So who has access to your social media accounts? It’s a question that many CIOs probably don’t ask themselves very much or at all. However, we just experienced one of the most highly publicized and bizarre social media gaffes during the 2016 NFL Draft. Someone might say this is simply an isolated incident in the sports world, but a strategic CIO, thinking about the long-term security of his or her company or organization, should be looking long and hard at this event and reading between the lines.
Laremy Tunsil, a talented offensive tackle out of Ole Miss, was touted in the months leading up to the NFL Draft as a potential Top 5 pick, if not, in fact, the No. 1 overall draft pick. Thirteen minutes before the draft started, a video of Tunsil smoking marijuana through a gas mask surfaced on his Twitter account. The news spread quickly, and it was reported that many teams that were thinking about drafting Tunsil went in another direction. He went from a potential top pick to being drafted at No. 13. He wasn’t even the top player taken at his position. And it cost him millions in potential salary.
Now you might say that he didn’t fall that much; he’s still a first-round pick and at the end of the day, he’s still going to make millions of dollars.
But hypothetically, let’s change the scenario from a football player to a high-profile executive, and instead of the NFL Draft, the event is a product announcement, merger or acquisition. Right before that executive goes to speak to the press, a compromising personal video is posted from one of the company’s social media accounts. The company’s reputation is negatively impacted. The company may also lose value. The Board and shareholders are not happy. There may also be reputational damage to the executive and, more importantly, to the brand.
We’re also talking about a major piece of good company news turning into a PR nightmare.
It’s now being reported that the person who posted the Tunsil video had access to Tunsil’s Twitter account. Insider threats are often greater than external threats, and CIOs need to be proactive about laying out a strong internal social media governance plan for executives so this scenario doesn’t happen.
Before laying out a company-wide plan, a CIO should first look to the top and take these immediate actions:
- Understand which executives at the company are actively engaging in social media on behalf of the company and see what social media sites they post to, what social media identities they use to do the posting, what platforms they post from and what type of content they post.
- Determine who has access to these accounts. For instance, does someone in the marketing department run the CFO’s LinkedIn page? Do their teams or assistants have any passwords to their devices or accounts?
- Determine how regularly passwords have been changed.
- For people who have access to these accounts, determine whether any team members have left the company and whether the passwords have been changed.
- Determine what social media identities may be out there purporting to be the executive or the company and assess whether they are valid or whether they were set up by someone with an anti-company agenda.
- To the extent possible, understand the non-company-related (i.e., personal) social media presence of senior executives. Ensure policies are clear on the use of personal social media accounts to disclose company business.
This isn’t a sports problem: it’s a general business problem. When reputation, revenue and jobs are on the line, regardless of the scenario, the outcome needs to be the same: locked down.