I was recently asked by Strategic RISK Asia magazine for my thoughts on the reputational threats arising from employees’ use of personal social media accounts. I was glad to share my views as it is a topic that comes up regularly with clients and prospects. It is also one I explored in my book Managing Online Reputation.
Below is my full response to the journalist; the published article is here.
Which risks are created for firms from employees’ personal social media accounts?
Research consistently shows the top risk of social media to companies is damage to reputation. Rank-and-file employees may be seen as the most trusted sources of information on, and credible advocates for, an organisation, yet the flip side is equally true: inappropriate, offensive, unethical or defamatory behaviour by those seen as the most authentic embodiment of a company has a nasty habit of spilling into the broader public domain and bringing their employer’s name and image into disrepute.
Understandably, much of the focus concerning employee social media profiles is on internal threats. However, companies underestimate the external risks associated with these accounts, notably the increased risk of social engineering to access personal and/or company information, and greater opportunities for identity theft as a way to embarrass an individual – and perhaps their employer – in public.
Which types of posts from employees on personal social media accounts are the most damaging (political statements, unprofessional conduct, criticising the company etc.?)
The degree of damage depends on factors such as the nature of the post, the resonance of the topic, the credibility of the employee, whether the post is seen as accidental or deliberate, and the visibility and reputation of the company. It can be particularly damaging if it is seen to involve confidential or highly sensitive information, racist, sexist or discriminatory comments, the harassment or smearing of colleagues, customers or competitors, or to point to corporate hypocrisy or double standards – all of which will quickly attract negative coverage and can result in legal action, financial penalties, or lost sales.
Much hinges on the local political, social and media context. For example, political and social online activism across Asia is less widespread, but certain topics are guaranteed to raise hackles and, with civil society gaining ground and personal online activism on the rise, a loose statement can prove immensely damaging. And while smears are commonly regarded as below the belt in the west, in China and elsewhere there is a pervasive culture of trashing other individuals, companies and just about anything and everything else, many of which are surprisingly overt. Many die at birth, but others take on a life of their own if the employee is trusted. It often also helps if the target is western.
How can firms mitigate these risks? Is employee training necessary, or does it need to go further into rules in contracts and disciplinary action?
The blurring of employees’ personal and professional lives online presents a tricky challenge for any organisation. While some companies continue to limit workplace access to social media, or to personal social media accounts during working hours, most accept that the great majority of their people have a personal presence on social media and understand it is unreasonable, and in some countries illegal, to clamp down on or to monitor personal online activities, particularly outside of working hours.
At one level, the risks of rogue social employees can be reduced by having strong values and culture, ensuring good behaviour across the corporate ecosystem, having a healthy working environment and fair compensation, and being open and honest whenever possible. Understanding that there is little to stop aggrieved employees sounding off on employer review sites such as Glassdoor, or taking to anonymous workplace communities like Blind, many companies are also strengthening employee reviews, complaint procedures, and putting in place more substantive and constructive exit interviews.
It is also essential to have strong social media governance, most obviously in the form of a corporate social media policy and a set of guidelines that spell out the expected parameters of online behaviour, highlight the link between poor personal behaviour and reputational damage to the company, and threaten disciplinary action for breaches of policy. Many companies now refer to or embed these terms in employment, contractor and supplier contracts, and feature them in formal onboarding processes.
Of course, social media policies and guidelines must also be understood and lived, which is where training and communication come in. The challenge is often that these dry, rather formulaic policy documents have many grey areas. For example, is it appropriate for employees to talk about, let alone criticise, their employers’ activities on Facebook and, if so, when and how? Should they respond to third-party criticism of the company on their social profiles, or the open web? Are there any topics employees should expressly steer clear of, even in their personal lives? Should employees be talking up their company’s products on social media and, if so, how? In what circumstances (if any) should an employee use his employer as an online platform for his own personal activities and views? Smart organisations have training programmes that get into these awkward nooks and crannies, bring them alive, clearly spell out the dos and don’ts, and issue regular reminders.
Companies like L’Oreal have taken this educational approach a step further by hand-holding their people personally through the social media maze, showing them the merits and risks of different kinds of social media strategies, platforms and profiles, and teaching them how to segment users, limit access to their opinions and content, and keep their profiles secure. Corporate personal branding programmes not only help employees and their employers protect their reputations day-to-day, they also instil residual goodwill and help reduce the likelihood of alumni disparaging the company once they have moved on.
It would be great to know your thoughts on this necessarily messy and difficult topic. Is there anything you find particularly challenging about employees’ personal social media accounts? And what do you find are the best ways of minimising these risks?