Digital Crisis Management – Social Media Edition

Ameca Jones 08-11-2023

While Legal Firms are focusing on the ‘typical’ digital cyber-risks, such as email hacking, phishing emails, potential website compromises and miscellaneous scams in their Business Continuity Plans, they may not be prepared to deal with a digital crisis in relation to their social media Accounts.

In this article, Ameca Jones, Social Media Manager for cpm21 discusses the potential risks that apply to a legal firm’s social media accounts and what procedures should be in place to deal with and minimise them.

Firstly, what is a social media digital crisis?

This can be considered as a destructive and unexpected event that happens on a firm’s social media Accounts. It can hurt an organisation’s reputation, or in worse case scenarios make it appear that it is guilty of a criminal offence. Crises often spread quickly on social media and cause major problems for firms.

To minimise the impact of such risks and react promptly, a firm must have a “digital crisis management plan.” Below are 6 sections that are considered as vital to include in such a plan.

Section 1- Risk Analysis.

The following is a non-exhaustive list of some of the risks that would be considered as most relevant to a legal firm:

  • Social Media Accounts being hacked.
  • Content posted was incorrect/offensive.
  • Trolling- False Reviews.
  • Cloning of Social Media Accounts.
  • Social Engineering – tricking clients into revealing specific information that can be used for criminal purposes.

Once risks are identified, firms should then assess the likelihood, on a scale of 1-5 that the above (and others) could happen to its Social Media Accounts. The consequences of each risk noted above should then be considered by rating their severity. This can also be expressed as a number on a 1-5 scale.

The two numbers should be multiplied to give a “risk priority number (RPN).” The bigger the number, the greater the risk posed to the firm. Once the RPN has been determined, any mitigating measures taken to reduce the risk should be factored in and the RPN recalculated. It is interesting to note here that while the likelihood of the risk may reduce, the severity is unlikely to.

When this “mitigation” step has been taken, then the remaining risk levels can be seen, and this is what the firm then needs to focus on in terms of priorities.

Section 2- Activation Protocol.

Who will be the person responsible for raising the alarm that a social media “meltdown” has happened and activate any of the firm’s contingency plans? This must be clearly set out for anyone in the firm to know who to contact.

Section 3- Chain of Command.

The chain of command is a contingency measure in and of itself. Firms must give consideration to the scenario of what happens if “Person A” in the chain of command for example, is on holidays? Who will be identified as Person B, Person C etc? Do all of these have access to the relevant Social Media Account passwords and administration rights in order to ensure swift reaction to any problem being raised through the protocol?

Section 4- Response Action Plan.

Based on each risk that has been identified by the firm in their order of priority (based on the RPN number) a ‘Response Action Plan’ should be generated. As an example, the following demonstrates a firm’s response to a Social Media Account being hacked;

If social media accounts are hacked, the best thing to do is go into full lockdown mode. Suspend all accounts and change the login details for them with strong passwords. Not just on social media accounts, but everything else which holds private data, too. It may not have been the social media account that was hacked initially, but via an email address linked to the company. That’s a gateway towards changing login details on other Accounts, therefore email information must also be updated. The firm’s security providers should also be contacted at this point.

Section 5- Training.

To ensure the firm is always improving and developing its protections for its social media accounts, training should be provided after the digital crisis to ensure continuous improvement in future responses.

Section 6 – Review.

Firms need to ensure that regular reviews of the plan take place in line with social media and digital technology updates to determine new emerging risks that may apply so that protocols can be updated.

So, if your firm doesn’t have a digital crisis management plan, you may want to start working on one now…