NEW YORK—Lenders use FICO scores to determine credit worthiness. Feedback ratings on eBay indicate whether a seller or buyer may be reputable. But someday could—and should—employers use a person’s “cyber reputation score” to determine his or her “insider threat rating” and whether that person is a risk to the company and its brand?
Some attendees at a recent cybersecurity conference balked at the notion, but the idea may not be too far-fetched and will have big ramifications for HR, one speaker said.
In the future “there will be a cyberrating of an individual that employers, one day, will look at and be able to say, ‘How much of a threat to my brand, my company and my data are you?’ ” predicted Rick Geritz, CEO of LifeJourney, a company that allows students to test-drive cybersecurity and STEM careers.
The score would be based on an analysis of things like the person’s workplace e-mails and LinkedIn, Facebook, Twitter and other social media traffic.
Speaking Sept. 25, 2013, on a panel about social media risks at the Cyber Security Summit, Geritz said such tools, if implemented broadly, would mean big “changes in the HR practice and the way that we hire people.”
During a Q&A, some attendees expressed concerns with the idea, particularly if job candidates were “harshly graded” on social media criteria and there was no way to repair their records. One attendee who did not provide his name said the concept gave him an Orwellian “1984” feeling and would create a “very, very dangerous precedent” that could eventually result in discrimination lawsuits.
Geritz, who is also chairman of the CyberMaryland initiative, said he understands such concerns, but he pointed out that many employers already casually check social media for information about potential hires.
Geritz added that companies such as RedOwl Analytics, a Baltimore startup, already offer tools to help determine risk. RedOwl software uses behavioral analytics to look for potential problems and illicit behavior by analyzing trends in a worker’s e-mails, phone records, BlackBerry Messenger and services like Bloomberg chat, used by the global financial community.
Meanwhile, Geritz’s company encourages students to keep their online record clean by activities such as allowing students to apply for a mock security clearance for a cybersecurity job and then showing them what social media information might prevent them from getting the position, he explained.
Overview of Risks
Because social media is a critical way for companies to advance business goals and corporate branding, many organizations are increasingly using employees as evangelists to communicate with potential or existing customers.
But do they know how to spot bad actors—people who position themselves as employees when they never were or are no longer with the company?
Polly Morton Wood, director of special projects for Reputation.com, an online reputation management and digital-privacy-protection firm, said organizations should monitor their online reputation to guard against incidents like a social media manager accidentally tweeting an inappropriate personal comment on the company Twitter feed.
They should also hold mock social media drills for crises like a product recall, particularly since many businesses are unprepared in such cases and find themselves scrambling. The key is knowing how and what to communicate without missteps.
“There’s a tension with social—you’re supposed to be on it, maybe giving information extremely fast, sometimes ahead of when you know it,” Wood noted.
Another risk is failing to have a consistent voice and to manage it. Many brands have several people overseeing company communications on social media platforms. Companies should make sure they’re acting as one cohesive entity, representing the organization in a positive way, and understand how easy it is to cause a problem for the brand.
“People managing social for companies basically are given the keys to what we refer to internally as our digital kingdom; so you really need them to respect that,” Wood said.
Speakers shared these other thoughts on social media risks:
Realize that risks will increase. Because social media is a relatively new technology, the dangers will only “grow proportionally over the next few years,” observed James C. Foster, founder and CEO of threat-management company Riskive.
Google, Twitter, LinkedIn and Facebook are sites many people hear about, but there are hundreds more, in different languages and in different countries, that companies probably have never heard of.
“If you don’t embrace how to get your arms around risk management of social media, social marketing and social-based software systems, you’re in a lot of trouble,” Foster warned.
Be positive and proactive. It may be difficult to get something deleted from the Internet, but there are ways to bury negative posts so they don’t show up at the top of search results. The key is controlling and influencing search and discovery mechanisms.
Create good will and content ahead of time so that news or comments that are negative or that “are misrepresenting a story don’t stick as much,” Wood advised. Search engines constantly record and recalibrate information. But without a strong online presence, it may be too late to push negative content down.
“Having a superstrong presence can be your best defense,” said panel moderator Michael Kaiser, executive director of the National Cyber Security Alliance. That’s particularly true when an organization’s followers come to its defense: “It’s basically crowdsourcing.”
Pamela Babcock is a freelance writer based in the New York City area.
Protect Your Business from Cyberthreats, SHRM Online Safety & Security, December 2012
Cybercrime 2012: Malware Threatens Social Media, Cloud Services, SHRM Online Safety & Security, December 2012
SHRM Online Safety & Security pageKeep up with the latest Safety & Security HR news