What would you do if you discovered that one of your sales staff had been making disparaging remarks about your company on Facebook or Twitter?
What would you do if a disgruntled customer creatively vented his or her anger with your company in several online forums, quickly gaining you nationwide negative media exposure?
Would you know what to do?
Incidents like these have become more prevalent as social networking and other Web 2.0 applications have made their way into everyday life and into the workplace, with or without company approval. Because Web 2.0 incidents are relatively new threats, many companies lack solid policies and procedures for responding, as well as clear internal guidance about who is accountable for each part of the response.
The Security Executive Council has recently developed a report that explores the threats posed by Web 2.0 applications and what security can do to help prepare the company for, and protect it from, a Web-based event that threatens brand reputation.
According to the report, security should play a specific role related to mitigating brand-related Internet crises – a role that leverages security resources and capabilities in the context of an evolving threat to corporate well-being.
Specifically, the corporate security department is well positioned to:
• Coordinate responses such as fact-finding, public-private liaison, interviewing, and addressing criminal and civil court issues, including restraining orders, prosecution, search warrants, chain of custody and law enforcement involvement if an event has any criminal elements.
• Access and bring to bear resources related to various parts of the company, specifically based on familiarity with corporate and information technology (IT) interests.
• Marshal outside resources and contacts – such as investigators, law enforcement, profilers and technicians – to help with a response.
• Tap into knowledge based on existing areas of responsibility related to protecting the brand, including planning for and responding to natural disasters.
• Work in cross-functional teams, a capability previously demonstrated in cases of workplace violence, counterfeit products, major investigations and executive protection.
• Anticipate the need for any response to involve civil litigation, investigations, documentation, etc.
• Access and bring to bear resources related to various parts of the company, specifically based on familiarity with corporate and information technology (IT) interests.
• Marshal outside resources and contacts – such as investigators, law enforcement, profilers and technicians – to help with a response.
• Tap into knowledge based on existing areas of responsibility related to protecting the brand, including planning for and responding to natural disasters.
• Work in cross-functional teams, a capability previously demonstrated in cases of workplace violence, counterfeit products, major investigations and executive protection.
• Anticipate the need for any response to involve civil litigation, investigations, documentation, etc.
Security executives should take steps to assess the relevance of Web-based incident risk to their organization. For example, in a branded food business, the possible damage is huge. Assessing the risk could include reaching out to colleagues in other industries who have experienced similar incidents and asking corporate communications to monitor social networking sites.
After assessing the risk, security should determine ways to detect when an Internet-based brand attack has occurred and how the company should respond (and how fast).
Communicating with management is part of security’s role. As part of the emergency and crisis team, security should always be reviewing business-critical scenarios with upper management to manage risk. Tabletop exercises are useful tools to demonstrate how and why a risk situation might be addressed. When an incident occurs, there is no time to develop processes, roles and responsibilities. These things need to be already in place. A company’s crisis management and business continuity policies may need to be modified to address this new kind of threat.
Crisis management teams should go through tabletop exercises three or four times a year to make sure processes work. The exercises can include strategies related to addressing Internet crises. Companies need designated hitters ready to get on Facebook or other social media sites and respond right away.
Research from Aberdeen Group suggests that companies have every reason to want to catch issues related to the viral effect of social media at the first possible moment and to take appropriate action. Aberdeen Group finds that today only 30 percent of “laggards,” compared to 65 percent of “best-in-class” companies, are satisfied with their current ability to identify and reduce risk to the brand. At the same time, using online monitoring as an early warning system, best-in-class companies are 12.5 times more likely than laggards to experience year-over-year increases.
At the end of the day, any corporate crisis communications effort is a work in progress. It will always be a work in progress because the rules are changing so quickly. Furthermore, every company has its own culture – whether conservative, moderate, open, closed, pyramid or flat – and how a plan of action plays out can be impacted by those variables. The most important thing is to have a plan.
