In the early days of social media, organizations were primarily concerned with employees wasting their time online when they should have been working. While there is generally a more sophisticated understanding of the various social media platforms now, that is not to say that they are without risk, especially from a cybersecurity perspective.
For instance, professional networking site LinkedIn has been the subject of repeated hacks. In 2012, hacker Yevgeniy Nikulin was sentenced to 88 months in prison for a hack that was originally thought to have seen 6.5 million user accounts compromised. This figure was later updated after it emerged in 2016 that a more accurate figure was over 100 million.
For many organizations, the security problems with social media begin with the fact that employees are often one step ahead of their managers, and even the IT department, in the networks they use and the way they engage with these networks.
This can be problematic, with the LinkedIn hack highlighting the risk of the data we reveal about ourselves online being used for all manner of social engineering by hackers who wish to gain access to core systems.
Similarly, malicious links shared via social media can easily compromise systems, especially if delivered via mobile apps that may be harder to assess for reliability. This can make phishing and malware all too real a threat.
Securing social media
Author Ajay Singh advocates five ways in which organizations can make sure that when their employees use social media, they are doing so in a secure way:
- How is social media being used by the organization? A good starting point is to fully understand the benefits you want to get out of using social media as an organization. Being clear on what you want to use social media for, and indeed how it’s being used at the moment, is vital.
- What are the possible risks from this current usage of social media? Conducting risk assessments is hopefully a standard part of your cybersecurity process, so the act of identifying, prioritizing, and addressing the risks associated with social media should be a natural extension to this. “While risks from malware attacks, human errors, and social engineering are the obvious sources of threat, there may be others like unattended social media accounts and privacy settings that are less obvious,” Singh warns. “Unattended social media accounts can become easy targets for hackers to start posting mischievous content using people’s social media identities.”
- Who are the employees who use social media platforms for organizational purposes? While it’s highly likely that the majority of the workforce will be on social media in some way, shape, or form, Singh argues that the use of social media for direct business purposes should be limited to a select group who can then be given cybersecurity awareness training. Given the widespread usage of social media sites, such as LinkedIn, this may be somewhat harder to achieve, and may even be ill-advised to attempt. It does, however, highlight the importance of good digital hygiene for all employees.
- What are the policies and guidelines for them to follow? For a long time, it was rare to find deliberate and specific policies outlining what employees were permitted to do on social media at all, much less policies specifically targeted towards cybersecurity. Nonetheless, Singh argues that such policies are vital in setting the norms and providing guidelines for the online behavior of employees. He suggests that social media security policies should include:
  - Any regulatory and legal requirements that may be applicable to social media
  - Acceptable use and a code of conduct
  - Training and awareness-building program
  - Review, content authorization, monitoring, and reporting
  - Incident response
  - Auditing of social media accounts
- Is there a dedicated person who is responsible for oversight and is accountable for business practices on social media? Having a senior executive directly accountable for the organization’s social media activity helps to ensure that those activities are coordinated in a safe and effective manner. Such senior oversight also facilitates the coordination between departments that safe usage requires.
“Social media usage, like other technologies, can bring favorable as well as unfavorable consequences for both organizations and individuals, as it has both benefits and risks,” Singh explains. “Adopting a security-first posture can help mitigate threats and risks from social media enabling organizations to leverage the opportunities and advantages it offers.”
As with so much in the cybersecurity world, adopting a proactive approach helps organizations retain their security while also capitalizing on the significant opportunities presented by new technologies.