Social media is now firmly embedded in our society, accompanied by a range of challenges. We explore two modern social media issues for councils: cyber-attacks and online public risk notifications.
Besides its questionable and somewhat ironic impact on the sociability of Australians, social media is increasingly part of our everyday life.
The latest data from Sensis illustrates just how prevalent social media consumption has become1:
- 79% of Australians use social media, including 99% of 18-29 year olds;
- 59% of social media users do so daily;
- 35% access social media more than five times a day; and
- 57% say it’s the first thing they do every morning.
It’s now acceptable to use social media just about anywhere; on the bus in the morning, when eating your lunch and while watching TV at home. It’s also become commonplace to use social media at work, widely perceived to be akin to making personal phone calls.
Organisations often disallow use of non-essential social media in the workplace, with some implementing a zero-tolerance policy. However, this measure is tough to track or control, especially with the proliferation of mobile devices.
In a local government context, the prevalence of social media presents an increasing number of risks. Here we look into two aspects of concern: social media as a popular target of cyber-attacks and the relevance of social media as a public medium for liability risk notifications.
Cyber-crime’s love affair with social media
Social media platforms such as Facebook, Twitter, LinkedIn and Instagram are now the preferred vehicle for cyber-attacks on organisations. Unsuspecting employees accessing personal social media accounts on work issued devices are often the targets.
Using Facebook as an example, here’s how these attacks can work: A seemingly innocent post will catch an employee’s eye while they’re scrolling through the usual stream of friends’ holiday pictures and funny memes. They’ll click on the post and malware, short for malicious software, becomes activated.
It’s that simple.
The attackers can then gain access to all the information on the employee’s computer – and possibly the organisation’s shared network. Quite often, the organisation isn’t even aware of the security breach.
Spear phishing statistics don’t lie
Known as ‘spear phishing’, attackers can use a victim’s publicly available personal information, hobbies, locations and user data to craft appealing posts. They can also pose as a friend within a social network. This dramatically increases the ‘clickability’ of such posts, at the same time making them attractive to share. The potential ‘viral’ effect of a cyber-attack is alarming.
Unlike the Nigerian prince email-based scams, most users aren’t nearly as suspicious of social media based cyber-attacks. It’s estimated that 30% of scam emails are opened, yet this increases to 66% of spear phishing messages sent through social media2.
In fact, a study conducted by international telecommunications strategic forecasters Stratecast indicates that 22% of social media users have fallen victim to a security-related incident3. In real numbers, that’s around 4 million Facebook users, 1.96 million Instagram users, 1.36 million Twitter users and 766,000 LinkedIn users in Australia alone4.
What does this mean for local government?
It’s unfortunate that we live in a world where no individual, business or organisation is safe from social media cyber-attacks.
Motivated by substantial financial gains, attackers seem to remain one step ahead. Experts agree that even the most advanced malware protection software isn’t enough to stop all attacks.
In consideration of this, social media users are urged to take additional precautions. These include:
- avoid using social media at work;
- use unique login details for each type of social media account and regularly change passwords;
- be selective about what friendship requests are accepted; and
- be cautious when clicking on links – for example, look out for language inconsistent with the norm.
Thankfully, most Statewide Mutual Members are covered for losses incurred through attacks on computer networks under the Crime Scheme – primarily through cyber cover. Cyber cover provides first party and third party protection for losses resulting from unauthorised access to a council’s computer network. Cover also extends to brand reputation damage and cyber extortion.
Protection against emerging risks through access to broad coverage is yet another benefit of Statewide Mutual membership.
Social media’s role in public risk notification
Picture this scenario: a section of footpath in your community displaces following heavy rain, exposing a shallow void below. A resident notices the damage and posts about it on Council’s Facebook page. The liability risk isn’t picked up and acted upon by Council’s risk department.
A few days later, another resident stumbles on the section of path while walking their dog at night. They land awkwardly in the exposed hole and significant injury results.
Such a hypothetical raises many questions. Was Council given appropriate warning of the risk? Why didn’t they fix the problem when notified? Does ignoring the liability risk potentially increase culpability in the eyes of the law?
What the experts have to say
Greg Daniel and Anthony Mason from KPMG’s Social Media Intelligence Group spoke on the topic at last year’s Risk Management Conference. They raised some interesting points in urging councils to embrace social media and treat it as a mitigation tool towards limiting risk exposure.
“Social media is a lead indicator of risk,” Greg observed. “Councils are now adopting a more strategic approach to how social media is used, both as a tool for risk management and as a tool for creating opportunity.”
No doubt ratepayers find hammering out a Facebook post much easier than emailing or calling Council with a complaint or risk notification.
“Local communities feel empowered by being able to access Council on social media,” Greg continued. “It makes local government more accessible to ratepayers” who have every reason to use social media platforms as another notification medium.
We’re unaware of any cases being tested in court involving risk notifications through social media. However, experts such as Anthony Mason believe, “Social media information is legitimate courtroom evidence.” He goes on to express the view that, “Someone posting on a Facebook page will be considered due warning [of an incident]… and the courts will say you should have known because it was within your digital infrastructure.”
Anthony believes there will be high profile cases in Australia’s near future where social media data changes culpability around an incident.
Tips for social media monitoring
Sound monitoring programs are vital in staying abreast of public discussion on Council’s social media accounts. This may include Council’s risk managers working with the traditional marketing and PR department to gain oversight of social media content.
Software tools are also available to create auto-alerts for keywords and phrases being used by the public on social media. Such technology aims to notify a council when their name is used in conjunction with words such as broken, collapse, danger or sue.
Like to know more?
Talk with your IT team for specific information on how to best protect Council from social media cyber-attacks.
Your Account Manager can put you in touch with KPMG’s Social Media Intelligence Group to address any queries regarding Council’s risk exposure through social media. You can also download KPMG’s ‘Social Media for Local Government’ fact sheet.
4 estimated at 31 March 2017 using data from https://www.sensis.com.au/asset/PDFdirectory/Sensis_Social_Media_Report_2017-Chapter-1.pdf