In December 2020, SafeGuard Cyber polled 600 enterprise leaders to learn more about how businesses are approaching digital executive protection. We learned a lot. The survey shed light on the degree to which companies are pursuing a secure executive social media strategy and where their biggest cybersecurity fears lie.
We also learned a great deal about executive social media risk management. There is much work to do in terms of how risk is owned, distributed, and managed across departments. On the whole, risk management roles seem unclear or poorly defined. Companies need much more collaboration than we are currently seeing.
Companies Know the Risks
Executives are targets — much bigger targets than standard employees. They have access to sensitive and valuable information, control over critical systems and operations, and a major influence on brand value. Bad actors know this, which is why 84% of execs have been the target of at least one cyber campaign. In addition, 78% of IT experts believe that bad actors will likely intensify their campaigns against corporate executives in the coming months and years.
Companies know that their executives are targets. In our digital risk survey, we found that 25% of enterprises cite executives' personal social media as a major risk factor to the company's overall security. And they know that the consequences of an executive cyberattack would be severe. In our poll, 70% of respondents said their company would suffer brand or reputational damage. Half of the respondents predicted potential risk to shareholder value.
One in three enterprises are most fearful of impersonation or fake accounts. One in four are most worried about the possibility of an account takeover.
However, despite awareness of the threats, the sophistication of executive social media risk management is lagging.
The Challenges of Social Media Risk Management
Email security doesn't require a complex risk management approach. You onboard the right software, with the right filters, and you apply it to every company inbox. You're set.
The new generation of cloud channels is very different. Tools like Twitter and LinkedIn live across multiple devices. They cross between professional and personal spheres. They generate interactions at unprecedented volume and velocity — and out of the box, security teams have no visibility. Today, all executives leverage social media, and they are bombarded by social media cybersecurity threats.
Security teams know that banning these tools isn't an option. Why? Because people will use them anyway. Companies know this; our digital risk survey revealed that 52% of businesses rank the use of unsanctioned channels as their main business security challenge. In one report, 76% of CEOs admitted to skirting their organization's security protocols to accelerate their tasks. Only 45% of CEOs say they are actively engaged in their company's cybersecurity management.
This means that to develop effective social media risk management, companies need a clear plan. However, right now, there isn't even a consensus on where responsibility for cybersecurity lies. Our digital risk survey discovered this when we asked about the organizational level at which security and compliance are a critical concern:
- 70% of enterprises cite their IT department.
- 46% cite a director or manager.
- 37% say the C-level is responsible.
- 30% say the CISO is the one in charge.
- 18% say the board is the level where the responsibility lies.
This doesn't bode well for executive social media protection in general. It shows that risk is understood in a variety of ways, with no industry standard. Our poll confirms that roles seem unclear or poorly defined with regard to social media risk management:
- At 29% of enterprises, the CISO owns the risk.
- At another 28%, marketing or communications owns the risk.
- At another 19%, an external agency shoulders the burden.
Worst of all? Almost 10% don't even know who owns the risk.
Collaboration Is the Key
In a sense, this distributed approach to risk gets at a truth: Social media risk management cannot belong solely to one department.
Cloud channels touch every department: Marketing, sales, HR, even recruitment. Digital risk in this space is complicated, and different departments may need to own different forms of risk. Cross-team responsibilities must be clearly defined, even before developing a robust strategy for protecting executives on platforms like Twitter and LinkedIn.
Companies need to realize that social media risk management is a collaborative effort that must be carefully developed before it is put into action. Teams also need tools that can provide visibility into potential threats, such as detection of bad actors trying to forge social connections and spear-fishing (or whaling) attacks on executives.