Social media and its associated risks
Sponsored by Grant Thornton LLP
Contents
Executive summary
Research methodology
Interviewee profiles
The corporate value of social media
Social media risks
Social media policies
Conclusion
Appendix I: Respondent demographics
Appendix II: Sample social media policy
About the authors
Authors
Thomas Thompson Jr.
Senior Associate, Research
Financial Executives Research Foundation
Jan Hertzberg, CISA, CISSP, PCI QSA
Managing Director, Business Advisory Services – IT
Grant Thornton LLP
Mark Sullivan, CFE, CFI, CPP
Principal and Practice Leader, Forensic and Litigation Services
Grant Thornton LLP
Executive summary
How many tweets have you sent in the last month and how
many friends or likes do you have? These are questions you
would not expect most senior financial executives to concern
themselves with. However, with the increasing prevalence
of social media in business and the rapid, fluid nature of
these “sexy” new technologies, perhaps executives should be
concerned. In an article titled “Users of the World, Unite!
The challenges and opportunities of social media,”1 Andreas
Kaplan and Michael Haenlein define social media as “a group
of Internet-based applications that build on the ideological and
technological information of Web 2.0 . . . and . . . allow the
creation and exchange of user-generated content.”
For many companies, social media is the proverbial double-edged sword. It offers both opportunities and risks. Social media
cuts across many areas of a company (including HR, marketing,
communications and legal, among others); therefore any
policy surrounding it should be the result of a multidisciplinary
approach. Financial Executives Research Foundation, Inc.
(FERF), working in partnership with Grant Thornton LLP,
developed a 23-question online survey and conducted in-depth
interviews to produce this report, Social media and its associated
risks. The survey was conducted during August and September
2011 and was completed by 141 executives from public and
private companies. The interviews involved eight open-ended
questions and were conducted during September 2011. This
report is based on the findings of both the online survey and the
in-depth interviews.
Some of the key survey findings include the following:
• Almost half (48%) of the senior financial executives who
responded to the survey feel that social media will be an
important component of corporate marketing efforts
going forward.
• More than half (53%) of respondents see corporate use of
social media increasing significantly over the next 12 months.
• More than three-quarters (76%) of respondent companies
do not have a clearly defined social media policy.
• More than half (61%) of respondents indicated their
organizations do not have an incident management
plan to help them deal with instances of fraud and/or
privacy breaches.
Key interview findings include:
• The speed with which social media has grown in the last
five years caught many executives by surprise.
• Executives are allocating more funds to IT security overall,
though not necessarily to address specific risks associated
with social media.
• While many companies do have e-mail communication and
technology usage policies, very few companies have policies
that specifically address social media governance and risks.
1 Kaplan, Andreas M., and Haenlein, Michael. “Users of the world, unite! The challenges and opportunities of social media,” Business Horizons, pp. 59–68, Volume 53, Issue 1, 2010.
Research methodology
The Social media and its associated risks report is based on a
23-question online survey. In-depth follow-up interviews were
conducted with senior financial executives from both public
and private companies, and others. The online survey was
conducted during August and September 2011 and questioned
participants about the following areas:
• opinions regarding social media
• use of social media
• concerns about the risks surrounding social media
• social media policies
• concerns about identity theft and data security
The survey generated a total of 141 complete responses
from a variety of senior executives, the majority of whom
came from small to midsized companies, although nearly
all revenue ranges were represented. Almost all of the
respondent companies were located in the United States (the
remainder were headquartered in Europe). Excluding the
“other” category (which included responses from companies
in the aerospace/defense, business services, construction,
consulting, consumer marketing and products,
and private equity industries, among others), financial services
(15%), manufacturing (14%), and professional, scientific, or
technical services (10%) were the best-represented industries.
A total of 12 in-depth interviews were conducted during
September 2011 and consisted of eight open-ended questions.
The interviews were meant as a follow-up to the survey to
uncover deeper insights into the corporate use of social media.
Interviewees came from a variety of industries, including
manufacturing, wholesale/retail, advertising, health care/life
sciences, academia and financial services. Further, one of the
interviewees was an attorney and certified information privacy
professional and another was an independent, international
marketing consultant. All interviewees were given the
opportunity to review the notes from their interviews and
could opt to be quoted directly or remain anonymous. To
minimize bias, the interviews were randomly arranged.
