When deploying security controls we need to consider
prevention, detection and response, and this case is no different.
Prevention.
There are a significant number of people - many of them
in very senior roles - who wear it as a badge of honour that they don't have any
social media accounts. Saying "I
don't understand this new-fangled social media" may sound reasonable
today, but 100 years ago the same people would have been saying "I don't
understand this new-fangled electricity", and then gone on to sink their
fortunes into steam power.
I'm not suggesting that everyone become Facebook
addicts. However, I am definitely
recommending that all companies and anyone with a senior role go out and
register accounts on all of the major social media sites, as a preventive
measure against anyone else doing it in their name.
There is no validation of who registers an account, and due to an
interesting bootstrapping problem it really is impossible for the social media
providers to confirm identities.
Twitter's blue tick isn't the answer.
We did this with domain names a decade ago, and we have
to do it all over again with social media now.
Detection.
Search for yourself on the search engine of your
choice. While it might be vanity, it
will also allow you to determine if anyone else is pretending to be you. Most of the major search engines allow you to
set up alerts on new pages that they find with a given term, and you can use
this as a detection mechanism against imposters.
This may be practical if you have a distinctive name, but
is going to be quite difficult for the John Smiths of the world. Even my name isn't unique in my own city, so
getting in first and registering early becomes very important.
Response.
If and when someone does register a social media account
in your name, there are a limited number of things that can be done about
it. It is always possible that they
really do have the same name as you, and you got in late, in which case, unless
they are committing fraud by pretending to be you specifically, you have no
comeback. Your only response is to consult your lawyer on
defamation laws in your jurisdiction.
Just like the domain squatters of the last decade, we now
have social media squatters. They can be
dealt with in similar ways: (a) pay them what they ask to get the identity
back; (b) raise a complaint with the social media provider; or (c) call the
lawyers. The difference here is that the
social media providers are for-profit companies, rather than not-for-profit
organisations, and they don't have the same social responsibilities.