More than 58% of the world’s 7.9 billion people have social media accounts. And the average user has accounts with 8.4 different social media sites. That’s a lot of personal online activity.
Since cyberattackers have a penchant for social engineering, all that personal exposure online can have significant security consequences for your organization. That’s why I sat down with Berkeley Varitronics President and CEO Scott Schober and cybersecurity expert Shahid N. Shah to discuss the implications of social media for the cybersecurity community.
Q1: What cybersecurity risks do you associate with the personal use of social media?
A1 (Schober): Social networks offer a treasure trove of publicly available details on billions of individuals. This information is available for free—and the individuals themselves may not even be aware of everything they’re revealing.
Plus, the same network effect that powers these platforms also creates trillions of “breadcrumb trails” between all these users. Each of these trails can reveal even more personal information, which can directly or indirectly reveal user locations, passwords, medical conditions, associations, and more.
These exposures of information also extend from individuals to their employers, as well as other organizations and business relationships across markets and supply chains.
Q2: Organizations also have their own social media accounts. What about those?
A2 (Shah): Organizations are making increased use of social media because it’s such a powerful way to get the word out about your value proposition, to build relational lines of communication, and to boost brand awareness. But an organization’s presence on social media also generates risk, because that presence can expose a lot of information about the organization’s inner workings. For example, if you proudly announce you’ve brought on a new hire in your finance department, an attacker may see the “changing of the guard” as a window of opportunity for phishing and/or spearphishing.
Q3: What do you recommend we do to mitigate the cybersecurity risks created by social media?
A3 (Schober): Organizations can help protect themselves and their employees by promoting best practices for the use of social media. These practices include:
- Understanding that our actions on social media can be amplified, manipulated, and abused by bad actors to harm others in real life.
- Using a strong and unique password for every social network.
- Using 2FA/MFA whenever the option is available.
- Never tagging, doxing, or posting any information about any other individual or organization without their prior consent. This is for both security reasons and social etiquette—and it obviously includes the company you work for and your fellow employees.
- Performing regular searches on yourself to confirm that your identity has not been compromised or targeted by bad actors.
- Being mindful that the same morality clauses that define appropriate behavior in the workplace can also be applied to one’s presence on social media.
Q4: What about our corporate social media teams? How do we make sure they don’t accidentally expose us to risk?
A4 (Shah): First and foremost, corporate social media teams need to be mindful of the risk their work poses as a whole. They’re measured on engagement, so they can be tempted to overshare in order to appear “authentic.” But they obviously need to temper that impulse, and with some solid education about how cybercriminals mount attacks through social engineering—and a large dose of common sense—you should be able to prevent them from posting anything too risky.
You also want to treat access to social media accounts with the same kind of controls you use for bank accounts—i.e., implementing zero trust with multifactor authentication. Also, be extra diligent about terminating access rights to social media accounts whenever you offboard an employee. Dormant accounts are low-hanging fruit for malicious actors.
On the upside, your social media team can be helpful if and when you experience a security incident. They can help alert customers, suppliers, and others who may need to know about their own potential exposure. You can also help serve the community by letting everyone know when you become aware of a potential vulnerability that could affect others.
Q5: Are there any other upsides to social media from a security perspective?
A5 (Schober): Actually, a healthy base of followers on social networks can act as cyber watchdogs who can offer real-time warnings about account takeovers, brand imposters, and other malicious content from threat actors all over the internet—including the Dark Web. Plus, when properly cultivated, your organization’s social media connections can help you foster cybersecurity awareness, promote security as part of your organization’s brand (for example, explaining why you lock accounts after a couple of failed password entries), and even assist you in your seemingly endless search for new cybersecurity talent to add to your team.
Infiltrating an organization through social media is only one way attackers are able to breach an organization’s cyber defense strategy.