The research is not intended to cover a statistically
significant sample of the corporate population. However, the
qualitative findings from both the survey and the interviews
provide a valuable look at current social media opinions and
trends. These findings offer indispensable insights into both
the benefits and the risks associated with the rapidly growing
use of social media.
To review the graphs related to the survey demographics,
please refer to Appendix I.
Interviewee profiles
The in-depth, follow-up interviews provided a much better
feel for where companies currently are in their adoption of
social media as a legitimate business tool. They also provided
real-world examples of how executives can benefit from the
use of social media and how they should plan to mitigate the
risks associated with these new technologies. The following
individuals were interviewed:
Mark Ferguson, CFO, Bench Tree Group LLC
Mark Ferguson has more than 20 years of finance and
accounting experience. He worked at companies such as Texas
Instruments, Honeywell and various venture capital-backed
startups before becoming the CFO at Bench Tree Group, a
manufacturer of equipment for the oil and gas drilling industry.
Melissa Krasnow, corporate partner and certified
information privacy professional, Dorsey & Whitney LLP
Melissa Krasnow is a partner in the corporate group in the
Minneapolis office of Dorsey & Whitney LLP. Krasnow is
a corporate, governance, compliance and M&A partner with
a privacy and social media practice. She is also a certified
information privacy professional and serves on the publications
advisory board of the International Association of Privacy
Professionals. She is a frequent speaker on privacy and social
media, often quoted in national media.
Morris McInnes, professor and associate dean for academic
affairs, Suffolk University’s Sawyer Business School
Dr. Morris McInnes is a professor of accounting and the
associate dean for academic affairs at Suffolk University’s
Sawyer Business School, where he has taught for the past 25
years. In addition, Dr. McInnes has taught at the MIT Sloan
School of Management, the University of Maastricht in the
Netherlands, the Harvard Business School, the Manchester
Business School in the UK and has been a lecturer for the
Greater Boston Executive Program. His expertise is in corporate
financial strategy and control.
Mark Scovera, president, Access Florida Finance Corporation
Mark Scovera is the president of Access Florida Finance
Corporation. In addition, he serves on the board of the Florida
Asset Building Coalition. Previously, he was the senior vice
president/CFO of the Florida Black Business Investment Board,
Inc., a public-private partner with the state. Scovera has 20 years
of experience in accounting and finance. He began his career at
Arthur Andersen LLP in the audit division and has served as the
controller and CFO for various companies in the Detroit area.
He is licensed as a CPA and is a member of the AICPA.
In addition to the aforementioned interviewees, eight
other executives from the retail, advertising, life sciences,
manufacturing, recycling, financial services and consulting
industries were interviewed. For privacy reasons these
individuals did not wish to be quoted directly and requested to
remain anonymous. Their roles included CFO, COO, CRO,
EVP, VP of finance, controller and consultant.
The corporate value of social media
Tweeting, blogging and friending are common terms used in
the world of social media, and they are becoming a part of
business vocabulary as well. Still, these terms are barely the tip
of the social media iceberg. Companies like Facebook, Twitter,
LinkedIn and YouTube are helping to rewrite the rules for
how companies are doing business in the 21st century. Social
media is changing our working lives, giving employees — and
employers — more flexibility and the ability to respond more
quickly and, in some instances, in real time. But is all this social
media technology good for business? Many companies are
just now starting to take a serious look at the benefits of social
media in business, and they are looking even more closely at
the risks involved, such as fraud, theft, defamation, cyberbullying and invasion of privacy among others.
Almost half (48%) of the senior financial executives
who responded to the survey feel social media will be an
important component of corporate marketing efforts going
forward and only a small percentage (5%) think social media
was a complete waste of time or had little to no value in the
corporate world. The chart at the right illustrates the opinions
of executives regarding the corporate value of social media.
While many senior financial executives see at least some
value in social media, they were also asked for their opinion
on how corporate usage of social media would develop over
the next 12 months. The chart at right reveals that 87% expect
corporate use of social media to slightly or significantly
increase next year.
