Some of the things they should consider, and develop policy, standards and contingency plans for, could include the following:
- What social media sites and services will you use, and what will you share and accept back? Do you want to set up a YouTube channel? Will you accept people re-mixing your video posts? What is going too far, and how will you respond? Do you want to set up a Twitter account? How will you respond to "trolling" and mocking copycat accounts (see @BPGlobalPR for a case study)? If you set up a Facebook company profile or user group, what will you put on there? Will you allow, respond to or remove advertisers, head hunters etc.?
- Consider if the social media platform can leak information about your personnel or systems to an attacker. Consider if personnel should be individually identifiable. Could someone who is mentally disturbed trace a person from a corporate social media account to their personal one and retrieve information about their location, appearance etc. that could lead to a physical security problem?
- Consider if the target demographic is vulnerable or targeted by another group. For example, consider the case study of when internet miscreants raided a web forum for people with epilepsy and posted scripts and images intended to give viewers a seizure. Is your target audience elderly, a persecuted minority, subject to foreign or domestic government monitoring/intimidation etc.?