Many people don't realize that social media is one of the biggest portals for data breaches, phishing attempts, and social engineering. Given that social media has many risks from many different vantage points and plays an outsized role in modern life, let's explore every angle of the risks in detail.
As a rule of thumb, when it comes to using social media within an organization, employees will feel secure for the most part because they believe that they're safe at work. From an employer perspective, organizations may be under the impression that by having a firewall they can stop access to some social media sites during work hours. Those who believe this have obviously not thought about the realities of living in an age of BYOD (Bring Your Own Device).
We all know BYOD has become very popular in recent years because we all do it. Many of us carry around two phones: a work phone and a personal phone. Inevitably, we bring both into the work environment. Perhaps we even bring our own laptop to the workplace, because we feel more comfortable on a device we purchased ourselves. BYOD means that any attempts to stop employee use of social media during work hours are probably dismal failures.
Social media use is inevitable, but the kind of oversharing that undermines your cybersecurity is avoidable. Your employees need to fully understand the risks involved in oversharing and how their innocent actions can have dire consequences.
When information is overshared, or privileged information is shared online, via social media, it typically falls under the non-malicious insider threat category. Management can attempt to monitor work accounts or handles, but in most cases they are unable to keep tabs on their employee's personal accounts. Much to the chagrin of cybersecurity professions, the vast majority of information leakage through social media comes from personal accounts when employees are on lunch break, weekends, or even on vacation.
Preventing oversharing
To prepare companies for this brave new world, I cofounded SecureMySocial several years ago. SecureMySocial is a technology-assisted self-monitoring tool for employers to give to employees, to help them self-monitor themselves across social media.
There is no big-brothering involved, with real-time warnings and auto-delete capabilities if authorized. You can group employee rules and notifications based on their section of the business, whether it's M&A, HR, Finance, and so on. Using that categorical information, rulesets are deployed that are applicable to them. Moreover, there are no false positives, and warnings are sent to the user's own choice of personal email or SMS.
The program reminds them, in real-time, if information was put out there that would cause data leaks or reputational harm to the organization. It then gives the employee the ability to rectify the situation all in real time, as rapidly reversing any type of leak as swiftly as possible is critical to minimize the risk and damage.
Remember that leakage of information is not typically malicious; it is a way of communicating and sharing. We live in a world where sharing is part of being present and belonging. The more we share, the more relevant we are, the more social we are, the more impact we have, the more we will be noticed and recognized, and the more we become part of the social community. Social media self-monitoring tools allow your employees to think for just a moment longer about what they're posting, and why; it doesn't take away their ability to use social media effectively. Constant sharing is a new area of social life, at the heart of Millennial and Gen Z culture, and it's not going away any time soon.
A real-life example of oversharing on Facebook
Some time ago, I came across an example of how someone can think they're engaging in harmless social media usage, when in reality they're oversharing, and creating an entry point for a breach. At the time, I was doing some consulting for a bank, which was implementing a new piece of internal security in its organization.
One of the bank's engineers, who was part of the implementation group, ran into some difficulty implementing the new security solution and getting it to flow through the organization.
How did he troubleshoot when he ran out of ideas? He did what he typically did when he had questions to be answered, or problems to be solved. He went onto Facebook, where he connected and communicated with a lot of his engineering friends. He posted his questions about the security issues and technological problems he was having while implementing the new security solution, and about the difficulty his team was having getting it to work. He asked if anyone worked with that particular security, and if they had, could they give him some pointers. To him it was an innocent act, merely asking his peers for advice, just so happening to use social media as his medium of communication. At this point, it's important that we don't just blame this guy for oversharing; the bank was not practicing proper cyber hygiene, and did not have appropriate security and communication protocols in place.
Take a moment and imagine the sheer size of the audience for this information, about exactly what new security was being put in place, and exactly what troubles the implementing team were having with it. In a moment, that information was made available to his friends, the friends of his friends, their family members, and so on. The number of people who now had access to all this information could be in the millions. It could have led to a devastating breach. To be clear, this security was never forward facing, and should never have been known by outside parties.
In this specific case, disastrous outcomes were avoided when the company was made aware of this serious breach of sensitive information. The company quickly decided to change the security being implemented, because of the nature of the information that was shared.
As you can see, oversharing can cause massive costs and inconvenience even if it's caught in time. In this case, disaster was averted at the last minute, but it certainly convinced the c-suite of the importance of cyber hygiene, and the tools and protocols their employees needed to use social media in a safer way.
Career-focused websites are conduits too
Another innocent example of oversharing on social media would be to give too much away on LinkedIn. You probably already know that LinkedIn is used as social media for professional networking, people looking for jobs, and organizations posting ads. In most cases, users of LinkedIn display their current job, their job history, schooling, awards, certifications, and current job description as well as a wealth of other information.
Most people like to be as descriptive as possible, sharing as much information about themselves as possible, for a number of reasons: networking, being relevant for headhunters approaching them for their next opportunity, socializing with the right groups, and so on.
In some cases, putting too much information about your current role in your LinkedIn profile can cause more harm than benefit. That's because identifying your exact role in a company can, in some cases, target you as a prime candidate for a phishing or hacking attack.
Bad actors scour social media, looking for the right tidbits of information to create profiles of the people that they think would most likely fall prey to an attack. They might gather information from similar accounts, and invite the target to be part of an exclusive networking group of like-minded individuals. Human nature means people want to belong, and even more so if it involves an exclusive invite-only club.
Another example would be for a bad actor to social engineer their way into the good graces of an employee. They can accomplish this by doing their homework on the company they are targeting, which is easily done on LinkedIn. Step one is to search the employees within the organization, get their names, information, job description, and title. From that information alone, our bad actor can then identify a few employees to social engineer.
Typically, the easiest route is for the bad actor to create a fake LinkedIn account, and make themselves an imaginary employee of the company they wish to infiltrate. Their job description and title would be a few levels up from that of the target.
They would then send the target a direct message saying something along the lines of "I've noticed your work on XYZ project (having grabbed that information from a little digging) and I would love to help you grow within the company," and then send then a LinkedIn request.
The targeted employee would likely approve the connection request, since they would be under the impression that the bad actor works for the same company, knows about project XYZ, and might be a person that they need to facilitate a move up the ranks of the organization. That paves the path to a breach that will greatly damage the organization.
One simple message on social media can lead to an avalanche
It all begins with one simple message that taps into the human factors of trust or want from the targeted employee. Once trust has been established, the bad actor can start requesting a bit more information each time they communicate, all with promises to help the employee move forward in their organization. These kinds of social engineering attacks and phishing attacks are very common; it's a simple use of social engineering, to find the weakest link in the security chain – the human – and use that weakness to break into an organization.
You can prevent a great deal of heartache by educating your employees about what's at stake. Have discussions with your employees about the dangers of phishing and social engineering, and teach them how to stay vigilant on social media. It is important to be clear in employee contracts about what they're allowed to list as their position within the organization, when they put it out there for public consumption on LinkedIn, Facebook, or any other social media.
For example, it's ok to say Director, Managing Director, or even VP, but getting too detailed may prove to be problematic. It's important to note that employees take their social media very personally even as it pertains to LinkedIn, so the best thing would be to make it part of an employee agreement when signing contracts, instead of trying to have a discussion with employees who have been working there for years.