Corporate value of social media
Will be critical for all corporate marketing efforts going forward 20%
Will be an important component of corporate marketing efforts going forward 48%
May have some value but will most likely only have a peripheral value to corporate marketing efforts 28%
Fine for personal use, but little to no value in the corporate world 4%
Complete waste of time 1%
Responses do not total 100% due to rounding.
How will corporate use of social media develop over the next 12 months?
Increase significantly 53%
Increase slightly 34%
Remain fairly constant 11%
Decrease slightly 2%
Across the board, senior financial executives think the
speed with which social media has grown over the last five
years has caught many of them by surprise. An anonymous
international marketing consultant wasn’t surprised by the
lag because, “social media hasn’t been the No. 1 priority for
companies and it emerged at a time of great economic turmoil.”
The CFO of a life sciences company pointed out, “For
most of us the explosion in growth outpaced our ability to
comprehend the new technology and adjust our strategies.”
Mark Scovera, president of Access Florida Finance
Corporation, echoed that sentiment: “It’s still a relatively new
phenomenon especially for business. Business needs to figure
out what [social media] can be and what we want to do with it.”
Dr. Morris McInnes, professor and associate dean of
academic affairs at Suffolk University’s Sawyer Business
School, expanded on the theme, saying, “It’s still so new that
people who make policy don’t fully understand social media.
There are generational issues.”
A controller from a wholesale company commented,
“I think the idea of social media is growing but there was
resistance at first because it was the ‘new thing.’ Some people
questioned whether it was a fad.”
For the interviewees, corporate use of social media ran the
full gamut. Mark Ferguson, CFO of Bench Tree Group LLC,
said, “Some of us do use LinkedIn but the company is not
specifically pushing social media.”
A vice president of finance at a manufacturer said, “I use it
professionally; I’m on LinkedIn. Our company uses social media
in two areas: HR and customer service/product support.”
A CFO and COO from a manufacturing company
commented, “We are not using social media at this time,
although it is under consideration.”
A vice president of finance for a recycling company said,
“We are not using it at the moment, although we are looking to
use social media [to] manage information and get the message
[out] about our quality of service. We’d also like to monitor
our corporate image.”
Meanwhile, some companies have already launched their
social media efforts. The CFO of an advertising agency declared,
“We use it as part of our industry. It’s part of our DNA.”
McInnes commented on social media as part of the
communication process. “We are using it to get our values
out there — the education we stand for and the idea of
transparency. Social media gives us another avenue of
communication.”
And Scovera said, “We use Facebook, Twitter and
YouTube. We use Facebook for detailed article analysis,
Twitter for quick ‘what’s happening’ alerts and updates, and
YouTube for video commercials.”
Social media risks
The majority of senior financial executives surveyed believe
there are potential risks involved in the use of social media;
however, many respondents think that the risks can be
mitigated or are outweighed by the benefits. The chart at right
illustrates the varying levels of concern.
There are a number of risks to be considered when using
social media. However, respondents were asked to prioritize
only five of them: negative comments about the company, out-of-date information, disclosure of proprietary information,
exposure of personally identifiable information (PII), and fraud.
The chart at right depicts their risk priorities, with
1 representing the most important risk and 5 the least important.
While most executives have acknowledged the risks
associated with data security and social media, many have yet
to translate that acknowledgement into spending on security
protections related to social media. This observation has been
made in several previous documents, including the FERF
report CFO Quarterly Outlook Report: August 2011. The
report was created in the wake of several high-profile security
breaches at major multinational companies. It noted that 61%
of U.S. CFOs allocated more funds to data security, or at least
are considering doing so. An executive vice president and chief
risk officer at a financial services company pointed out, “We
have not allocated anything more for the specifically defined
purpose of social media security.”
How concerned is the company about potential risks of social media?
We are very concerned 11%
We are concerned but believe risks can be mitigated or avoided 38%
We are aware of the risks but believe benefits far outweigh them 25%
We don’t believe there are appreciable risks 22%
Other 4%
What is the most important social media risk?
