The Challenging Task of Auditing Social Media

Author: Robert Findlay
Date Published: 15 December 2021

A request to audit social media is rarely confused with a pleasant sunny day at a picnic. It is fundamentally an audit of the organization’s marketing department, which comes with challenges, since marketers do not always follow best practices for internal controls. A social media audit is also not a true IT audit; it is an audit of a business function that happens to use internet-based tools.

However, it seems to be a topic that management pays attention to; I’ve had more calls from executives on social media audit than any other topic. To maximize the impact of the audit, there are a few main actions that should be covered in the review.

The first concept that everyone who uses social media must understand is that they have signed up to a cloud system. Often, people in marketing, communications and human resources (HR) departments have not made this connection. But the truth is that all social media platforms have the characteristics of software as a service (SaaS), and yet, for those involved in social media, security appears to be a low priority. Many teams who sign an enterprise up for Twitter, LinkedIn or Facebook are unlikely to check to see whether the service is secure and has any form of internal control.

Social media sites do not enforce any kind of password complexity rules. For example, Facebook advises users that longer passwords are usually more secure, but it does not enforce any password criteria. Weak passwords are the most commonly exploited vector, so it is surprising that the social media sites have not addressed this issue. Where a platform offers multifactor authentication (MFA), the audit should confirm that the teams managing the accounts are aware of it and are using it.

In general, when installing an IT system, an organization would not send the vendor all of its technical information on an ongoing basis, but that is exactly what happens when it signs up for social media platforms. In addition, organizations often do not review the privacy policy or the section of the contract covering third-party service providers and data sharing.

When performing a social media review, it is crucial to work with the marketing team to configure the strongest security and privacy settings available within the limits set by the social media site. The organization should provide only the level of data required to get the most out of the service, within the organization’s social media policy and strategy, without compromising security.

Possibly the biggest underestimated control weakness is users’ anonymity. No one knows who anyone really is on social media. Despite all the scrutiny social media has come under for trolling, fake news, fraud and hacking, it seems that social media platforms do not like to have a “know the customer” process.

So, how does the enterprise determine with whom it is interacting? Some enterprises use a step-by-step guide for obtaining information, starting at the initial engagement with the user; then, at certain points of interaction, additional data may be requested, along with appropriate forms of proof. This process should always be reviewed as part of the audit.

Fake sites are everywhere. And if any scam involving site impersonation occurs, it is the legitimate organization that must deal with the repercussions. Therefore, someone on the team should be responsible for checking social media for impersonation sites, including emerging, special interest or lesser-known social media sites anywhere in the world. Impersonation is much more likely to be a problem in countries in which the enterprise does not operate. There should also be regular monitoring of all postings, with procedures in place to deal promptly with any spurious or dangerous postings.

The peak of folly is outsourcing social media management without careful controls. In doing so, an organization effectively hands its internal controls to the third party as well. If an organization wants to outsource this function, the contract with the third party should be reviewed to ensure it specifies how often the sites will be updated, what sort of updates will be performed and what the quality of postings will be.

Your organization needs a well-thought-out approach to social media: it needs to know why social media is being used and adapt its controls accordingly. These controls should be the focus for any auditor given the challenging task of a social media review. Many organizations, such as the National Cybersecurity Alliance (CISA), the National Cyber Security Centre (NCSC) and the SANS Institute, offer resources on leading best practices for social media audit. There is huge potential for a significant contribution from audit in this area.

Editor’s note: For further insights on this topic, read Robert Findlay’s recent Journal article, “How Do Organizations Control Their Use of Social Media?”, ISACA Journal, volume 4, 2021.