Endpoint

9/25/2018
10:30 AM
Dr. Sam Small
Dr. Sam Small
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Human Factor in Social Media Risk

Your employees need help recognizing the warning signs and understanding how to protect themselves online.

Experts agree: The greatest cybersecurity risk modern businesses currently face comes from people — not from a lack of firewalls or security policies. In one survey, 77% of respondents indicate that despite training and corporate policy, mistakes by employees remain the most likely source of a cybersecurity attack. This risk is especially apparent on social media, where brand reputation and personal relationships play a strong role in the level of trust users place in shared content.

Not All Forms of Engagement Are Equal
Inherently, social media is about engagement — and liking, sharing, and commenting are typically among the primary features offered by social networks. Actions like these are baked into the very fabric of the networks themselves through features designed to drive users to engage with media through notification, suggestion, and promotion of various kinds.

With a push toward engagement comes an inherent level of trust that content posted by colleagues or other trusted organizations and communities is truthful and safe to view or engage with. For years now, we've educated employees about the dangers of scams, phishing attempts, and malicious content delivered via email (e.g., "Don't click that link!"), but when it comes to social media, organizations struggle to effectively deliver the same message.

For instance, your employees may assume at times that they are engaging with customers in need of assistance or prospects who are requesting information when in reality, bad actors often use fake accounts to target your staff on platforms such as Twitter, LinkedIn, and Facebook. Without proper training and tooling to secure social media accounts and identify these risks, users often fall prey to a host of issues that threaten not only themselves but their employers as well.

Whether via account takeover attempts, personal and corporate data leaks, cybercrime, or malware delivery, social media risks pose a material threat to organizations, and your employees need help recognizing the warning signs and understanding how to protect themselves online.

Your (Un)intentional Brand Ambassador
Although social media engagement is an explicit aspect of some employees' job responsibilities, most organizations will find that — whether intentional or not — a larger swath of employees represent their brands online. With no more than a quick Google or LinkedIn search, employees can be traced back to your organization, and employees’ shared content and personal views have the potential to reflect poorly on your brand when in conflict with your organization’s core values and principles.

In recent years, you may have even noticed an increase in proclamations and account descriptions containing phrases like "views are my own" or "retweets are not endorsements." While such statements may seem like a solution to the issue of separating corporate and personal personas, public perception will inevitably continue to associate your employees and their (potentially controversial) viewpoints with your brand. This is especially true for high-level executives; and, while we may like to think that corporate executives have the ability to understand that personal expression and corporate attribution are easily entangled, history has repeatedly proven otherwise. Regardless, employees of all types should be cognizant of the impression they make on social media and its influence on corporate perception.

Beyond employee-driven risks lie additional dangers. Bad actors often target employees on social media as a first attempt to access your organization at large. Imposters have disguised themselves as customers, executives, prospects, and colleagues to encourage employees to click malicious links and share confidential information. This can be detrimental to your overarching brand, particularly if it leads to a breach or account takeover. In the past, we've seen this result in the termination of business contracts, levying of fines, and other immeasurable impacts to trust, opportunities, and revenue.

Protection vs. Privacy
A simple mistake on social media can leave a lasting impression; however, when it comes to protecting employees, employers often cite privacy concerns. Trading privacy for security is a classic tussle and undesirable compromise, and it’s relatively safe to assume that most employees are uncomfortable with the notion that their employer may be monitoring their personal social media activity. This "Big Brother" concern often leads to inaction on the part of an employer, causing an unnecessary level of risk on the books. To combat this issue, it's important to empower employees to take social media protection into their own hands — without compromising privacy.

Put Your Employees in the Driver's Seat
As participants in social media, your employees' actions online shape and contribute to the perception and messaging of your brands and organization. Despite the blurring of lines that exist between professional and personal accountability, you have the ability to empower your staff to make smart decisions on social media and help protect all parties involved. Here are a few tips for getting started:

● Assemble a Social Media Task Force: Loop in marketing and information security teams to assess and prioritize risks, establish a set of processes and policies, and decide on roles and responsibilities.

● Train Relevant Staff: A critical component of a social media protection program is training relevant staff on policies defined by the task force. When you train employees on internal policies, also include general education topics around social media protection, security, and privacy. At the very least, ensure employees are comfortable with two-factor authentication, identifying malicious posts, and recognizing when credentials have been leaked.

● Watch for Trends and Update Policies & Processes Accordingly: Assign someone to stay abreast on social media topics, including emerging threats, evolving threat vectors, and changes in policies and regulations (these should be rapidly incorporated into existing policies and procedures).

By taking these steps, organizations can reduce risk and bolster corporate confidence while simultaneously keeping your employees safe and in control of their own social media. With some additional research, you will also find that many resources — including training, discussion, and documentation — are available online to help with this initiative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Dr. Sam Small serves as the Chief Security Officer of ZeroFOX, helping its customers implement world class social-media protection programs and supporting ZeroFOX to continuously advance its role as an innovation leader in social-media and collaborative-technology security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
byrnes4security
50%
50%
byrnes4security,
User Rank: Apprentice
9/26/2018 | 1:39:30 PM
Let's equip our users so they're actually our strongest line of defense.
Indeed today users are a vulnerable attack vector and a weak link but, more education is not the answer. It's important, but rather than burdening users with "thou shall not" and security that creates ridiculous friction, infosec leaders can take a more reliable and user friendly approach. Modern tools that leverage including mobile, biometrics and analytics protect users while being virtually transparently so they can focus on business rather than rules. Identity based security can transform your uses from the weakest link into the strongest line of defense.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/26/2018 | 10:07:08 AM
Echoing the Sentiment
In-line with the message of the article. Limit the scope. If the risk vector is social media restrict social media outlets via web security to only allow those with specific business need to access it (HR, Marketing, potentially ELT) Then set up the appropriate security training for those groups. By limiting the pool to that subset you can drastically cut down onthe potential risk that Social Media can have on the organization.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.