Ten years ago, Facebook claimed 20 million users. Now, that number has blown up to nearly 2 billion. For comparison’s sake, the United States population currently sits around 300 million people.
While some of the personal pitfalls associated with social media use are widely known, there are also many potential risks for businesses that are less understood. In my first installment of a series aimed at exploring cybersecurity facts versus fiction, let’s explore three related to social media.
Fact or Fiction? What your employees do on their personal social media poses little to no risk to your organization.
Fiction: Social media is a place where people let their guard down. It’s what your employees check on their lunch break; it’s what they do when they arrive home from work and before they go to sleep at night. On sites like Twitter and Facebook, where the atmosphere is casual, the tendency to let certain information slip is greater, which brings risk.
The information your employees freely post to social media can (and probably will) be used against them. Attackers often use social media as a reconnaissance tool to socially engineer their targets. Suddenly, the fact that you publicly tweeted that you attended a leadership conference can be used to craft a targeted phishing email containing a malicious link. While the Nigerian princes of yesteryear might instantly raise eyebrows, an email customized to the recipient makes the intended response (in this case, a click-through) far more likely.
LinkedIn is also being used to mine employees’ email addresses, so a phishing email containing a link to a malware-infected site or ransomware could very well be directed at your organization.
Solving the Problem: First, be pragmatic and realize that social media will always be attractive to attackers. But there are ways you can reduce the attack surface. Educate your employees on how much they should expose on social media, as well as how to make the best use of the available privacy settings. For example, Facebook recently made it much easier for people to apply stricter privacy settings to past posts.
Fact or Fiction? It’s best to have one person tasked with maintaining, monitoring and acting as an administrator for your various social media accounts.
Fiction: In theory, this is a best practice – especially for smaller organizations that may lack a dedicated social media staff. However, there are security risks in having one person hold all the social media tribal knowledge. The risk is amplified when the social media manager mixes personal with professional. For example, if your sole administrator has their personal account attached to your corporate accounts, and their personal account is hacked, you will land in hot water by extension. Not only does this threaten security, it also has the potential to damage your brand image. If even a few incendiary tweets come from your corporate account, it could push clients away and lead to negative media attention.
Another argument against one person holding all the “keys to the kingdom” is off-boarding. In cases where an employee gives notice, or it’s known that they are on their way out, you can plan accordingly and transition access. But should an employee suddenly quit, access to your social media accounts may go away with them.
Solving the Problem: While the reasoning behind a one-person social media team can seem logical, there are better methods available. Designate one person as the “main administrator,” but make sure that other employees – key executives, human resources, or the marketing department – also have access to the social media accounts and the information needed to administer them. Furthermore, store the passwords to all your corporate accounts in a shared password manager. No employee should be able to rattle off any password from memory, and none of your corporate social media passwords should be simple. A password manager (such as LastPass) can keep your passwords secure as well as help generate stronger ones. Additional tools like identity and access management (IAM) are also a good investment – IAM can verify a user’s identity, so if their email is hacked, a wider system breach is less likely.
Strongly discourage your employees from attaching their personal accounts to professional accounts. And if it must be done (as is the case on a site like LinkedIn), educate them on some basic security hygiene – they may already be aware of this, but a refresher never hurts.
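The two failure modes described above (a single administrator holding all access, and a personal account wired into a corporate one) are easy to audit once you keep an inventory of who administers which account. The following is an added example, not code from the original post or from any product it mentions: it runs a small audit over a constructed inventory of social media accounts, flags single-administrator accounts and accounts whose recovery address is not a corporate mailbox, lists which accounts need credential rotation when a named employee leaves, and generates a non-simple password of the kind a password manager would produce. The `SocialAccount` class, the `example.com` domain, the employee names and the sample accounts are all assumptions made up for the example.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class SocialAccount:
    """One corporate social media account (hypothetical model for the example)."""
    platform: str
    handle: str
    admins: list            # employee usernames holding admin rights
    recovery_email: str     # mailbox that receives password-reset links
    corporate_domain: str = "example.com"   # assumed corporate mail domain

    def uses_personal_recovery(self) -> bool:
        # Reset links going to a non-corporate mailbox mean a personal
        # account compromise becomes a corporate account compromise.
        return not self.recovery_email.lower().endswith("@" + self.corporate_domain)


def audit_accounts(accounts):
    """Return (platform, finding) pairs for the two risks discussed in the post."""
    findings = []
    for acct in accounts:
        if len(acct.admins) < 2:
            findings.append((acct.platform, "single administrator"))
        if acct.uses_personal_recovery():
            findings.append((acct.platform, "recovery email is not a corporate address"))
    return findings


def offboarding_actions(accounts, departing_user):
    """Accounts where the departing employee held admin rights; each one needs
    the admin removed and its credentials rotated in the shared password manager."""
    return sorted(a.platform for a in accounts if departing_user in a.admins)


def generate_password(length=20):
    """Generate a random password using the CSPRNG-backed `secrets` module,
    requiring at least one lowercase, uppercase, digit and punctuation character."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


# Constructed sample inventory (not real accounts or people).
SAMPLE_ACCOUNTS = [
    SocialAccount("Twitter", "@examplecorp", ["alice"], "alice.personal@mailhost.test"),
    SocialAccount("Facebook", "ExampleCorp", ["alice", "bob"], "social@example.com"),
    SocialAccount("LinkedIn", "example-corp", ["alice", "hr-team"], "hr@example.com"),
]

if __name__ == "__main__":
    for platform, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{platform}] {finding}")
    print("Rotate on alice's departure:", offboarding_actions(SAMPLE_ACCOUNTS, "alice"))
    print("Example generated password:", generate_password(24))
```

In the sample data the Twitter account is the only one with a single administrator and a personal recovery mailbox, so it is the one the audit flags; when "alice" leaves, all three accounts need rotation because she is an admin on each, which is exactly the "keys to the kingdom" exposure the post describes.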
Fact or Fiction? Social media is keeping pace with advancements in security.
Fact: It is, but don’t let this lull you into a false sense of safety. The responsibility for security does not rest with the social media sites. At the end of the day, this isn’t Mark Zuckerberg’s problem (he’s preoccupied with armies of fake profiles), it’s your problem to own. The controls only work as well as they are used.
Solving the Problem: You can stay ahead of the threat by implementing (and enforcing) a social media policy at your organization. While social media policies have traditionally been concerned with how employees should conduct themselves and how they should associate themselves with the organization, security needs to be part of the equation as well. A robust social media policy will incorporate security concerns – password guidelines as well as who can access each account – alongside guidelines geared toward brand standards.
Social media may not be at the forefront of your organization’s security radar, but certain aspects – your employees’ willingness to overshare, access to corporate accounts, and the security controls around them – demand a level of scrutiny. A social media policy and training will be the best tools in your arsenal as these platforms become even more of a cornerstone of modern life.
By: Christie Terrill