recommend ways to get it in shape.


The Emerging Risks of 2012

In our February issue of Risk Management magazine, we highlighted seven of the key risks that companies will face in the coming year. These, we claim, are the risks that “if they don’t keep you up at night, might bring down your company.” We have no delusions that this list is comprehensive or that all its elements are even applicable to everyone. But it provides a good overview of some major trends that all risk managers should at least think about. (Subscribers should receive their print issue any day now; the rest of you can catch it online February 1.)

Of course, we weren’t the only ones to come up with a list of 2012’s top risks. Among others, one organization that did was insurance broker Willis. Its subject experts did write-ups on 18 different areas of risk. There are links to each in their “WillisWire Emerging Risks Round-up.”