Social media security policy for your business: Why you need one now

Author: Mark Stone

Your organization may have the latest and greatest cyber security tools in place, but humans remain a persistently weak link in security programs. And as employee use of social media on the job and off rises, the security risks to your organization grow. A robust social media security policy can help mitigate the risks.

It's critical to understand that for most hackers and attackers, the best and often easiest way to compromise your company and its networks is through social engineering. Social engineering attacks were the second most common type of threat reported in Verizon's 2020 Data Breach Investigations Report, and phishing topped the list of specific threat action varieties among confirmed breaches.

We think of cyber criminals as technically savvy, but their use of persuasion can actually be more dangerous than any technological weapon, and their uncanny ability to convince people to give up private information can be just as damaging as a nasty malware attack.

Social media risks

When it comes to social media use, it's not uncommon to believe the most significant risk to the enterprise is lost productivity.

With simple network monitoring tools, any organization can determine which employees are spending too much time (and company resources) on social media. Controlling what users post online is much more difficult. What's more, employees are often unaware of the risks associated with their online posts. Far too often, they are putting data—both personal and corporate—at risk.

In many cases, employees don't realize that even a seemingly innocuous personal post can be used against your company. For example, that team selfie in the boardroom taken after a successful strategic meeting might contain sensitive information in the background. You may be divulging confidential data, financial information or possibly valuable intellectual property.

What cyber criminals are focusing on in your employees' personal social media posts is personally identifiable information (PII). When employees divulge information like their place of birth, where they grew up, their mother's maiden name and even their birthday, attackers will use that information to their advantage.

With all this data in hackers' hands, the risk of hacking passwords or triggering a password reset for your corporate network can increase dramatically. Alternatively, they can use the information to launch other social engineering attacks. The more they know about your employees, the easier it is for them to get what they want.

In extreme cases, hackers can create fake social media profiles to fool employees into divulging confidential or sensitive information. This practice, called profile cloning, is cumbersome but not all that difficult.

Social media policy best practices

A social media security policy can either exist as its own directive or as an essential component of a broader security awareness program. How your organization enforces the policy is the key to success. To best mitigate the risks posed by social media threats, your employees need to feel empowered by the guidelines and involved in the process.

While managing what is posted from corporate accounts is crucial, employees must grasp that everything they post, even on personal accounts, should adhere to the company's social media security policy.

This means that forbidding social media use altogether is not an option. Compromises must be established, and those concessions are most successful when employees perceive the process as fair and inclusive.

Ideally, you should incorporate social media security policy best practices into security awareness training. Critical elements of awareness training should include identifying social engineering tactics, spotting fake accounts, and identifying scams and fraudulent posts, along with strengthening account security settings like passwords and multi-factor authentication.

From there, incorporating the following specific directives that apply to both personal and corporate accounts into your social media security policy can help manage employee behavior and protect the organization:

  • Think twice before posting anything on social media. Even if you delete it, there's a good chance it can resurface (for example, in a screenshot). Without context, it may be perceived as even worse in the future.
  • Whenever possible, adjust your privacy settings so that posts reach only the people with whom you wish to share them. Separate posts between those you can share with the general public and those meant for friends you trust.
  • When away from home for extended periods, don't announce your location. Be careful not to reveal too much with people, landmarks or backgrounds in a photo.
  • Use multi-factor authentication, do not reuse the same password across multiple accounts, and use different security questions and answers for each account.
  • Avoid sharing, retweeting or reposting existing content without verifying its authenticity or safety. So much content can be exaggerated or false—whether it's files, links, applications or games. This applies to content sent to you by anyone, including friends and family.
  • Remember that what you say online has consequences. Other organizations, people and employers may have very different views from you and take offense.

Ultimately, the most successful social media security policy awareness programs among the workforce start at the top and work their way down the corporate hierarchy. Without executive buy-in, these best practices cannot be effective.

Remember, with some social channels, brand loyalty is directly related to what you post. You've spent the time, effort and money building it up—yet with one post, loyalty can be lost. A 2020 Arcserve survey of North American and European consumers reported that 59% of respondents would likely avoid doing business with a company that had suffered a cyber attack in the past year.

Not sure where to start or where the gaps are in your security program? Learn how Verizon's security program assessment can get you on track to reducing risk.