[Chart: share of respondents ranking each risk 1st through 5th. Risks shown: Disclosure of proprietary information; Negative comments about the company; Exposure of Personally Identifiable Information (PII); Fraud; Out-of-date information]
Responses may not total 100% due to rounding.
The CFO of a life sciences company commented, “We have
allocated more funds but that has not been driven by social
media. It was driven more . . . by the proliferation of hacking
and third-party data breaches. Intellectual property (IP) is one
of the most important assets we have. We’re looking at buying
a separate insurance policy for ‘cyber’ risks.”
Regarding cyber insurance, Melissa Krasnow, corporate
partner and certified information privacy professional at
Dorsey & Whitney LLP, said, “In considering cyber insurance,
a company should comprehensively review the insurance
coverage, company policies and information security practices
that the company has and consider the risks and regulations
it faces as well as understand the different types of cyber
insurance available to make sure that cyber insurance would
cover the exposures sought.”
Krasnow also observed, “Breaches and incidents are
[occurring] frequently and people are receiving breach or
incident notifications. The media is covering these, and [they]
are being made public through the Internet. Breaches are
occurring through social media and the Internet is publicizing
. . . social media incidents. Breaches and data security … are
[also] the subject of existing regulation, enforcement actions,
litigation and legislative proposals. In addition, cyber attacks
are happening frequently. As a result, there is more awareness
of the need for data security. Policies, practices and technology
can be used to help prevent or lessen the impact of breaches
and incidents.”
As the use of social media continues to grow, so too
does the risk of fraud involving social media. Most of our
survey respondents had not directly experienced social media
fraud. However, for those that had, it can be a costly and
time-consuming process to undo the damage. The following
three charts illustrate the percentages of respondents that had
experienced social media fraud, the nature of the fraud and the
estimated costs (including legal and investigative fees, and public
relations costs, among others).
Of the 43% who experienced a fraud other than identity theft
or a scam, only one respondent specified the nature of the fraud
— an HR issue.
Has company experienced fraud involving social media?
No 79%
Don’t know 18%
Yes 3%
Nature of fraud
Identity theft 29%
Scam 29%
Other 43%
Estimated cost of fraud
Under $50,000 75%
$50,000–$100,000 25%
Responses do not total 100% due to rounding.
None of the companies interviewed had experienced an
incident of fraud involving social media. Here again, Krasnow’s
experience provided great food for thought. “Social media
exposures are new and varied. One risk in social media
exposures is that there is a loss of control — one person’s or
company’s information is transmitted to a social media website
of another (i.e., third-party) company. The confidentiality
or privacy of that information could be breached, even
unintentionally, by submitting it to or posting it on a third-party social media website.”
She continued, “While no company can [foresee] every risk,
they need to anticipate and address significant known risks.
For example, how do you go about shutting down an impostor
account at a third-party social media website? This is something
companies need to plan for and be prepared to do should the
need arise. Time will be of the essence once an impostor account
is disseminating false information. Be ready, and be prepared.”
Many interviewees said they had not directly experienced
any confirmed data breaches, though a few have had to deal
with hacking attempts. Scovera observed, “We did have an email
hacking incident back in the spring. While no PII was lost, it did
lead to some pharmaceutical advertisement e-blasts being sent.”
A CFO from a life sciences company stated, “We’ve not
had any breaches that we are aware of. I did hear that a major
university hospital just had 20,000 names and [other] information
posted to a website through a third-party vendor. Every time
I hear things like this I shudder and go to speak with our vice
president of IT to make sure we are covered.”
A timely response to any fraud or breach is essential, but
prevention and early detection are perhaps even more critical. The
survey asked executives whether their companies regularly review
social media content to isolate potentially fraudulent activities and
who is responsible for identifying these activities. The pie charts
below illustrate their responses to these two questions.
As social media continues to grow, so too will the need for
adequate anti-fraud training. It is critical for management and
employees to learn how to use social media appropriately, how
to identify and respond to fraudulent activities, and how to
address the legal issues surrounding social media. The chart below
demonstrates that many companies have yet to provide anti-fraud
training that is pertinent to social media.
Does the company regularly review social media content?
Don’t know 44%
No 29%
Yes 27%
Does the company train employees to identify and report fraudulent activity?
