Audit & Risk

Socially acceptable risks

Fifteen years ago it was email and the web; today it is a new generation of workplace technology trends that’s creating opportunities and risks for organisations. How they manage their employees’ use of social media and personal communication devices is a key concern for internal auditors.


What can predict an epidemic and get a president elected? The answer – or so it is claimed – is social media. The US Centers for Disease Control (CDC), for example, have cottoned on to the fact that, when people are sick, the first thing they do is look up their symptoms using a web search and tell their online friends that they’re feeling ill. The CDC found that, by monitoring the incidence of the word “flu” on social networks, they could see an influenza epidemic coming two weeks before the data from GPs’ clinics and hospitals confirmed it.


In 2008 a cash-strapped nominee for the US presidency used social media to communicate with the people of America, mainly because he couldn’t afford conventional advertising. By creating Twitter and Facebook accounts, Barack Obama was able to interact with voters on a daily basis. Although the charisma of the candidate probably had something to do with it, his use of social media helped to mobilise young supporters in particular. Hence the 2008 election had the highest youth participation in history and saw the biggest turnout in a presidential poll since 1908. 


The role of social media in the Arab spring is well documented, as is its part in organising the London riots of 2011. It’s clearly powerful stuff. But what can it do for organisations – and is it safe to get involved?

Exposure – good and bad


Social media gives businesses the chance to talk to their customers and find out what they might be saying about their brands, according to Stephen Hill, managing director and data security specialist at Snowdrop Consulting. It also gives them a whole new way to harvest information about consumers. “But the main thing is that it exposes organisations to a much greater audience,” he says.


Indeed, as of May 2012 Facebook claimed to have 900 million active users – more than the total population of the Americas (about 859 million) plus that of Australasia (39 million). Twitter reckons to have about 500 million active users. 


Social media is also more powerful than advertising. As Hill points out: “People trust peer-to-peer recommendations more than ads. Something they’ve read on [holiday review site] TripAdvisor or on a friend’s Facebook page has a greater impact – and the corporate world is taking this on board.”


Ryan Rubin, UK director of security and privacy at global consultancy Protiviti, agrees about the value of social media, but points out a number of pitfalls for internal auditors to bear in mind. Social media is vulnerable to the same types of fraud as those affecting other information technologies. A typical scam is to compromise someone’s Twitter account and then post a link from it that takes an unsuspecting user to a malicious site.


“A hacker on the outside can then come into your computer and bounce from there inside your corporate network,” Rubin warns. “These things are happening all the time.”


Criminals never stop trying to break through security systems, so users need to be warned about their tactics, while firewalls and anti-virus programs need to be updated continually. Social media sites also lay organisations open to security risks of another kind. Think of the MI6 chief, Sir John Sawers, whose wife posted personal details on Facebook, or of a chief executive who might casually tweet his location and inadvertently alert competitors to an impending merger or acquisition. Rubin also alludes to the “lonely hearts” scam, in which a new Facebook contact befriends a senior executive’s personal assistant to gain intelligence about their boss’s activities.

Word of mouth


The use of social media also poses a serious reputational risk. Customers, for example, can be brutally honest about a product or service, doing a lot of harm in the process. 


Even more damaging, perhaps, is when employees share their negative comments about an organisation. The number of cases is growing. Virgin Atlantic dismissed 13 flight attendants for criticising the airline’s safety standards and describing its passengers on Facebook as “chavs”. A worker was sacked by Waitrose for making obscene remarks online about the John Lewis Partnership. And an employee who posted “I work at Argos and can’t wait to leave because it’s shit” had his wish granted sooner than he’d expected. Meanwhile, 15 per cent of workers in the US told Deloitte’s 2009 ethics and workplace survey that, if their employer did something that they didn’t agree with, they would comment about it online. 


Of course, there have always been unhappy customers and jaded employees. The difference now is that the complaint can potentially be seen by millions of people and won’t ever be entirely removed. 


“You often hear that phrase ‘what goes online stays online’ – and it’s very true,” Hill says. “What people don’t realise is that what you post to Facebook belongs to Facebook. It’s very difficult to have them remove material unless, for instance, the police have had to get involved because criminal activities have occurred.”

Left to their own devices


An extra layer of risk is introduced when people use their own mobile communications tools for work purposes. The bring-your-own-device (BYOD) trend is strengthening because many IT manufacturers are focused on putting their best innovations into consumer products. Consequently, employees are acquiring more powerful devices than their employer can provide and they want to use these at work. According to e-learning specialist intuition.com, about 60 per cent of information workers already use their own devices for both work and personal purposes. Nearly three-quarters of these believe that BYOD increases their productivity, while four out of five use their devices to access their office network without their employer’s knowledge or permission. 


By their very nature these portable devices are highly vulnerable. About 70 million smartphones are lost every year, and nearly one-third of their owners lose all the data held on them because they haven’t backed it up anywhere else. The security implications are clear.


Internal auditors need to stay aware of all these changes and provide assurance to management that the right safeguards are in place. These will include technical controls that keep data on the corporate network rather than stored locally on mobile devices, where it can be lost along with the device. Procedural measures are also required, such as restricting access to customer data to those staff members who need it.


“Organisations need to have policies and procedures in place for their own protection,” Hill says. “They should already have an internet and email policy, so social media is an add-on, addressing the things that employees should and shouldn’t do.” 


Not that all the issues will be clear cut. Think of instances where an employee’s “friend” posts an injudicious picture of them online. How can they still be held liable? And when does conduct in an employee’s own time reflect on their employer? People have the right to a private life under the Human Rights Act 1998, while the Regulation of Investigatory Powers Act 2000 stipulates what can be recorded in terms of monitoring people’s activities. Organisations must tread carefully to protect themselves and explain clearly what they expect from their staff. 

But remember that, as well as the threats, there are opportunities. A generation has grown up with the internet and finds social media a natural and productive way to communicate. “Organisations need to embrace all the advantages,” Rubin says. “One of the biggest risks is to do nothing and then get left behind.”
