Jagdeep Singh, Partner, Assurance, EY

The impact of COVID-19 has swept across global businesses, affecting all sectors and industries. Lockdowns of various degrees have disrupted the traditional way of doing business. Organisations have responded by moving to working from home (“WFH”), which has become a new normal. Interestingly, a recent media article highlighted that employee productivity has improved while working remotely.

Today, smartphones have become ubiquitous and have blurred the boundary between official and personal use. With “bring your own device” (BYOD) policies and a flurry of apps available, it takes only a tap or a swipe to launch into the realm of social media, while seamlessly switching between an official email or watching a video during nano breaks. Social media has become an integral part of our lives in some form or another. The apps available are used for business as well as personal stories—sharing everything from news and views, thoughts, and feelings, to opinions, points of view, and analyses. As per a report by the Bureau of Labour Statistics, an individual spends more time on social media than on everyday activities, which was approximately 144 minutes a day during 2019.

Many organisations do realize the value brought by social media and recognize that it’s a “way of life.” However, mixing business and personal usage, especially in a remote working set-up, may expose the individual, as well as their organisation, to several risks. Hence, it is important for organisations to build controls and safeguards around the use of social media, especially during these difficult times. The extent of monitoring or regulating and the approach to it would typically depend on the nature of the industry, demographics, and management style. For example, companies in sensitive sectors such as defence and aerospace tend to prohibit the use of social media, going to the extent of disabling social media apps and even WhatsApp when an employee enters the office premises. Others, such as the pharmaceutical industry, tend to have strict policies but do not prohibit it completely. On the other end of the spectrum are companies that are more liberal and have broad guidelines that are only perfunctory in nature. They would also differ in their approach toward social media monitoring and disciplinary action against errant employees.

There is no denying that social media is a very useful tool for companies because of its speed and reach. But it can also cause serious financial and reputational damage if there is a breach or confidential data is leaked. Many a times, employees’ actions that may result in these situations are inadvertent or unintentional. With the prevailing pandemic and lockdown across several countries, businesses have adapted to WFH, thereby multiplying the risks presented by social media. Some of the factors responsible for heightened risks are:

  • No physical supervision, leading to employees scanning social media apps and sites during office hours.
  • Easy access to social media, as handheld devices are being used for official purposes. These allow easy toggling between personal and work modes, making it easier to take a screenshot and subsequently share it on social media platforms.
  • Weak cyber and IT security, as many organisations are not equipped to handle a large-scale WFH situation and do not have robust policies and controls.

The ongoing uncertainties have sparked an emergence of several social media risks, including:

  • Phishing attacks, wherein unsuspecting users receive a bogus link intended to discreetly gather information from the device, have become fairly common. This means, a tap on the notification while simultaneously attending a call may allow a hacker to gain access to important and confidential official information.
  • Many employees have been posting WFH photos with an intent to highlight resilience and spirit within communities in these tough times. However, there have been cases of these photos revealing confidential information in the background—for example, visible network or device passwords on sticky notes or the name of an important client or project.
  • Overzealous employees may post various facets of their lives and jobs on social media without realizing the repercussions of their actions. For example, a screenshot from a work app posted without any malice may compromise client confidentiality.

Identifying and addressing these risks will be paramount as employees continue working beyond the physical boundaries of the workplace. Some of the leading practices for organisations as they embrace the future of work are as follows:

  • Revisiting and reassessing existing social media policies and guidelines, and tweaking them to be relevant and adequate
  • Strengthening training and awareness programs, with a focus on social media policies or guidelines
  • Considering an approval process before any content is posted, as some posts can be damaging to the organisation’s reputation
  • Engaging the IT department to institute adequate controls, as it is critical to protect confidential information and minimize breaches or other compromises
  • Monitoring social media platforms through listening tools to identify damaging content and taking corrective action
  • Considering use of data loss prevention tools, which can be beneficial not only for security but also for behavioural analytics (like time spent by employees on some websites/applications)
  • Considering a non-disparagement clause that would restrict employees from posting content that may negatively impact the organisation
  • Encouraging reporting by following the “if you see something, say something” rule in case a disgruntled employee posts undesirable and adverse content

Not very long ago, many companies still had policies restricting employees from taking any company data home. However, these uncertain times have shown that remote working, with access to relevant and useful data, and flexibility are possible and can even improve productivity. WFH is here to stay for the foreseeable future, and it is critical for organisations to have a clear risk mitigation strategy and institutionalise processes and controls to protect from the undesirable impact of social media. It is also important for employees to be included in social media risk mitigation measures and be constantly reminded of the vulnerabilities of social media.

About the Author:

Jagdeep Singh is a Partner with EY’s Forensic & Integrity Services based in Bangalore. He is a Chartered Accountant and a Certified Internal Auditor with around 22 years of professional experience. He advises clients on issues related to ethics, fraud, controls and governance and has led several investigations into suspected/alleged financial and behavioural misconduct, including bribery & corruption and data theft. Jagdeep has been a guest speaker at conferences and workshops related to Ethics, anti-bribery & corruption (including FCPA) and fraud prevention & detection.