Post on 04-Jul-2020
Social Media: An Internal Audit Reality
Presented by: Joe Schmidt, Manager
Stephen Chasser, Experienced Consultant
Moderated by: Sara O’Banion
TODAY’S PRESENTERS
Stephen Chasser, Experienced Consultant, Columbus
Joe Schmidt, Manager, Cincinnati
Agenda
Social Media – An operational perspective
•Overview
•Social media objectives
•Social media risks
•Internal audit response/approach
•Examples
Social Media’s Impact on the World
Overview – Social Media Impact
Social Network – a network of social interactions and personal relationships
Social Media – websites and applications that enable users to share content/participate in social networks
• Societal Impact
  • Increased transparency
  • Information availability
2018 Study, Pew Research Center
• Corporate Impact
  • Corporation/customer barriers
  • Platform economy
  • Social media linkages
2.62 billion global social media users
in 2018 (34% penetration)
By 2021; mobile e-commerce = 54% of all online sales
Facebook Ad revenue in the US
> total print ad spending by 2019
2018 Study, Forbes Magazine
Overview – Social Media Impact
Corporate Objectives
Corporate Objectives
A corporation’s social media objectives should be measurable and trackable.
• Brand Awareness
  • Number of consumers being exposed to the brand
  • Developing a brand reputation
  • Increase the size of social networks and communities
• Monitor consumer activity and feedback
• Convert social followers into new business
Risks Inherent in Social Media Use
Social Media Risks
Brand and Reputational Damage
• Speed of information and organizational transparency are the main factors
Social Media Risks
Compliance
• NLRA (National Labor Relations Act) Section 7
• Gramm-Leach-Bliley Act (GLBA)
• Financial Industry Regulatory Authority (FINRA)
Outsourcing Social Media Activity
Social Media Risks
Information Leakage
• Sensitive and important information open to the public
• Customer information, intellectual property, M&A, etc.
Lack of Governance
• IT oversight
• Corporate strategy
• Goal consistency
Greenfile Developments
Internal Audit Response & Corporate Social Media Policy
A Risk-Based Approach
• Develop controls to mitigate risks
• Educate personnel
• Periodically validate effectiveness of controls
A Risk-Based Approach
Important Internal Audit responses
Brand damage
• Help to develop an organization-wide social media policy
• Policies should be established for both personal and company social media accounts
• Crisis management plan(s)
Compliance
• Educate personnel on applicable regulations and laws
• Develop consistent procedures and perform gap assessments
A Risk-Based Approach
Important Internal Audit responses
• Third-Party Risk and Information Leakage
  • Loss prevention
  • Strict third-party selection criteria
  • Evaluation of the third party’s business and control environment (SOC reporting)
Operational/Effectiveness Audit
• Are objectives being met?
• Utilize metrics (ROI/KPIs)
Overview – Drivers
Business Awareness
Business/ Employee Productivity
Employee Education
Acceptable Use
Business Awareness
What is Business Awareness? Visibility into, and security controls/policies for, social media use at all levels of the business, including the company’s own social media presence and who has access to those accounts.
What is the value? Prevention of phishing, of unauthorized posting, and of other risks that lead to company information being exposed to the public.
What is the scope? Social media is frequently viewed as a personal communication tool rather than a business platform; the scope therefore covers risk monitoring and governance, employee security awareness, and corporate security policies.
What restrictions are used? A two-sided approach: establishing usage restrictions for users, and company monitoring of the social media platforms where the company has a presence.
Business Awareness
Enterprise Social Media Accounts
• Administration
  • Posting
  • Social media account management
• Monitoring
  • User posts and comments
  • Employee posting
Administration’s Role
• Security administration
• User population
• Controls & restrictions
• Social media account administration
  • Single-point posting
  • Company endorsements
  • Company responses
  • Removal of defamatory content
• Monitoring account activity
Monitoring Account Activity
Company Monitoring
• Centralized promotion and sharing through the established social media account.
• Responding to and resolving customer responses on social media.
Employee Monitoring
• Having visibility into employees’ social media accounts.
• Controlling content posted by employees that may impact the company.
Employee Accountability
Acceptable Use
• Having a clear, established policy for the rules and behavior expected of employees
• Employee acknowledgment of the Acceptable Use Policy
Employee Education
• Ongoing security awareness training, through annual classes or internally staged phishing attempts approved by management
• Receiving confirmation that the training was successful
Accountability
• Empowering the employee to report any issues that are discovered
• Recognition of possible issues they notice or report
Exploits Through Social Media
• Social media attackers. Currently, according to published statistics, there are more than 3 billion active social network users worldwide. Attackers use links on social media to direct you to download malware; these links may be disguised as ‘like’ buttons or as links to other pages. Attempts are also made to acquire information such as usernames and passwords through social media.
• Average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days.
• 98% of tested web apps are vulnerable to attack.
• Only 38% of global organizations claim they are prepared to handle a sophisticated cyber attack.
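The disguised-link technique above (a ‘like’ button or a friendly-looking URL that actually points somewhere else) is something a monitoring team can check for mechanically. The following script is an added example, not part of the presentation or the presenters’ material: it extracts the anchors from a post exported as HTML, and flags links whose visible text is a URL on a different host than the real target, links that deliver a downloadable executable, ‘Like’/‘Click here’ lures that leave the trusted hosts, and plain-HTTP links to external hosts. The trusted-host list and the sample posts are constructed for illustration.

```python
"""Flag suspicious links in social media posts.

Added example (not from the presentation). Assumes posts are available as
HTML snippets, e.g. exported from a monitoring tool. Host lists and sample
posts below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the company's own hosts plus the platform the post lives on.
TRUSTED_HOSTS = {"example.com", "www.example.com", "www.socialplatform.invalid"}
# File types a 'like' button or 'view more' link should never deliver.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".js", ".vbs", ".apk", ".dmg", ".zip")
# Anchor texts commonly used as lures.
LURE_TEXT = re.compile(r"^\s*(like|share|view more|see more|click here)\s*$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the post."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def check_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(href)
    target = host_of(href)
    path = parsed.path.lower()
    shown = host_of(text) if re.match(r"https?://", text, re.I) else ""

    # Visible text is itself a URL, but on a different host than the real target.
    if shown and shown != target:
        findings.append(f"display/target mismatch: shows {shown}, goes to {target}")
    # The link hands the user a file instead of a page.
    if path.endswith(EXECUTABLE_SUFFIXES):
        findings.append(f"link delivers a downloadable file: {path.rsplit('/', 1)[-1]}")
    # A 'Like'/'Click here' style lure that leaves the trusted hosts.
    if LURE_TEXT.match(text) and target not in TRUSTED_HOSTS:
        findings.append(f"'{text}' lure points off-platform to {target}")
    # External link without TLS: trivially interceptable/redirectable.
    if target and target not in TRUSTED_HOSTS and parsed.scheme != "https":
        findings.append(f"non-HTTPS link to external host {target}")
    return findings


def scan_post(html):
    """Map each suspicious href in a post to its findings."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed sample posts: one benign, two in the style the slide describes.
SAMPLE_POSTS = [
    '<p>New product page: <a href="https://www.example.com/launch">'
    'https://www.example.com/launch</a></p>',
    '<p>Free gift! <a href="http://cdn-files.invalid/setup.exe">Like</a> this post.</p>',
    '<p>Login here: <a href="http://login.invalid/acct">https://www.example.com/login</a></p>',
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        for href, findings in scan_post(post).items():
            print(href)
            for f in findings:
                print("  -", f)
```

The checks are deliberately conservative: a link on a trusted host whose text matches its target produces no findings, so the output is a short review queue rather than a flood. In practice the trusted-host list would be fed from the account inventory the administration section describes.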
Exploits Through Social Media
Chart: percentage of companies that have experienced each type of attack
• Experienced DoS attacks
• Discovered malicious code and botnets
• Experienced phishing & social engineering attacks
• Experienced web-based attacks
Values shown on the chart: 68%, 62%, 51%, 59% (which value belongs to which category is not recoverable from the extracted chart)
Conclusion
How do we protect ourselves from Social Media Exploits?
THANK YOU!
Stephen Chasser: sechasser@clarkschaefer.com
Joe Schmidt: jschmidt@clarkschaefer.com