    Brittany Shipton

    Brittany is a Digital Marketing Specialist at Mimecast. As a bona fide all-rounder, Britt’s expertise in digital spans search engine marketing, social media, content, webinars, email, website UX and CRO. She aims to leverage these strengths to illuminate Mimecast’s message and effectively communicate through digital the importance of organisations (and individuals) getting on the front-foot about becoming cyber resilient.


A keen new starter shares a photo of their desk. A board member posts about their upcoming talk. A customer clicks on your company’s link in their feed. All signs your company is winning at social media. Right?

Well, maybe. But they might also make security managers wince. That desk pic could show a confidential document or a username, opening a weakness for hackers to probe. The talk might offer personal details that could help a scammer worm their way into an executive's confidence. And that link could be seriously damaging if it leads to malware or a spoofed website. As social media use continues to rise, hackers are getting more and more opportunities to ply their trade.


Social media is here to stay

Around four in five people in Australia and New Zealand are active social media users, and that figure is growing each year. That has been great for companies: platforms such as LinkedIn, Facebook, Instagram, Twitter and TikTok can help organisations grow revenues, talk to customers and engage their employees. But they also offer a ready supply of low-hanging fruit for cybercriminals to pluck:

  1. Posts may give scammers details (from job titles and associates to personal hobbies) that they can leverage to make phishing emails more believable

  2. Social engineering attacks – a scammer might impersonate a work contact or reach out via a dating site to get an employee’s trust

  3. Posts may inadvertently give away clues to user credentials, locations or other confidential information

  4. If employees use the same password for social media accounts as they do for work logins, a successful hack on one platform can open up others

  5. Links in third-party messages may direct unaware users to malware, bringing ransomware into your network

  6. Other accounts may impersonate your business or even take over your account, allowing them to direct your followers to spoofed websites (an increasing problem for many companies) or spread more malware

  7. Information shared via social media (even in private messages) is outside your control: it may be stored anywhere in the world, and is vulnerable if the platform itself is hacked

These incidents can lead to major breaches, compliance issues and reputational damage. So how can you stop them?


Best social media practice for organisations

To cope with these dangers, cybersecurity must work closely with social media teams and ensure that risks are factored into day-to-day use. A demonstration of the impact that social media can have on cybersecurity and your organisation’s bottom line will help, and you should work to ensure the relationship is ongoing.

Key measures at a company-wide level include:

  1. Set up and share a social media policy for all staff that makes keeping people and data safe a priority

  2. Set up and verify accounts on all major platforms – owning verified accounts reduces the danger of spoofed accounts

  3. Use training and tools to guard your assets

  4. Ensure official accounts are monitored, with a clear process for revoking access and recovering hijacked accounts

  5. Block or blacklist malicious URLs found on social media

  6. Set up multi-factor authentication for corporate accounts, and ensure passphrases are secure

  7. Make sure manual sign-in is set up as default on shared devices


How to create social media guidelines for staff

The advice given by the Australian Cyber Security Centre and New Zealand’s National Cyber Security Centre, as well as frameworks such as the Essential Eight, can offer context to anyone building a social media policy. Areas to cover for staff members include:

  1. Rules detailing what can and cannot be shared on corporate or personal accounts

  2. The importance of caution in who you befriend (beware of unsolicited requests) and what you write (it may be hard to delete)

  3. Guidelines on personal social media use at work

  4. Who individuals should speak to if they’ve a security concern or see sensitive data being shared

  5. How to set up, access and sign out of accounts on company and personal devices

  6. General dangers, such as scams or suspicious links

  7. Lists of trusted apps, and any specific risks associated with individual platforms

  8. Tips on less obvious risks, such as sharing images or location data, or filling out “fun” information-gobbling quizzes

Crucially, your policy should not be set in stone or tied to a specific platform. New threats will emerge, platforms will change their privacy policies and employees will come and go. Quarterly meetings with stakeholders are a helpful nudge to these discussions, and can help ensure dialogue continues once policies have been set.


Any policy should be backed up by tools and training

Your social media policy should be supported with training. Sessions can reinforce messages and give employees the chance to engage with issues. Flagging recent threats can be a great way to make a set of guidelines feel relevant and real, especially for less technically minded staff. Phishing tests and other gamified training are other ways to spark interest. Just as humans are often the ones to make the social media mistakes that let criminals in, they can also be the ones to spot risks and threats. Listen to them and engage them, and your employees can play a crucial role in safeguarding.

Automated tools have a part to play too. Defences such as firewalls and VPNs, as well as data management approaches such as zero trust, can help secure assets. Screening tools can review social media posts and the comments beneath them, looking for spam, scams, threats and malicious links. Some solutions can detect takeovers and automatically shut compromised accounts down, leaving your hardworking team with one less problem on their plate.


How to manage the risks of social media

Social media is everywhere – and its risks are just as pervasive. Phishing attacks, links to spoofed websites, leaked data and compromised passwords are just some of the problems associated with its use. A clear policy and effective training can limit cybercriminals’ gains while leaving your company and staff free to reap the rewards of social media.
