How to build a social media protection program: a 10-step guide

Building a social media protection program is a must have in the modern age. Business are increasingly exposed to risks — cyber, brand and physical — on social media and digital channels, all of which exists unregulated and outside of the business’ infrastructure. A social media protection program perfectly complements both a social media management and listening program, and provides the critical protections for where most modern businesses create a huge portion of their value: social networks.

The following 10-step social media protection program guide is relevant for anyone within an organization, be it information security, marketing, customer success, risk & fraud or corporate security. For a full dive on social media protection, download your free copy of Social Media Protection for Dummies.

1. Assemble a Task Force

Expect the kickoff meeting to be a lengthy, in-depth conversation. Marketing and information security teams generally lead this meeting, and they should plan to begin educating stakeholders about the purpose of a social media protection program before exploring possible goals and responsibilities. The key deliverable for this meeting are documented processes and policies. Consider educating these other departments or distributing resources before the task force assembles to ensure this first meeting and the task force itself can be as action-oriented as possible.

2. Assess & Prioritize Risks

Depending on your industry, the size of your organization, and your current presence on social media, the frequency and severity of the risks you face will vary.

The organization’s active social media users (typically marketing and customer success) should come prepared with information and examples of known risks. For a full risk profile of the organization, work with a social media protection vendor to create an initial assessment.

Most social media protection task forces assess the risk to the organization based on frequency and severity of risks. Account hijacking, for instance, has a low frequency but an incredibly high severity. Assigning some comparative qualifications for risk based on your organization’s tolerance allows for prioritization of risk.

Other organizations, especially those with more resources or more robust risk management protocols, can assess desired risk levels, existing risk levels, and methods of harmonizing the two. The more rigorous the approach, the better the company will be able to implement efficient, economical tools and policies to protect the organization adequately.

3. Decide on Roles & Responsibilities

At the initial meeting, the main objective is to collectively agree on roles and responsibilities. This entails identifying what risks exist for the brand, which are worth addressing, and which are the most urgent.

Based on this prioritization, it should become evident which stakeholder is tasked with identification and remediation. For example, it could be a customer success team’s responsibility to identify customers leaking PII or credit card information, but it may be up to fraud and legal to remediate the leak.

4. Establish Processes & Policies

The core initial deliverable for a brand protection task force is documented processes and policies.

• Processes describe workflows for each risk, stakeholder engagement, remediation and takedown, and review.
• Policies provide guidelines for key stakeholders and for active social media users at the company. They also lay out game plans for executive social media usage, training programs, and regulatory guidelines where applicable.

5. Train Relevant Staff

A critical component of a social media protection program is training for relevant staff on policies defined by the brand protection task force. When you train employees on internal policies, also include general education topics around social media protection, security and privacy.

This is especially critical for marketing and support staff who actively engage with prospects or customers. Ensuring that your support staff is engaging appropriately can be the difference between return customers or a social media catastrophe. Be sure to establish a process, update it regularly and develop an enforcement mechanism to ensure it’s being upheld effectively.

6. Monitor & Address Risk

This phase is the continuous enforcement of the policies and procedures. The most involved social media protection stakeholders—generally information security, risk & fraud, marketing and customer success—should use social media management, social listening, and social media protection tools to identify risks, assess sentiment, and manage & takedown threats accordingly.

The speed and efficiency of monitoring and damage control are critical, as risks can go viral in minutes. Stopping the bleeding as quickly as possible is crucial. Social media protection tools need to be set up in accordance with the priorities laid out in the initial meeting and deployed to the correct stakeholders. Content in violation of a social network’s Terms of Service can be flagged for removal or automatically requested for removal via a social media protection tool.

7. Watch for Trends and Update Policies & Processes Accordingly

Assign someone to stay abreast on social media topics, including emerging threats, changes in policies and regulations and evolving attacker tactics. These should be rapidly incorporated into the existing policies and procedures. In addition, deploy a tool that will auto-update with trainings and news for all users.

8. Schedule Recurring Check-ins

Schedule regular check-ins monthly or quarterly. At these meetings, review trends, discuss wins/losses, and update goals based on feedback.

9. Report & Review

Establish a framework for metrics and reporting to be circulated to stakeholders at a consistent cadence. Work with your social media management, social listening, and social media protection vendors on analytics and reporting. These metrics will guide the review process and should show where progress is being made, where is it not, and gaps in the program.

10. Regularly Complete the Ultimate Business Social Media Protection Checklist

1. Set up your organizationʼs social media pages – even if you donʼt plan to be active, keep them updated with the correct information so that you own the real, protected accounts.
2. Enable two factor authentication for all your business social media accounts. Have the two factor authentication linked to a corporate device that is locked down.
3. Ensure that the corporate email accounts that register for your social media accounts follow the same user access guidelines of any other critical system within the company – determine who needs to have access and grant accordingly.
4. Leverage one social media management platform and connect all your social media accounts. Or leverage the native apps and limit personnel access.
5. Change all passwords to corporate social media accounts, and your social media management platform every 90 days or per your corporate password policy.
6. Audit social media access and permissions once a quarter.
7. Create a corporate social media security policy – at a minimum, this should include the preceding security recommendations.
8. Create a corporate social media policy – general engagement policies that align with your business needs and goals, including rules of engagement for employees on their personal accounts.
9. Enable a technology with functionality to automatically lock down your accounts if they exhibit strange behavior.
10. Train your social media marketing personnel on social media security and privacy at least once a year.
11. When clicking on links in social media, verify that you know where they are actually taking you to.
12. Do not share, retweet, tag accounts or profiles you donʼt recognize. Do a little research – be a knowledgeable consumer of social media and your social ecosystem.
13. Keep consistent imaging and naming conventions across your accounts (Profile, Header, and Names) to easily direct customers towards your real accounts.
14. Monitor social networks for threats to your businesses, including but not limited to – impersonations, malicious links, fraud, spam, etc.