No 58%
Yes 21%
Don’t know 21%
Who is responsible for identifying and addressing fraud?
IT 24%
Office of general counsel 24%
Corporate security 7%
Human resources 7%
Other 37%
Responses do not total 100% due to rounding.
The vice president and chief risk officer of a financial
services company noted, “We have employee training around
security and recently did a company-wide phishing test.
Unfortunately, the results were not stellar. More of the upper
management failed the test compared to lower level employees.”
The executive added, “I’ve asked that social media be put
on the agenda for our next risk committee meeting. I want to
bring social media and its risks to management’s attention.”
Having a plan in place for dealing with instances of fraud
and/or privacy breaches related to social media is crucial
should the company ever find itself a victim of either. Sadly,
more than half (61%) of respondent companies do not have
such a plan. For those that do, we asked who within the
company is responsible for managing the fraud or breach
event. The charts below show their responses.
Does the company have a fraud management plan?
No 61%
Yes 22%
I don’t know/Unsure 18%
Responses do not total 100% due to rounding.
What department is responsible for managing fraud/privacy breaches?
Office of general counsel 24%
Corporate security 19%
Human resources 14%
IT 14%
Other 30%
Responses do not total 100% due to rounding.
So how confident are senior executives that sensitive,
confidential information is adequately protected in their social
media platform? The verdict seems to be split: Based on the
survey results, 51% of respondents are confident or extremely
confident, while 49% are either unsure or not confident. The
chart below depicts these findings.
With many risks to be considered, several of the interviewees
expressed some concern that the use of social media on the
job may negatively impact productivity. As in the early days
of the adoption of the Internet, many companies wrestle with
the tradeoff between the added benefit of social media and the
potential for lost productivity due to abuse by employees.
How confident are you that sensitive or confidential information is adequately protected on social media platforms?
Extremely confident 9%
Confident 41%
Not confident 23%
Don’t know 26%
Responses do not total 100% due to rounding.
The controller of a wholesale company noted, “The main
[concern] is internal productivity. We are looking to flesh this
out now in our strategy moving forward. We operate very lean
so it is important for everyone on our team to be clicking on
all cylinders.”
“We do worry from a productivity point of view; similar to
[the] Internet and email, there is always concern about abuse,”
said the vice president of finance for a manufacturer.
Ferguson agrees that social media can be a drain on
productivity: “The expectation is that people will only use
social media at work if it’s business-related. As a general rule,
I’ve found that if people are using Facebook at work they are
goofing off; if they are using LinkedIn it’s more work-related.”
Social media policies
So how should employers approach social media and social
networking tools in the workplace? A good place to start
is with a social media policy. However, as was discovered
through the survey and follow-up interviews, many companies
simply do not have a social media policy in place, even
though the use of social media has grown considerably over
the last few years. The survey asked executives whether
they had clearly defined policies regarding social media at
their companies. The chart below shows that only 23% of
companies had social media policies.
Does your company have a social media policy?
No, and no plan to develop one 41%
No, but one is being developed 35%
Yes 23%
Responses do not total 100% due to rounding.
While many companies do have policies regarding e-mail
communication and technology use, very few companies have
policies that specifically address social media governance and
risks. Krasnow pointed out, “Many companies’ e-mail or
electronic communications policies do not specifically cover
social media.”
She went on to say, “Increasingly, companies are adopting
or at least considering social media policies. A company
might not need a social media policy where another policy
covers aspects of social media and that policy could be
amended and updated instead of preparing a stand-alone
social media policy. For example, many companies have an
electronic communications policy to address appropriate uses
of the company’s computer system and to reduce employee
expectations of privacy and a company’s risk. Often, an
electronic communications policy is amended to address the
use of social media. Regardless of which approach is taken, a
policy covering social media should be drafted to be consistent
and integrated with other company policies (e.g., electronic
communications policy, employee handbook, insider trading
policy and disclosure policy) . . . . If there is any inconsistency
between the policy covering social media and another company
policy, the one that will govern should be noted.”
