An employee at a company training event uses their smartphone to post a team photo to their Facebook or LinkedIn account, mentioning that it’s great to be working offsite for a few days, and they geotag the hotel hosting the event. This happens all the time across multiple social platforms, and we rarely think twice. But for a potential threat actor, this post offers valuable information.
Immediately, it tells them many company and personal devices will be using a public network and may therefore be more vulnerable. It also identifies employees, shows where these people are, and even indicates who might have an empty residence back home. With names and faces at hand, a threat actor can easily comb profiles for valuable personal details that could be used to access passwords and socially engineer an attack.
An Evolving Landscape
Initially, social media was simply a fun way to connect, interact, and share with others. Then, smartphones allowed us to take social networks with us wherever we went, increasing our ability to share content in the moment. Today, Internet of Things (IoT) devices are triggering another change by enabling people and companies to communicate in exciting new ways with each other and the devices themselves. However, while many of these changes and connections have been positive, the darker side of technology is showing itself, and it’s become clear all of these connections are opening new paths for threat actors.
It’s tempting for businesses to think internal security practices offer adequate protection, but that’s often not enough. Even outside of work, employees on social media could be posing a risk to your company without realizing what’s happening.
How Real Are the Risks?
It’s not a stretch to say everyone’s on social media. The Facebook family of apps alone – Facebook, Instagram, WhatsApp, and Messenger – boasts 2.7 billion monthly users, with a staggering 2.1 billion users active every day. With more than 25% of the global population connected this regularly on only four platforms, the risks are significant. And threat actors are exploiting this new territory.
Verizon’s 2019 Data Breach Investigations Report found that social threat actions increased 18% from 2013 to 2018, and that people as the affected asset in cyberattacks increased 20% over the same period. Every organization should therefore be aware of the risks associated with social media, smartphone, and IoT device use, and of the ways these risks can be kept at bay.
Professional Social Media Use
Social media was initially dominated by consumers, but many businesses – both B2C and B2B – now maintain a regular social presence on various channels to interact with customers and strengthen their brand. There isn’t one right way to manage your social media, but there are operational considerations that will help ensure safe use.
Assigning one person to manage all social content as the only gatekeeper sounds appealing, especially for businesses entering the space, but it’s risky. If the employee leaves, your social channels will go quiet or, in a worst-case scenario, if they leave under negative circumstances, they may lock you out entirely or post defamatory content.
The best approach is to assign one primary administrator to manage the details while also authorizing other users, including executives, marketing, and even human resources. Additionally, all account credentials should be stored in a password manager, so this information is owned by the company rather than an individual. Fortunately, these changes are easy to implement and completely in your control; however, the biggest risks are likely employees’ personal accounts and the information they’re willing to provide.
Personal Social Media Use
Social media is unique because it’s often the users themselves, rather than the platforms, who amplify potential risks. The casual nature of most social networks makes it easy for users to drop their guard and not consider potential consequences. If users aren’t careful, and company guidelines are nonspecific or absent, these consequences may affect your organization as well. You can’t prevent employees from using social networks on their own time, but you can set parameters and educate on best practices.
Employees at every level should understand whether and how to attach themselves and their personal accounts to the company. Most platforms, including Twitter, LinkedIn, Facebook, and Instagram, offer security in the form of privacy settings. Employees should be educated on these features and encouraged to use them, but privacy settings are only part of the challenge. Many users are not aware of how much information can be gleaned from their seemingly trivial accounts and the content they post.
A mother sending a simple “Happy Birthday!” message on Facebook can, depending on privacy settings, give threat actors valuable information, including her maiden name (a common security question on many websites). Similarly, sharing things such as old school photos or pictures of the family may reveal where the user attended school or, buried in the photo’s metadata, things such as geographic location.
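The geographic location mentioned above is usually an Exif GPS block embedded in the photo file. The following script is an added example, not code from the original article: it parses the JPEG segment structure with only the Python standard library, reports whether the Exif data contains a GPS sub-IFD (tag 0x8825), and produces a copy of the file with the Exif block removed, which is the check a company could run over images before they are published. The sample JPEG it builds is a constructed minimal fixture (two segments plus an empty scan) rather than a real photo, and the function names are this example’s own.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825   # Exif tag in IFD0 that points at the GPS sub-IFD


def split_jpeg(data: bytes):
    """Split a JPEG into (marker, payload) segments up to SOS/EOI.

    Returns (segments, tail). The tail (scan data onwards) is left untouched
    because only the header segments before it can carry Exif metadata.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (SOS, EOI):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 Exif payload's IFD0 contains the GPSInfo pointer tag."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order of the TIFF block
    if endian is None or len(tiff) < 8:
        return False
    (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]   # 12-byte IFD entries
        if len(entry) < 12:
            break
        (tag,) = struct.unpack(endian + "H", entry[:2])
        if tag == GPS_IFD_POINTER:
            return True
    return False


def has_gps(data: bytes) -> bool:
    """Report whether the JPEG carries a GPS sub-IFD (a location geotag)."""
    segments, _ = split_jpeg(data)
    return any(m == APP1 and exif_has_gps(p) for m, p in segments)


def strip_exif(data: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1 Exif segment removed.

    Dropping the whole block removes GPS data along with timestamps and the
    camera/phone model; JFIF (APP0) and all image data are kept as-is.
    """
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + tail)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed fixture: SOI, JFIF APP0, one Exif APP1, empty SOS, EOI.

    Big-endian ("MM") TIFF; header 8 + IFD0 (2 + 12 + 4) puts the GPS IFD at 26.
    """
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = struct.pack(">HH", APP0, len(jfif) + 2) + jfif
    if with_gps:
        entry = struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)   # LONG, count 1
    else:
        entry = struct.pack(">HHI", 0x010F, 2, 4) + b"ACM\x00"     # Make, ASCII
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + struct.pack(">H", 1) + entry + b"\x00" * 4
    if with_gps:
        # GPS IFD with a single GPSVersionID entry (BYTE x 4, value stored inline)
        tiff += struct.pack(">H", 1) + struct.pack(">HHI", 0x0000, 1, 4)
        tiff += b"\x02\x03\x00\x00" + b"\x00" * 4
    exif = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("geotag present:", has_gps(photo))
    cleaned = strip_exif(photo)
    print("geotag after strip:", has_gps(cleaned), "| bytes:", len(photo), "->", len(cleaned))
```

Run it on a real file by reading the bytes and calling `has_gps` and `strip_exif`; the parser stops at the scan data, so it never has to decode the image. Note that stripping the Exif block does not remove location information that the user typed into the post itself or that the platform attaches from the device.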
Threat actors follow these “bread crumbs” and engage in social engineering to access accounts, mine company email addresses, and create targeted attacks such as phishing campaigns that leave the employee and/or company exposed. Social media sites themselves have even become gateways for malware that once relied primarily on email click-throughs. The accessible information depends almost entirely on the user and the content they provide – though we’ve certainly seen what can happen with a broad data breach or two on the platform side – and the value of that information depends on the target. Not surprisingly, executives are increasingly at risk because of the knowledge and access they carry.
Just as we’ve become more connected via social media, so too have our devices. This, of course, makes everything more convenient, but it also creates another stumbling point for users. Mobile phones allow us to do just about anything on the go, which often means users are doing many things at once. This distracted state makes people more likely to click malicious links or post information that may put them at risk. Being mobile also lets them share their location without a second thought. Even simple IoT devices – anything from a smart thermostat or security system to a WiFi speaker – can leave you and your organization exposed.
As with everything related to technology, education is critical. What we don’t know can, in fact, hurt us, but simple precautions can keep you and your company safe one tweet, post, or message at a time.