More than half the people in the world are on social media – that’s nearly 5 billion – and it’s not going anywhere. Most of us love it. Many of us actually need it. We use it to stay connected with family, friends and colleagues. To promote causes and share our positions on the day’s topics. For entertainment and information, to look for jobs, and to generate business. Unfortunately, this huge global online presence comes with a huge risk of cyber threats. And in cases where our posts and profiles are tied in any way to our work, the organizations we work for become equally at risk for the compromise of data. For this reason, both social media users and the businesses that employ them need to proceed with caution.
Security advice for employees
Paying attention to the following advice can help keep both the user and their organization safe from compromise:
By including personal information in your posts, you are tempting cybercriminals in many ways. By advertising where you live, work, and travel you are giving them information they can use to try and trick you and others on your staff. Spear phishing and whaling are types of phishing attacks that target individuals by using detailed information they have gathered in advance. Much of it can be collected (and even inferred) from employees’ social media posts and profiles. They can also use that information for spoofing, where they impersonate one employee – a boss, an IT staffer, someone in HR – to trick another into providing more confidential information, or even transferring money. This was exactly what happened recently in Las Vegas, where criminals impersonated an employee and the casino’s IT department took the bait. The result? Multiple millions of dollars lost…and the good faith of unknown numbers of customers.
Beware of the “fun and games”
We’ve all seen them: those fun and often silly quizzes and games on social media. Unfortunately, not all these forms of entertainment are so innocent. Many are put there by cybercriminals to help them collect personal information without you even realizing they are doing so! Maiden names, pet names, the name of your high school mascot, your date of birth… This is information they can try out as potential passwords, or use to answer the security questions that protect account recovery for your own account! Even those quizzes and games that do not have such a level of malicious intent behind them are often still there to collect your data for targeted marketing purposes.
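The point above, that quiz answers double as password and recovery-question guesses, can be checked mechanically. The following is an added example, not part of the original article: it expands a constructed profile (maiden name, pet name, mascot, date of birth) into the strings an attacker would try first and reports which of them are embedded in a password or recovery answer, including common character substitutions such as "B1scu1t". All names and the sample profile are assumptions made up for the example.

```python
import re
from datetime import date

# Common substitutions ("B1scu1t", "T1g3r$") that do not make a profile-derived guess harder.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})


def _squash(text):
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def profile_tokens(profile):
    """Expand the facts a quiz can harvest into the strings an attacker would try first.

    profile: dict of labelled facts; a datetime.date value is expanded into the
    usual year / day-month / month-day layouts, everything else is squashed as-is."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens.update(value.strftime(f) for f in ("%Y", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d", "%d%m"))
        else:
            tokens.add(_squash(value))
    # Drop fragments too short to be a meaningful match.
    return {t for t in tokens if len(t) >= 3}


def profile_overlap(secret, profile):
    """Return, sorted, the profile facts embedded in a password or recovery answer.

    An empty list means the secret does not reuse anything from the profile."""
    plain = _squash(secret)
    folded = _squash(secret.lower().translate(_LEET))
    return sorted(t for t in profile_tokens(profile) if t in plain or t in folded)


# Constructed sample profile: the kind of answers a "what's your pet's name?" quiz harvests.
SAMPLE_PROFILE = {
    "maiden_name": "O'Connor",
    "pet_name": "Biscuit",
    "school_mascot": "Tigers",
    "birth_date": date(1988, 4, 12),
}

if __name__ == "__main__":
    for candidate in ("B1scu1t!2024", "Tigers88", "oconnor1988", "correct-horse-battery"):
        print(candidate, "->", profile_overlap(candidate, SAMPLE_PROFILE) or "no overlap")
```

The same function works for recovery answers: an answer that overlaps the profile is one a quiz could have harvested.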
Check your settings
Every social media network provides you with controls that you can adjust for privacy. Make sure you know who has access to your information, including phone numbers, date of birth, location, gender, or personal and professional connections. Consider turning off geotagging information so that your location cannot be tracked.
Know your organization’s social media policy
It should go without saying that you should never share your organization’s confidential data. But take care not to overshare things about your company in general, even if they feel benign to you. For example, photos from office parties, meetings or gatherings may contain more information than you realize (e.g., writing on a whiteboard in the background). Some employees – or visitors – may not be happy with their image being shared, or their location being known. Make sure you are fully aware of your organization’s policies surrounding what you can and cannot share on social media.
A few other dos and don’ts
- Keep your portable device secure: Make sure your phone is always locked when you’re not using it.
- Avoid public Wi-Fi: Using social media via untrusted, public Wi-Fi hotspots puts you at risk for having data intercepted by a hacker.
- Be cautious with friend/connection requests: Cybercriminals can send friend requests from an authentic-looking account that has mutual friends, hoping users will accept and so open the door to a social engineering attack. They can also use compromised accounts to pretend to be someone you know. Always proceed with caution!
- Never trust unexpected messages or ads on social media that promise something that sounds too good to be true. This is particularly true if they use urgency to get you to make a quick decision.
How can your organization combat the threat?
The primary cybersecurity risks to any organization posed by social media are those related to social engineering attempts (phishing), identity theft, and the spread of malware. So, what can you do to limit those risks?
Limit social media access to a select few
Larger organizations often have teams that manage their presence on social media, from posting to messaging and responding to customers. Smaller organizations may consider having a single person, well-trained in social media cybersecurity awareness, oversee all social media. The fewer people with access to social media accounts, the smaller the attack surface and the more difficult the accounts are to breach. Whoever is put in charge of social media should maintain close communication with the IT department to monitor and mitigate all risks. They should regularly review all reported threats and use tools to identify suspicious account activity.
Set up a social media policy
An organization-wide social media policy should be available to – and signed-off on by – everyone in the organization, including the top-level staff. This policy must include guidelines for both personal and professional social media use and be very specific about what is prohibited. It should also include clear instructions on what steps to take when experiencing or suspecting a threat. Beyond cybersecurity issues, the policy should also consider regulatory compliance, discrimination and harassment concerns, and a general code of conduct online.
Social media training
Build on the social media policy to ensure people are familiar with the best cybersecurity practices to increase social media security and have the necessary skills to follow them. Training should be interactive for best results and include all of the advice I provided earlier.
Make sure all office and remotely-based work computers and mobile devices are set up with – and regularly updated with – anti-malware software. If a hacker is able to get past the human element, anti-malware software might still be able to stop an attack.
Establish an official presence on social media
Many organizations have a presence on social media platforms like LinkedIn and Facebook. If your organization is smaller and this is not something you’ve yet done, it’s not a bad idea to set up an official account…even if you don’t use it. Why? Because cybercriminals can take advantage of your lack of presence and gather information from the internet – and from your staff’s personal accounts – to create a fake account in your organization’s name. They can even use your logo and other graphics from your website to create a very realistic-looking fake profile. The danger this poses to your reputation should not be minimized.