Given the rapid growth of social media, we inquired why
so many companies do not have social media policies. Two key
points were repeated by nearly all interviewees: the innovation
and speed of social media growth, and a generational gap. For
those companies surveyed that do have a social media policy,
we asked who monitors compliance. The chart below shows
the responses.
Responsibility for monitoring compliance against
policy within the organization appears generally diffuse and
distributed. Forty-two percent of the respondents stated that
their organizations had not identified anyone for this role.
Seventeen percent identified “other,” and only 8% stated that
the compliance department was responsible. There has not yet
emerged a coherent governance strategy in most organizations
around social media compliance and risk management.
Without a specific individual or group taking responsibility
for risk management, it is unclear how effective compliance
monitoring efforts can be.
So which department has overall responsibility for driving
social media strategy and implementation in the organization?
More than one-half (54%) of survey respondents cited the
marketing/public relations department, as shown in the
chart below.
Many organizations are unclear on how they should
measure the effectiveness of their social media strategy and
efforts. The controller with a wholesale company said, “We
are still in the infancy stage at this point with . . . social media
usage in our business. We monitor Facebook joins and likes.
We also run promos through our Facebook page. I think
there needs to be a cross-pollination of our e-mail files with
our Facebook and Twitter followers in order to gauge the
productivity of [our relationship with] those followers.”
Scovera mentioned, “The most important measure for us
now is friends and followers. We want to start engaging them
in a two-way conversation although we don’t really have any
metrics for this yet.”
Another respondent noted that, “friends and followers were
a crude measure.” He went on to say that the key performance
indicators depend on what industry the company is in and how
the company plans to use social media. “I know of companies
that use LinkedIn to qualify candidates and Facebook to
disqualify candidates.”
Who monitors compliance with social media policy?
No one 42%
Marketing/Public relations 21%
Compliance department 8%
IT 7%
Chief risk officer 3%
Business development/Sales 1%
Other 17%
Responses do not total 100% due to rounding.
Responsibility for social media
Marketing/Public relations 54%
Company does not use social media 19%
No specific group takes the lead 11%
Business development/Sales 7%
Other 9%
Conclusion
In addition to the key survey and interview findings that were
presented above, noticeable themes emerged from the research.
First, social media is a growing market and will continue to
grow for the foreseeable future. While some companies have
already established a strong social media presence, the reality
of social media is that the next Facebook or Twitter is likely
in the development stage right now, and further change in this
space is inevitable.
Second, research showed that governance regarding
social media remains very fragmented. Each company has its
own opinions about social media and its potential uses, risk
management strategies, etc. As social media use continues to
grow in the business world, we may see a more uniform and
standard approach.
Finally, the awareness of the risks around social media
is fairly low. Many executives do acknowledge there is risk
involved in social media; yet this risk has not been well-defined
for them. Governance structures to monitor compliance and
manage risk are still very nascent. As the risks associated
with social media begin to receive more public attention,
organizations may respond more forcefully to perceived risks.
Appendix I:
Respondent demographics
The 23-question online survey generated a total of 141 complete
responses from a variety of senior financial executives, the
majority (46%) of whom were CFOs. Ninety-seven percent
of respondents’ companies were headquartered in the United
States (those not located in the United States were headquartered
in Europe). Below are the graphs depicting the respondents’
current title and company headquarters location.
While the majority (86%) of responses came from companies
with less than $1 billion in annual revenue, nearly all revenue
ranges were represented in the survey responses. Additionally,
the majority of respondents were from private companies.
Company annual revenue and company type are shown in the
charts below.
Title
Chief financial officer 46%
Vice president of finance 12%
Corporate controller 11%
Business owner, principal or partner 7%
Director 6%
Management consultant 3%
Managing director 2%
Other 14%
Responses do not total 100% due to rounding.
Annual revenue
Less than $25M 27%
$25M–$99M 30%
$100M–$499M 20%
$500M–$999M 9%
$1B–$4B 6%
$5B–$9B 4%
$10B–$24B 2%
More than $25B 2%
Company headquarters
United States 97%
Other 3%
Company type
Private 67%
Public 22%
Not-for-profit 10%
Government 1%
Excluding the “other” category (which included responses
from companies in the aerospace/defense, business services,
construction, consulting, consumer marketing and products,
and private equity industries), financial services
(15%), manufacturing (14%), and professional, scientific,
or technical services (10%) were the most represented
industries. The chart below shows all the industries represented
in the survey responses.
