Social Media: An Internal Audit Reality


1 Social Media: An Internal Audit Reality. Presented by: Joe Schmidt, Manager; Stephen Chasser, Experienced Consultant. Moderated by: Sara O'Banion

2 TODAY'S PRESENTERS: Joe Schmidt, Manager, Cincinnati; Stephen Chasser, Experienced Consultant, Columbus

3 Agenda Social Media An operational perspective Overview Social media objectives Social media risks Internal audit response/approach Examples

4 Social Media's Impact on the World

5 Overview: Social Media Impact. Social Network: a network of social interactions and personal relationships. Social Media: websites and applications that enable users to share content/participate in social networks. Societal Impact: increased transparency; information availability. 2018 Study, Pew Research Center

6 Overview: Social Media Impact. Corporate Impact: Corporation Customer barriers; platform economy; social media linkages. 2.62 billion global social media users in 2018 (34% penetration). By 2021, mobile e-commerce = 54% of all online sales. Facebook Ad revenue in the US > total print ad spending by Study, Forbes Magazine

7 Corporate Objectives

8 Corporate Objectives: A corporation's social media objectives should be measurable and trackable. Brand Awareness Number of consumers being exposed to the brand Developing a brand reputation Increase the size of social networks and communities Monitor consumer activity and feedback Social followers new business

9 Risks Inherent in Social Media Use

10 Social Media Risks Brand and Reputational Damage Speed of information and organizational transparency are main factors

11 Social Media Risks: Compliance. NLRA (National Labor Relations Act) Section 7; Gramm-Leach-Bliley Act (GLBA); Financial Industry Regulatory Authority (FINRA); Outsourcing Social Media Activity

12 Social Media Risks. Information Leakage: sensitive and important information open to the public; customer information, intellectual property, M&A, etc. Lack of Governance: IT oversight; corporate strategy; goal consistency; Greenfile Developments

13 Internal Audit Response & Corporate Social Media Policy

14 A Risk-Based Approach Develop controls to mitigate risks Educate personnel Periodically validate effectiveness of controls

15 A Risk-Based Approach: Important Internal Audit responses. Brand damage: help to develop an organization-wide social media policy; policies should be established for personal and company social media accounts; crisis management plan(s). Compliance: educate personnel on applicable regulations and laws; develop procedures consistent/perform gap assessments

16 A Risk-Based Approach: Important Internal Audit responses. Third Party Risk and Information Leakage: loss prevention; strict third-party selection criteria; evaluation of third party's business and control environment (SOC reporting). Operational/Effectiveness Audit: Are objectives being met? Utilize metrics (ROI/KPIs)

17 Overview Drivers Business Awareness Acceptable Use Employee Education Business/Employee Productivity

18 Business Awareness. What is Business Awareness? What is the value? What is the scope? What restrictions are used? Visibility and security controls/policies in place for all levels of business, in addition to the company's social media presence and access to those accounts. Prevention of phishing, posting and additional risk leading to exposure of company information to the public. Frequently viewed as a personal communication tool rather than a business platform; risk monitoring & governance, employee security awareness and corporate security policies. A two-sided approach: establishing user usage restrictions and company monitoring of social media platforms where there is a presence.

19 Business Awareness Administration Posting Monitoring Employees Posting Enterprise Social Media Accounts Social Media Accounts Management Monitoring User Posts and Comments

20 Administration's Role Controls & Restrictions Security Administration User Population

21 Social Media Account Administration Single Point Posting Company Endorsement Controls & Restrictions

22 Social Media Account Administration Company Endorsements Company Responses Removal of Defamatory Content

23 Monitoring Account Activity

24 Monitoring Account Activity. Company Monitoring: Centralized promotion and sharing through the established social media account. Responding to and resolving customer responses on social media. Employee Monitoring: Having visibility into employee social media accounts. Controlling the content posted by the employee that may impact the company.

25 Employee Accountability. Acceptable Use: Having a clear and established policy for the rules and behavior of the employee; employee acknowledgment of the Acceptable Use Policy. Employee Education: Ongoing security awareness training, through annual classes or internally staged phishing attempts approved by management; receiving a confirmation that the training was successful. Accountability: Empowering the employee to report any issues that are discovered; recognition of possible issues they notice or report

26 Exploits Through Social Media. Social media hackers. Currently, according to in-depth statistics, there are more than 3 billion active social network users worldwide. They use links on social media to direct you to download a virus; these links may be disguised as like buttons or links to other pages. Attempts are also made to acquire information through social media, such as usernames and passwords. Average time to detect a malicious or criminal attack by a global study sample of organizations was 170 days. 98% of tested web apps are vulnerable to attack. Only 38 percent of global organizations claim they are prepared to handle a sophisticated cyber attack.

27 Exploits Through Social Media. Chart: percentage of companies that have: experienced web-based attacks; experienced phishing & social engineering attacks; discovered malicious code and botnets; experienced DoS attacks. Chart values: 68%, 62%, 59%, 51%

28 Conclusion How do we protect ourselves from Social Media Exploits?

29 THANK YOU! Joe Schmidt Stephen Chasser