By Jim Benlein, CISA, CISM
Simple. Direct. Effective. Fast. If asked, many credit unions will point to these as key reasons they use Twitter to connect and communicate with members. Those same qualities explain why some credit unions (CUs) also use Twitter to communicate with their employees and have included it as a contact point for employees in their business continuity plans.
Twitter lets you protect an account so that its tweets are private. With a protected account, only the followers you have approved receive (that is, can view) its tweets, and those followers cannot retweet them. Using this feature, your credit union can create a Twitter account tied specifically to its continuity plan and use it to give employees updates on important information.
What the credit union tweets during a disaster will depend on the nature of the incident, but could include meeting reminders, information on relocation or rally points, and status updates on recovery efforts. As with member-facing Twitter communications, the credit union should develop a communication plan spelling out what will be tweeted during a disaster and when.
Because tweets may contain sensitive or confidential information about operations during a disaster, the credit union needs to assign someone to keep the subscriber (employee) list current: adding and removing the employees who receive disaster recovery tweets and validating and updating their contact information. Prompt removal matters, because an approved follower keeps receiving protected tweets until that account is removed from the follower list, whether or not the person still works for the CU. Depending on the credit union's size and staffing, the person maintaining the list could be the same person who sends the tweets or a different one. Whoever sends the tweets should be a designated member of the CU's incident response or business continuity team.
As with many things "social," the credit union should work with employees to create separate accounts for following the credit union's disaster recovery Twitter feed. Twitter allows a person to hold more than one account, so employees can keep their personal Twitter accounts separate from the one used for work.
When sending tweets, a credit union needs to remember that while a protected account limits who is authorized to receive its tweets, it doesn't completely protect against unauthorized viewing of them. An approved employee's account can be compromised, a phone can be left unlocked, or a tweet can simply be read over someone's shoulder. Because of this, the CU should be careful about the information it sends and how it sends it. A good rule is to announce that something has changed without putting the new value in the tweet. For example, I'd prefer this tweet: "…Due to the recent incident, alarm codes have been reset…" over this one: "Due to the recent incident, alarm codes have been reset to 1793 …"
As the ongoing hijacks of Twitter accounts have shown, a credit union needs to secure the administrative login and password for the Twitter account. Whoever controls that login can not only read the feed but also post false instructions to employees in the middle of a crisis. The CU should enable Twitter's newly available two-factor authentication (login verification) for this and all official CU Twitter feeds, and limit knowledge of the account password to the designated senders.
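One way to enforce the "announce the change, don't broadcast the value" rule is to screen every outgoing message before it is posted. The following Python is an added example written for this article, not code from the author or from Twitter; the sample messages and the patterns it flags are constructed for illustration, and a real CU would tune the patterns to its own terminology (alarm codes, vault combinations, VPN passwords, and so on).

```python
import re

# Constructed sample messages for the disaster recovery feed (not from the article).
SAMPLE_TWEETS = [
    "Due to the recent incident, alarm codes have been reset. See your manager for the new code.",
    "Due to the recent incident, alarm codes have been reset to 1793.",
    "Rally point for branch staff: the Elm St. parking lot, 9:00 AM Monday.",
    "Temporary VPN password is Winter2013! until further notice.",
]

# Patterns that indicate a secret value is being broadcast rather than merely announced.
# Each entry is (regex, reason reported to the sender). Assumption: these cover the
# kinds of secrets a CU would be tempted to tweet; extend the list for your environment.
SECRET_PATTERNS = [
    # "alarm codes ... reset to 1793": a physical-security code followed by its value
    (r"\b(?:alarm|door|safe|vault)\s+codes?\b[^.\n]*?\b\d{3,}\b", "alarm/door/safe code value"),
    # "password is Winter2013!": a credential followed by its value
    (r"\b(?:password|passcode|pin|passphrase)\b[^.\n]*?(?:is|:|=)\s*\S+", "credential value"),
    # any bare run of 4+ digits, which is rarely needed in a status update
    (r"\b\d{4,}\b", "bare digit sequence of 4+ digits"),
]

TWEET_LIMIT = 140  # Twitter's limit at the time of writing (assumption; adjust if it changes)


def screen_tweet(text):
    """Return (ok, reasons). ok is False when the message should not be sent as written.

    reasons lists every rule the message tripped so the sender can rewrite it.
    """
    reasons = []
    if len(text) > TWEET_LIMIT:
        reasons.append("length %d exceeds %d" % (len(text), TWEET_LIMIT))
    for pattern, label in SECRET_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            reasons.append(label)
    return (not reasons, reasons)


def screen_batch(messages):
    """Screen a list of messages; returns a list of (message, ok, reasons)."""
    return [(m,) + screen_tweet(m) for m in messages]


if __name__ == "__main__":
    for message, ok, reasons in screen_batch(SAMPLE_TWEETS):
        verdict = "OK  " if ok else "HOLD"
        print("%s %s" % (verdict, message))
        for r in reasons:
            print("       - %s" % r)
```

The screen is deliberately conservative: a bare four-digit year like "2013" in a status update will be held and has to be reworded or approved by hand. That is the right failure mode for a channel whose readers' phones and accounts you do not control; the cost of rewording a tweet is trivial next to the cost of a leaked alarm code.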
To determine how well using Twitter to reach employees may work at your CU, consider a pilot program with a limited number of employees. You won't be sending incident-specific tweets, but you can send helpful information as part of the test. Every once in a while, send a message that requires a response, such as "When you read this, call John in IT," and track how many employees respond and how quickly. If the pilot shows employees are viewing and acting on tweeted information, you can work on adding a Twitter feed to the employee contact and communication section of your incident response/business continuity plan.
Jim Benlein, CISA, CISM, is the owner of KGS Consulting, LLC. KGS Consulting provides policy and practice consulting and auditing services on information technology governance and information security for CUs.