Industry
Financial services 15%
Manufacturing 14%
Professional, scientific or technical 10%
Insurance 6%
Health care 5%
Wholesale distribution 5%
Higher education 4%
Retail 4%
Telecommunications 4%
Energy 3%
Software 3%
Transportation 3%
Life sciences 2%
Agriculture, mining and construction 1%
Government 1%
IT services 1%
Media 1%
Utilities 1%
Other 17%
Appendix II: Sample social media policy²
Be smart. Be respectful. Be human.
Guidelines for functioning in an electronic world are the same
as the values, ethics and confidentiality policies employees are
expected to live every day, whether you’re Twittering, talking
with customers or chatting over the neighbor’s fence.
Just in case you are forgetful or ignore the guidelines
below, here’s what could happen. You could:
• be fired (and it’s embarrassing to lose your job for
something that’s so easily avoided);
• get the company in legal trouble with customers or
investors; or
• cost the company the ability to get and keep customers.
What you should do
Disclose your affiliation: If you talk about work-related matters that are within
your area of job responsibility, you must disclose your affiliation with the company.
State that it’s YOUR opinion when commenting on the business. Unless
authorized to speak on behalf of the company, you must state that the views
expressed are your own. Hourly employees should not speak on behalf of the
company when they are off the clock.
Protect yourself: Be careful about what personal information you share online.
Act responsibly and ethically: When participating in online communities, do
not misrepresent yourself. If you are not a vice president, don’t say you are.
Honor our differences: Live the values. The company will not tolerate
discrimination (including age, sex, race, color, creed, religion, ethnicity, sexual
orientation, gender identity, national origin, citizenship, disability, or marital status
or any other legally recognized protected basis under federal, state, or local
laws, regulations or ordinances).
Offers and contests: Follow the normal legal review process. If you are in the
store, offers must be approved through the retail marketing toolkit.

What you should never disclose
The numbers: Non-public financial or operational information. This includes
strategies, forecasts and most anything with a dollar figure attached to it. If it’s
not already public information, it’s not your job to make it so.
Promotions: Internal communication regarding drive times, promotional
activities or inventory allocations, including: advance ads, drive time playbooks,
holiday strategies and Retail Insider editions.
Personal information: Never share personal information regarding other employees
or customers. See the Customer Information Policies for more information.
Legal information: Anything to do with a legal issue, legal case or attorneys.
Anything that belongs to someone else: Let them post their own stuff;
you stick to posting your own creations. This includes illegal music sharing,
copyrighted publications, and all logos or other images that are trademarked by
the company.
Confidential information: Do not publish, post or release information that is
considered confidential or top secret.

Basically, if you find yourself wondering if you can talk about something you
learned at work — don’t. Follow the company’s policies and live the company’s
values and philosophies. They’re there for a reason.
Remember: Protect the brand, protect yourself.
² This social media policy has been adapted, with permission, from Best Buy Co., Inc.
About the authors
Thomas Thompson Jr.
Thomas Thompson Jr. is a senior associate,
research, at Financial Executives Research Foundation
and the author of more than 20 published research
reports. Thompson received a BA in economics
from Rutgers University and a BA in psychology from
Montclair State University. Prior to joining FERF,
Thompson held positions in business operations
and client relations at NCG Energy Solutions, AXA-Equitable and Morgan Stanley Dean Witter.
Thompson can be reached at tthompson@financialexecutives.org or 973.765.1007.
Jan Hertzberg
Jan Hertzberg, CISA, CISSP, PCI QSA, leads
Grant Thornton’s Business Advisory Services IT Audit,
Security and Privacy practice located in the Chicago
office. He has more than 25 years of experience
and has held leadership positions with Fortune 100
companies, including IBM, Abbott and Ernst & Young.
