The Risks of Social Media Threats on Your Business
Q&A with cybersecurity experts
By: Stacy Leidwinger, VP of Portfolio Marketing
More than 58% of the world’s 7.9 billion people have social media accounts. And the average user has accounts with 8.4 different social media sites. That’s a lot of personal online activity.
Since cyberattackers have a penchant for social engineering, all that personal exposure online can have significant security consequences for your organization. That’s why I sat down with Berkeley Varitronics President and CEO Scott Schober, cybersecurity expert Shahid N. Shah, and DataOps pioneer Lenny Liebmann to discuss the implications of social media for the cybersecurity community.
Q1: What cybersecurity risks do you associate with the personal use of social media?
A1 (Schober): Social networks offer a treasure trove of publicly available details on billions of individuals. This information is available for free—and the individuals themselves may not even be aware of everything they’re revealing.
Plus, the same network effect that powers these platforms also creates trillions of “breadcrumb trails” between all these users. Each of these trails can reveal even more personal information, which can directly or indirectly reveal user locations, passwords, medical conditions, associations, and more.
These exposures of information also extend from individuals to their employers, as well as other organizations and business relationships across markets and supply chains.
Q2: Organizations also have their own social media accounts. What about those?
A2 (Shah): Organizations are making increased use of social media because it’s such a powerful way to get the word out about your value proposition, to build relational lines of communication, and to boost brand awareness. But an organization’s presence on social media also generates risk, because that presence can expose a lot of information about the organization’s inner workings. For example, if you proudly announce you’ve brought on a new hire in your finance department, an attacker may see the “changing of the guard” as a window of opportunity for phishing and/or spearphishing.
Q3: Can attackers really exploit these tiny needles of information, given that the total haystack of social media content is so monumental?
A3 (Liebmann): Security-by-obscurity is not viable. There is a plethora of tools that now enable threat actors to capture massive volumes of social data, sift through that data for material of potential value, and correlate datapoints to optimize that value. I mean, look at the personal quizzes that people share all the time online. All it takes is a matching hometown address or pet’s name—and malicious data miners are off to the races.
Q4: What do you recommend we do to mitigate the cybersecurity risks created by social media?
A4 (Schober): Organizations can help protect themselves and their employees by promoting best practices for the use of social media. These practices include:
- Understanding that our actions on social media can be amplified, manipulated, and abused by bad actors to harm others in real life.
- Using a strong and unique password for every social network.
- Using 2FA/MFA whenever the option is available.
- Never tagging, doxing, or posting any information about any other individual or organization without their prior consent. This is for both security reasons and social etiquette—and it obviously includes the company you work for and your fellow employees.
- Performing regular searches on yourself to confirm that your identity has not been compromised or targeted by bad actors.
- Being mindful that the same morality clauses that define appropriate behavior in the workplace can also be applied to one’s presence on social media.
Q5: What about our corporate social media teams? How do we make sure they don’t accidentally expose us to risk?
A5 (Shah): First and foremost, corporate social media teams need to be mindful of the risk their work poses as a whole. They’re measured on engagement, so they can be tempted to overshare in order to appear “authentic.” But they obviously need to temper that impulse, and with some solid education about how cybercriminals mount attacks through social engineering—and a large dose of common sense—you should be able to prevent them from posting anything too risky.
You also want to treat access to social media accounts with the same kind of controls you use for bank accounts—i.e., implementing zero trust with multifactor authentication. Also, be extra diligent about terminating access rights to social media accounts whenever you offboard an employee. Dormant accounts are low-hanging fruit for malicious actors.
On the upside, your social media team can be helpful if and when you experience a security incident. They can help alert customers, suppliers, and others who may need to know about their own potential exposure. You can also help serve the community by letting everyone know when you become aware of a potential vulnerability that could affect others.
Q6: Are there any other upsides to social media from a security perspective?
A6 (Schober): Actually, a healthy base of followers on social networks can act as cyber watchdogs who can offer real-time warnings about account takeovers, brand imposters, and other malicious content from threat actors all over the internet—including the Dark Web. Plus, when properly cultivated, your organization’s social media connections can help you foster cybersecurity awareness, promote security as part of your organization’s brand (for example, explaining why you lock accounts after a couple of failed password entries), and even assist you in your seemingly endless search for new cybersecurity talent to add to your team.
Q7: Should we be on the lookout for any issues with emerging social media trends?
A7 (Liebmann): Absolutely. As social media becomes more immersive—think about virtual reality in particular—users are going to interact with strangers in entirely new ways. The probability of them exposing personal information will become much greater, because they’re going to be doing more than just posting pictures and comments. They’re going to be engaging in longer conversations and more interactive ongoing relationships. Going forward, we all need to keep an eye on these engagements and their likely exploitation by cyber criminals.
Infiltrating an organization through social media is only one way attackers are able to breach an organization’s cyber defense strategy.