7 Steps to a More Secure Social Media Policy
Social media accounts must be viewed as part of the IT and security infrastructure. Follow these tips for developing a workable social media security program at your company.
![Shows the range of social media apps.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt84a9286ec25d3908/64f14f104652454911fb4f65/Slide1CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Aleksei via Adobe Stock
Hacked social media accounts can cause more damage than just harming a company's reputation. Exposed credit card information, ongoing phishing schemes, and ransomware attacks result in financial damage. It takes years to develop a solid brand, and all that work can be undone in less than 24 hours if a corporate social media account falls into the wrong hands.
Yet Twitter's recent study found that only 2.3% of all active accounts had enabled at least one method of two-factor authentication (2FA) during the second half of last year, so it's clear that security teams need to take a closer look at securing their social media accounts.
“Social media should not be left out of the network security discussion,” says Heather Paunet, senior vice president at Untangle. “Hackers can access social media accounts through unattended accounts, third-party apps, fake coupons, and suspicious URLs concealed by using a shortener. Just recalling the infamous 2020 Twitter hack that affected accounts belonging to Apple, President Joe Biden, and Elon Musk shows the importance of having a security policy for social media.”
Here's a seven-step checklist companies can use to focus on the security of their social media accounts. Jim Zuffoletti, co-founder and CEO of SafeGuard Cyber, points out that the widespread use of corporate and personal social media accounts at businesses means companies have to start thinking of these accounts as part of their IT and security infrastructure.
There are three layers to a social media footprint: branded corporate social media pages that clearly represent the company, executive pages (typically LinkedIn or Twitter accounts) used for advocacy and thought leadership, and rank-and-file employees using social media for advocacy.
Companies have to identify the most vulnerable employees, says SafeGuard Cyber's Zuffoletti. While top executives are always vulnerable, the person who switches the power on or off at an energy company can be a bigger target than the CEO, he says.
John Bambenek, threat intelligence advisor at Netenrich, adds that social media managers at companies are also individuals highly targeted by hacktivists. “Those users need to have strong protection and detailed security training to deal with the increased risk they are under from being targeted by cybercriminals,” he says.
Make sure employees use unique, strong passwords for their social media accounts, as well as a password manager, says Kevin Dunne, president at Pathlock.
Quite often, he says, personal social media accounts can become a backdoor to a corporate account and thereby the corporate network. In the case of LinkedIn, if a personal account gets breached and the employee has been granted corporate account access, attackers can abuse the personal account to post on behalf of that corporate account.
Untangle's Paunet advises training staff on best practices, spotting phishing attempts, monitoring, and appropriate use of social media accounts.
Security teams must manage access to all accounts and enforce 2FA. It’s also important to remove employees who leave the company from branded, corporate accounts.
Netenrich’s Bambenek underscores the need for 2FA for any access to social media accounts or social media management platforms. “More than a few instances of account takeovers were made possible due to not having strong MFA in place,” he says.
Determine who owns the account and who has responsibility for each social media account, says SafeGuard Cyber’s Zuffoletti. In the event of an incident, it’s good to know, for example, that marketing owns the account, the specific person responsible for the account, and the security or IT person to call when something goes wrong with the account.
“Social media is super-easy to adopt, so marketing can often just move into social media without having a sense that it’s part of the IT infrastructure of a company,” Zuffoletti said. “It’s part of the IT infrastructure and it’s also part of the security infrastructure.”
Organizations also have to know when and where people will post, says Pathlock’s Dunne. Especially for publicly traded companies, he says, the timing of social media posts can generate stock market volatility, which can introduce scrutiny from a compliance perspective.
“Posting information about company performance can invite scrutiny and investigation from regulators,” Dunne says. “And knowing where these social media accounts reside can help security teams pinpoint suspicious and unusual logins, which often occur from unknown, foreign IP addresses.”
Cybercriminals have realized that social media accounts are very easy to launch attacks from, mainly because there are so many entry points. Think about it: LinkedIn, Twitter, Facebook, WhatsApp, Snapchat, the list goes on – and opportunities abound for hackers.
SafeGuard Cyber’s Zuffoletti says managing social media accounts is very different from managing email servers. “There’s a choke point for email, typically a Microsoft Exchange server, and there’s not really a choke point for any of the social media accounts because they are all separate entities,” he says.
Security pros must also track which and how many company social media accounts exist and across what platforms so they can be monitored for any unusual activity and inventoried for access, Pathlock’s Dunne adds. As for access, he says security teams need to make decisions about how users will log in and post to the accounts. Will the company manage them through a privileged access management solution with a password vault? Or will it use a social media platform like Hootsuite?
More and more, phishing and spyware attacks are launched through social media apps like Facebook and WhatsApp, says Pathlock’s Dunne. Once compromised, attackers can use these apps as a backdoor into sensitive company information living on employees' mobile devices.
Bad actors also set up phony recruiting sites on LinkedIn, says SafeGuard Cyber’s Zuffoletti, trying to get victims to respond to what looks like a request for a job interview or a more enticing business opportunity. They also send messages resembling business email compromise (BEC) emails, asking for a wire transfer or a small favor, ostensibly from a top manager or the CEO.
“Understand that they want to induce the victim to do something,” says Zuffoletti. “The human is the last line of defense. Teach them how social media has become one of the massive vectors for social engineering and phishing. The employees have to be really sure that before they connect with somebody it really is that person.”
If the security team has a handle on LinkedIn, Twitter, and Facebook, it’s only just the beginning, says Zuffoletti. As employees expand their use of social media, security teams will also have to apply all these best practices to the new accounts.
“Today the team is worried about Facebook, but tomorrow it might be WhatsApp,” says Zuffoletti. “For an adversary, any way they get into the corporate network works for them.”
Pathlock’s Dunne agrees that companies need to be aware the social media landscape will continue to expand.
“The list of social media properties is always increasing, so security and compliance teams should continually audit where employees and the company have a presence from a social media perspective,” Dunne says.
Employees don’t like being told how to use social media. SafeGuard Cyber’s Zuffoletti points out that if the company puts a new interface in their way, employees will find a way around it or use another app that the company hasn’t put control on.
Companies also have to find ways to use machine-driven analysis that’s transparent to the user versus employees feeling that people from HR are reading their emails and watching their every keystroke.
“Think about the antivirus software on a PC,” Zuffoletti says. “Most people are comfortable with the AV, they know it’s looking for patterns and anomalies and not tracking them. Any social media protection has to respect a user’s need for privacy.”