As an audit and security consulting practice leader in
the United States and Latin America, he has managed
teams that provided guidance and support to
clients that are integrating IT controls into advanced
technology solutions. Hertzberg has led numerous
information security and privacy risk assessments,
external and internal vulnerability scans, social
engineering and war-dialing engagements, and
HIPAA/GLBA privacy reviews. Hertzberg is a frequent
speaker and moderator on information security
and privacy topics and has written and lectured
extensively on information security assessments,
IT, staff development, and convergence between
information and physical security. He received his
MS in computer science and his MA in history from
Northern Illinois University.
Mark Sullivan
Mark Sullivan, CFE, CFI, CPP leads Grant Thornton’s
Forensic Accounting, Investigations and Litigation
Support Services for the Midwest Region. He is
also the firm’s National Service Line Leader for
Investigations. Sullivan specializes in corporate
investigations, fraud prevention and detection, and
litigation support. For more than 25 years, he has
worked with companies and their counsel worldwide
to investigate frauds, develop and implement
anti-fraud programs, and identify organizational
vulnerabilities. His advanced interviewing skills and
his experienced team of forensic accountants and
e-discovery and computer forensics professionals
provide an unparalleled response to data breaches,
complex investigations and litigation matters.
Sullivan can be reached at mark.sullivan@us.gt.com
or 312.602.8110.
Hertzberg can be reached at jan.hertzberg@us.gt.com or 312.602.8312.
About Grant Thornton LLP
The people in the independent firms of Grant Thornton International Ltd provide
personalized attention and the highest quality service to public and private clients
in more than 100 countries. Grant Thornton LLP is the U.S. member firm of
Grant Thornton International Ltd, one of the six global audit, tax and advisory
organizations. Grant Thornton International Ltd and its member firms are not a
worldwide partnership, as each member firm is a separate and distinct legal entity.
In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.
About Financial Executives Research Foundation, Inc.
Financial Executives Research Foundation (FERF) is the non-profit 501(c)(3) research
affiliate of Financial Executives International (FEI). FERF researchers identify key
financial issues and develop impartial, timely research reports for FEI members
and nonmembers alike, in a variety of publication formats. FERF relies primarily
on voluntary tax-deductible contributions from corporations and individuals, and
publications can be ordered by logging onto www.ferf.org.
Acknowledgements
Platinum Major Gift | $50,000 +
Exxon Mobil Corporation
Microsoft Corporation
Silver President’s Circle | $5,000 – $9,999
Apple, Inc.
Comcast Corporation
Corning Incorporated
Credit Suisse
Cummins Inc.
Dell Inc.
Duke Energy Corporation
E. I. du Pont de Nemours & Company
El Paso Corporation
Eli Lilly and Company
GM Foundation
Halliburton Company
Hewlett-Packard Company
IBM Corporation
Johnson & Johnson
Lockheed Martin Corporation
Maple Leaf Foods, Inc
Medtronic, Inc.
Motorola Solutions, Inc.
Pfizer Inc.
Procter & Gamble Co.
Safeway Inc.
Sony Corporation of America
Tenneco
The Hershey Company
Tyco International Management Co.
Wells Fargo & Company
Gold President’s Circle | $10,000 – $14,999
Abbott Laboratories, Inc.
Cisco Systems, Inc.
Dow Chemical Company
General Electric Company
The Boeing Company
The views set forth in this publication are those of the authors and do not necessarily represent those of the
FERF Board as a whole, individual trustees, employees or the members of the Advisory Committee. FERF shall
be held harmless against any claims, demands, suits, damages, injuries, costs or expenses of any kind or nature
whatsoever except such liabilities as may result solely from misconduct or improper performance by FERF or any
of its representatives.
Content in this publication is not intended to answer
specific questions or suggest suitability of action in
a particular case. For additional information on
the issues discussed, consult a Grant Thornton
client service partner.
International Standard Book Number 978-1-61509-080-8
Authorization to photocopy items for internal or personal use, or for the internal or personal use of specific
clients, is granted by FERF provided that an appropriate fee is paid to the Copyright Clearance Center, 222
Rosewood Drive, Danvers, MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information please visit the Copyright Clearance Center online at www.copyright.com.
© 2011 Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd
© 2011 by Financial Executives Research Foundation, Inc.
All rights reserved. No part of this publication may be reproduced in any form
or by any means without written permission from the publisher.