Social Media and Your Organization: Risks vs. Rewards

Risk Advisory/Internal Audit

By Dan Desko

Recently, the Information Systems Audit and Control Association (ISACA) released a white paper on social media titled “Social Media: Business Benefits and Security, Governance and Assurance Perspectives,” which highlighted the benefits and potential risks of social media.

The definitions of social media vary, but many information technology professionals define it as an outlet to disseminate information and solicit feedback on a real-time basis. Social media outlets are highly interactive, and organizations can solicit feedback on new products, drive sales and enhance brand recognition.

Chances are your organization, or at least a department within your organization, is using Facebook, Twitter, Tumblr or YouTube to build a social media presence.

With the openness of the Internet and the general ease of use of social media sites, this environment really is a web version of the “wild, wild west.”

Certain risks associated with social media include:

  • Employees or non-employees creating a social media page representing your company without management/IT consent or approval
  • Trade secrets or other business secrets being inadvertently or even deliberately shared
  • Dissatisfied customers or disgruntled employees voicing their opinions freely
  • Viruses, spyware and network vulnerabilities occurring due to the interactivity and open nature of social media architecture

Since no additional technology other than an Internet connection is needed to leverage a social media tool, the likelihood that these risks will affect your organization is relatively high. Organizations must consider controls to address these social media risks. There is no cookie-cutter list of controls that should be applied to every organization. Every organization should custom-build social media controls based on the unique mix of all risks versus the benefits of using each outlet (business/sales growth, brand recognition, etc.).

Controls to consider when building social media policy include:

  • The extent to which social media will be officially sanctioned by the organization
  • Who is allowed to use the social media sites
  • How users gain approval to use the social media sites
  • Standards/policy of social media use inside and outside of the workplace
  • Brand monitoring and legal involvement
  • How to report false pages

If you have any questions regarding social media and how to evaluate the risks versus rewards for your organization, or if you would like to review or audit your social media program, please contact Dan Desko at ddesko@schneiderdowns.com or Jim Yard at jyard@schneiderdowns.com.

© 2011 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
