Early Alerts Spur Action

Why corporate security teams rely on social media for real-time information

Social media is transforming information distribution. Increasingly, it is where breaking news first appears. It’s where high-profile politicians make announcements, share opinions and shape public debate on the issues. It’s instantaneous, pervasive and truly global.

And social media is deeply embedded in popular culture. Social media users number in the billions (2.46 billion in 2017), and they’re doing more than just sharing jokes. In fact, many individuals use the medium primarily to share what they are experiencing at any given moment. When news happens, these eyewitnesses can post a description or share a video instantly.

New tools exist which allow practitioners to harness the power of publicly available social media and deliver real-time alerts to corporate security teams across the globe. In the age of real-time information, pressures on security teams are rising considerably. Influenced by an incredibly fast-paced news culture, stakeholders across the enterprise expect security teams to know everything immediately and develop strategic responses faster than ever. Of course, social media also gives corporate security teams an edge they’ve never had — the ability to detect and understand critical events sooner.

To study these dynamics more closely, Dataminr interviewed corporate security leaders from a range of industries. These stakeholders represent five firms, ranging in size from 2,150 to 300,000 employees and from $260 million to $8.6 billion in annual net income. Our objective was to learn how these companies handle the flow of information to and from the global security operations center (GSOC). We also wanted to see how real-time alerts generated from social media were changing the way these companies responded to breaking news.

The results were informative. Here are some of the key takeaways:

  • Social media alerts arrive earlier, giving security teams extra time to respond.
  • Efficiency depends more on established processes than a specific organizational structure.
  • There is not a direct relationship between team size and scope of responsibility.
  • Well-established GSOCs excel at cataloging events for future analysis and trend detection.

Security Without Reservation

This hospitality company has more locations than any other company we interviewed. With thousands of properties in its domain, the company’s corporate security team must use resources wisely and maintain an efficient flow of information.

It does this through a GSOC established more than a decade ago, staffed by a team of 25 analysts who share a wide range of security responsibilities. Open source data feeds and finished intelligence assessments from subscription vendors provide the bulk of their security information.

The hospitality provider is currently focused on dealing with rapid growth and scaling robust processes. Another top priority, with which any corporate security team can identify, is demonstrating its value internally as lines of business compete for limited budgets.

Favoring a centralized flow common in large organizations, this company has all information arrive at its GSOC. Depending on the initial assessment, the regional security director is notified of a relevant event or crisis, along with a designated executive. Then locations in the affected area are notified. Security analysts develop an appropriate response, adjust the threat posture, and notify the relevant head of operations.

Interestingly, security communications are distributed widely. On all communications, the “cc” list includes the PR crisis team, fire and life safety team, medical personnel, and the claims and insurance team. This partnership helps each team maintain awareness and carry out their own efforts as necessary, while supporting a coordinated response across the company. All incidents and GSOC actions are recorded for subsequent analysis.

Social media played a critical role in the company’s response to the Brussels airport bombing in 2016. An alert sourced from social media informed the GSOC of the rapidly unfolding incident 20 to 30 minutes prior to any other information source. This early tip spurred analysts to perform additional research on social media to corroborate and contextualize the event.

While this research was performed, local facilities were notified along with the European security director. As a clearer picture emerged, the company sent a report to key stakeholders via email so they could carry out their own notification responsibilities. Later, a second social media alert provided a similar time buffer when a second coordinated attack hit the city’s metro station.

Banking on Reliable Information

This leading global bank’s security operations team provides security for tens of thousands of employees as well as the brand’s reputation. As the largest company we interviewed, with the largest security team, the bank demonstrates how a complex global organization can streamline information flow in the GSOC with a well-defined process fueled by real-time, open source information.

The bank’s security team is seasoned, having been assembled before 9/11. It includes approximately 100 people, plus contractors, and most of its work is focused on dealing with alarms and physical security. The GSOC receives information from several subscription services, as well as a variety of news feeds.

These sources can trigger an event analysis, which follows a rigorous process designed to distribute important details to local resources as quickly as possible.

  1. Information arrives from various open sources.
  2. Analysts at the GSOC perform preliminary vetting.
  3. If the information is valid, analysts create a spot report.
  4. If the event is critical (such as a terror attack) analysts call stakeholders directly.
  5. The spot report is emailed to a select group of decision-makers.
  6. Analysts perform a deeper dive, sharing details with affected regional managers.
  7. In an emergency, the GSOC notifies all employees and security centers in the affected area.

Analysts catalog events in a historical database so they can be referenced during similar future events. This is a popular tactic with many applications. For example, a string of social media alerts can be used in training modules to help security teams understand how conflicting reports emerge during a chaotic event, such as a natural disaster or active shooter. This can help teams resist the urge to disseminate information too rapidly in a crisis, risking false positives.

Stakeholders outside of corporate security can also use this historical database to inform business decisions. For example, when deciding where to locate a new office, the risk management team can use the frequency of proximate security incidents to assess the relative physical security risk.

When asked to share an example of how social media has changed its information flow, the bank volunteered its experience dealing with the Las Vegas shooting in October 2017, when a gunman opened fire at concertgoers, killing 58 and wounding more than 500.

According to the bank, a real-time alert from social media provided the first indication that something was wrong. The alert arrived within a minute of the first shots being fired. The team immediately pulled up a map to visualize its local facilities and determine whether any employees were traveling in the area. Analysts put the essential details together in a spot report and distributed it to the first tier of stakeholders, including the Las Vegas regional manager.

Relevant stakeholders and senior executives received the security team’s initial assessment of the incident before the event appeared on mainstream news channels.

Essentially, this spot report provides all stakeholders with a “single version of the truth,” eliminating the risk of discrepancies and confusion during a chaotic event. With a common report in hand, the team confirmed the details and produced follow-ups as more news reports emerged. Fortunately for the bank, none of its employees was affected by the shooting.

Driving Toward Decentralization

This company built its corporate security team in 2014. Its team of 100 professionals spends much of its time on executive protection and threat assessment because threats to the company’s drivers are frequent. Unfortunately, threat assessment is a manually intensive task.

In fact, the team’s top priority for the next five years is to increase automation and relieve this pressure.

In addition to these priorities, the GSOC handles intelligence analysis, crisis management, and engineering response (events that require the company to rapidly implement changes to its app or online properties).

The company uses a variety of open source feeds, as well as select online forums and social media platforms. Information flow is decentralized, with regional managers responsible for relaying information and executing the response. It’s important to note that this approach works very well because it aligns with the company’s highly distributed business model.

  1. Regional security managers receive incoming information.
  2. Information of interest gets forwarded to the GSOC.
  3. GSOC analysts vet the information and return it to the regional security manager.
  4. If action is required, the regional manager coordinates with relevant teams.

Just like the bank, this company catalogs every event within an incident management platform with more than 70 categories. Detailed records help identify trends and inform security planning and process development. Because this team is relatively new, its second priority for the next five years is developing resiliency through more well-established processes, including event-specific playbooks and procedures.

The company indicated that social media played a key role in its response to the London Bridge terror attack of June 2017, which killed seven and injured 50. Social media provided the first indication of the event, with subsequent real-time alerts providing details and confirmation from increasingly credible sources. The social media alerts prompted the security team to notify employees in the area, and to begin working with communications to coordinate public messaging.

Building a Culture of Security

This fast-growing biotech company established its GSOC in 2015. It is the smallest team we spoke with and has just three full-time employees plus contractors. Its GSOC is staffed by two team members 24/7 and a third during weekday business hours for additional support.

As both a new and small team, this GSOC demonstrates how the size of a team does not necessarily indicate the scope of responsibility or the size of the daily workload. The biotech’s security team, for example, takes full advantage of technology to cover its global locations with limited resources. The centerpiece of the GSOC is an impressive common operating picture used to maintain awareness of events. The display includes open source information feeds and a mix of local and global news outlets.

What’s more, the company’s growth accentuates the GSOC’s focus on efficiency because it must continually cover new sites without increasing its staff. To do this, the GSOC uses subscription social media analytics software to help automate coverage of wider geographic areas. Standard operating procedures — an absolute essential for efficiency — expedite incident response times by delineating clear responsibilities. The core team triages and contextualizes incoming information before disseminating to relevant stakeholders, often including site security leaders, communications, and senior executives. Subsequent updates are provided proactively.

The April 2017 terror attack in Stockholm, Sweden, illustrated the effectiveness of the team’s reliance on automated real-time social media alerting and standard response procedures. A subscription social media alerting service detected the event and provided imagery from the scene several minutes before other information sources. Early notification allowed the security team to execute their response procedures before the incident appeared across major news services.

Dealing With Crisis

The GSOC function for this very large manufacturing concern is fulfilled by a dedicated crisis management team based in Europe. It was established in 2012 and involves four professionals whose sole focus is reacting to crisis events in concert with the larger corporate security apparatus. The bigger group includes three regional teams, each with its own regional security director.

Like the other teams we interviewed, the crisis management group uses a mix of open source feeds, OSAC reporting, major news feeds, Twitter and an in-house travel management system.

One of its top priorities for the next five years, however, is improving its approach to data streams. According to our interview respondent, filtering high volumes of incoming information is a significant challenge.

Social media inputs are a key part of the crisis team’s information flow. Specifically, the team uses real-time alerts driven by social media to access event data within a 10-mile radius of each property. The combination of automated social media event monitoring and tight geofencing reduces inbound noise and increases efficiency. This is another example of how a relatively small team takes on a large responsibility by taking full advantage of available technology, including social media.
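The geofencing described above can be sketched as a distance filter. This is an added example, not code from the article or from any alerting product; the site names, coordinates and alerts are constructed, and only the 10-mile radius comes from the text. Alerts that carry no coordinates go to analyst review rather than being discarded, since a distance filter cannot judge them.

```python
import math

EARTH_RADIUS_MILES = 3958.8
GEOFENCE_MILES = 10.0  # radius the article cites for each property

# Constructed sample data: site names and coordinates are illustrative assumptions.
PROPERTIES = {
    "barcelona-office": (41.3851, 2.1734),
    "stockholm-lab": (59.3293, 18.0686),
}
ALERTS = [
    {"id": "a1", "text": "Train accident at city station", "lat": 41.3809, "lon": 2.1866},
    {"id": "a2", "text": "Road closure", "lat": 41.9794, "lon": 2.8214},
    {"id": "a3", "text": "Vehicle incident downtown", "lat": 59.3326, "lon": 18.0649},
    {"id": "a4", "text": "Explosion reported, location unclear", "lat": None, "lon": None},
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def nearest_site(alert, properties=PROPERTIES, radius=GEOFENCE_MILES):
    """Return (site, miles) for the closest property inside the fence, else None."""
    hits = [
        (name, haversine_miles(alert["lat"], alert["lon"], lat, lon))
        for name, (lat, lon) in properties.items()
    ]
    name, miles = min(hits, key=lambda h: h[1])
    return (name, miles) if miles <= radius else None

def triage(alerts):
    """Split alerts into routed, dropped (outside every fence) and needs-review."""
    result = {"routed": {}, "dropped": [], "review": []}
    for alert in alerts:
        if alert["lat"] is None or alert["lon"] is None:
            # No geotag: a distance filter cannot judge it, so keep it for an analyst.
            result["review"].append(alert["id"])
            continue
        hit = nearest_site(alert)
        if hit:
            result["routed"][alert["id"]] = hit[0]
        else:
            result["dropped"].append(alert["id"])
    return result

if __name__ == "__main__":
    print(triage(ALERTS))
```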

The team’s process was put to the test in July 2017 when a train accident in Barcelona, Spain, injured 56 people. A real-time social media alert notified the team of the crash before mainstream news outlets, giving the team extra time to react. The company has hundreds of employees who work in the city. Fortunately, only a small number were traveling that day and none was affected. With the early notification, however, the team could quickly review the available details, and confirm to senior leadership that none of their employees needed assistance.

Preparing for a Social Future

Social media is changing what corporate security teams are expected to do, as well as helping them meet these new expectations. It is clear from these interviews that social media is becoming a standard source of information in the GSOC, across industries and among both new and more experienced teams. In many cases, real-time alerts sourced from social media content can give security organizations valuable extra time during critical events.

Social media has other built-in advantages as well. When cataloging events for future reference, teams can easily refer to specific alerts (or a series of posts) for images, video and other contextual details. Social media content lends itself to analytics that can help teams understand how information travels during common high-risk events.

The utility of social media data for corporate security teams will increase as these public platforms assume a larger role in modern life. Teams armed with the best social media services and standard operating procedures will be well positioned to respond optimally to diverse and unexpected threats. 

Dillon Twombly is vice president and head of corporate risk and PR/corporate communications in sales at Dataminr.