Threats to corporate social media are evolving along with perpetrators' social engineering skills at a blistering pace. Sometimes their techniques reach such a high level that even the tech-savvy administrator of a corporate network can't tell the difference between a scam and the truth. Since so many businesses use social media, these threats are relevant to an extremely large number of companies. To help them stay safe, here are a few points of advice to mitigate the cyber-risks associated with today's social media landscape.
Use Caution With DMs, Drafts, Old Messages
Companies should be careful about keeping sensitive information in direct messages — it can pose cybersecurity risks. People often use corporate social media to write directly to brands, asking for help with the account holder's product or service. Also, some partnerships, such as those with bloggers, can be negotiated in direct messages. Sometimes personal or financial information is shared during these conversations, which could remain in the messages folder long after the interaction, vulnerable to intruders.
To avoid this risk, company representatives should make it a habit to delete messages once the dialogue is finished and the information they contain is no longer needed. It's also worth regularly reviewing what's saved in the drafts folder for old posts.
Review Old Posts, Minimize Reputational Risks
If sensitive or embarrassing information resurfaces from an old post, it can hurt a company's reputation or even result in financial losses. Spend some time reviewing old posts, as they might contain information that doesn't fit into the current reality. That might be anything from inappropriate jokes to controversial advertising campaigns.
The Potential Downside of Success
Having signed a lucrative contract or deal, we often want to post about it. But we also want to avoid unwanted attention from cybercriminals. If a potential attacker knows who your suppliers or contractors are, they could mount an attack by impersonating them, or by breaching their accounts and acting on their behalf.
The more clearly you reflect your company's structure and working methods on social media, the easier it is for perpetrators to organize an attack. For example, if it is possible to trace who is responsible for finance, an attacker can pretend to be this person's supervisor and try to lure them into urgently transferring a large sum of money to a fake account to close a deal or purchase equipment.
New Hires and Risks With New-Job Posts on Social Media
Once hired, newcomers usually share the news on social media, but they may not yet understand company cybersecurity processes, like how identification works or with whom they can share sensitive information.
Imagine a perpetrator tracks this person on social media and then writes them a malicious letter on behalf of the company's IT administrator, asking to share the password to set up a technical account. The newcomer may not know that the administrators would never write such a letter. They may also hesitate to ask their colleagues if the letter is authentic.
To mitigate the risk, offer newcomers a course on information security immediately, and tell them to be extremely careful when posting about their job.
Control Account Access, Especially When an Employee Leaves
Logins, passwords, and email addresses used to create a social media account are just as valuable as other internal corporate documents. If an employee who has access to these accounts leaves the company, it is useful to apply the same rules as when blocking their access to the corporate network. Change the password for the email account linked to the corporate social network; then unlink the ex-employee's mobile phone number.
Don't Ignore Other Protections
Any account on a social network, not to mention a corporate one, must be securely protected. Two-factor authentication is an absolutely necessary setting for any type of account.
The email address linked to the account should be as protected as the social media account itself. Often the attack begins with initial access to the email account. After breaching it, an attacker can configure filters in the mailbox settings to delete all support emails from the social network. As a result, the user will not be able to restore access to their account.
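A defender can audit the mailbox linked to the account for exactly this kind of filter. The sketch below is an added example, not part of the original article; the rule schema, the `example-social.test` domain and the sample rules are constructed assumptions, not any mail provider's export format.

```python
# Added example: audits exported mailbox rules for filters that hide
# social-network support or recovery mail. Schema and data are constructed.
HIDING_ACTIONS = {"delete", "move_to_trash", "archive", "mark_read"}
RECOVERY_KEYWORDS = ("password", "security", "login", "verify", "recover")

def _matches_support(rule, support_domains):
    """Return why a rule's conditions target platform support mail, or None."""
    sender = rule.get("from_contains", "").lower()
    for domain in support_domains:
        d = domain.lower()
        # A sender filter may be the full domain or only a fragment of it.
        if sender and (sender in d or d in sender):
            return f"sender filter '{sender}' covers {d}"
    subject = rule.get("subject_contains", "").lower()
    for keyword in RECOVERY_KEYWORDS:
        if keyword in subject:
            return f"subject filter '{subject}' targets recovery mail"
    return None

def flag_suspicious_rules(rules, support_domains):
    """List rules that both match support/recovery mail and hide it from the inbox."""
    findings = []
    for rule in rules:
        actions = set(rule.get("actions", [])) & HIDING_ACTIONS
        if not actions:
            continue  # labelling or starring does not hide anything
        reason = _matches_support(rule, support_domains)
        if reason:
            findings.append({"rule": rule["name"],
                             "actions": sorted(actions),
                             "reason": reason})
    return findings

# Constructed sample: two benign rules and two that would hide recovery mail.
SUPPORT_DOMAINS = ["example-social.test"]
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": "news@vendor.test", "actions": ["archive"]},
    {"name": ".", "from_contains": "example-social.test", "actions": ["delete"]},
    {"name": "cleanup", "subject_contains": "Password reset",
     "actions": ["mark_read", "move_to_trash"]},
    {"name": "Label support", "from_contains": "example-social.test", "actions": ["label"]},
]

if __name__ == "__main__":
    for finding in flag_suspicious_rules(SAMPLE_RULES, SUPPORT_DOMAINS):
        print(finding)
```

Running a check like this after any suspected mailbox compromise, and before starting account recovery, shows whether recovery messages are being silently discarded.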
It is best to register a corporate social media account using a corporate email address, since it can be better protected than a personal one.
It's equally important to conduct training for employees on information security, phishing, and other threats. According to recent cyber skills training statistics, just 11% of nearly 4,000 employees demonstrated a high level of cybersecurity awareness in 2022, while 28% could not prove sufficient cybersecurity proficiency.