Disaster Recovery Journal, Summer 2010

DRI INTERNATIONAL

Social Networking and BCP
By AL BERMAN, CBCP

Because of the buzz around it, you are aware that social networking has become the latest means of mass com- munication. MySpace was the first globally recognized and popular site used initially by young people to socialize with their friends online. This was quickly followed by the popularity of sites such as Facebook, LinkedIn, and Twitter. These sites are no longer limited to the young generation but used by people of all ages for both business and social networking.

However, do they have a place in your plan?

The initial thinking on this was “no,” but more recently that thinking has changed to a well-considered “maybe.” Like any other tool you would use to communicate, you must plan for how and under what circumstances you would choose to use this tool. Here are some things to consider:

u;Communications to your Customers

–;If;your;company;had;an;account;on;a social;networking;site,;you;could;use;it;to foster;conversations;with;your;customers.

u;Communication to your Employees;– If;your;company;manages;a;controlled group;on;a;social;networking;site,;you could;use;that;to;provide;instructions;and information;to;your;employees.

the adding and deleting of employees from an employee group as people join and leave the organization.

When choosing to use social networking systems, consider the following:

1);Will;the;information;be;one;direction;(only;from;you);or;multi- direction?

2);Should;it;be;linked;from;the;company;Web;sites;so;employees and/or;customers;know;to;visit;there;for;up-to-date;information?

3);How;will;you;moderate;blogs;with;vetted;information;from corporate;communications?

4);Should;you;post;company-specific;content;such;as;staff;hotline numbers;and;other;types;of;notification?

Sounds pretty good. The bonus is that many of these sites have on cost to the user. You can set up an account and use it to communicate to large numbers of people at no cost to the company. On the down-side: controlling what is said on these sites and by whom is a considerable challenge. For those of you who are in industries that require you to save any communications to your customers/employees archiving requirements may be difficult.

In order to make certain that people knew these sites existed and knew to check them when there was an event, you would need to establish these sites in advance of a contingency event. This requires you to establish control over who had the right to post information on a social networking site responsibility for monitoring and responding to any posts to your site or about your site by others. If you have a controlled group (such as is available through LinkedIn), you need to define who manages the group. Designated individuals have access to that group and control

The;very;nature;of;social;networking requires;an;openness;and accessibility;that;may;be;at;odds with;a;corporation’s;internal;security controls.;In;recent;months,;specific networking;vehicles;have;been exposed;to;a;variety;of;threats and;attacks;from;nuisance;level to;full-blown;identity;theft,;hacking and;“phishing.”;Some;outlets;may have;a;BCP;application,;but;not;all of;them;lend;themselves;to;the;level of;security;that;would;be;needed;to protect;the;data;and;reputation;of corporations.

“
“

The very nature of social networking requires an openness and accessibility that may be at odds with a corporation’s internal security controls. In recent months, specific networking vehicles have been exposed to a variety of threats and attacks from nuisance level to full-blown identity theft, hacking and “phishing.” Some outlets may have a BCP application, but not all of them lend themselves to the level of security that would be needed to protect the data and reputation of corporations.

The bottom line is to consider carefully whether these new means of mass communication fit into your corporate culture and whether sufficient controls can be implemented with them to enhance, not detract, from the communication needs of your organization. Reputations are hard to build and easily lost. Tread carefully.

While DRI International sees potential value in these tools due to the inherent security challenges in the near term, they are not yet a full replacement for traditional notification systems. DRI International does not endorse any specific tool or approach.

v

Alan;Berman,;CBCP,;is;a;member;of;the;ASIS;BS25999 technical committee, a member of the Committee of Experts;for;ANSI-ANAB,;a;former;member;of;the;NY;City Partnership;for;Security;and;Risk;Management,;executive director;for;Disaster;Recovery;Institute;and;the;co-chair for;the;Alfred;P.;Sloan;Foundation;committee;to;create;the new;standard;for;the;US;Private;Sector;Preparedness;Act (PL;110-53).