Dark Reading is part of the Informa Tech Division of Informa PLC


3/17/2021
10:00 AM
Jim Zuffoletti
Commentary

Enterprises Wrestle With Executive Social Media Risk Management

Survey indicates enterprises have a lot of work to do to reduce cybersecurity risks around executive social media use.

In December 2020, SafeGuard Cyber polled 600 enterprise leaders to learn more about how businesses are approaching digital executive protection. We learned a lot. The survey shed light on the degree to which companies are pursuing a secure executive social media strategy and where their biggest cybersecurity fears lie.

We also learned a great deal about executive social media risk management. There is much work to do in terms of how risk is owned, distributed, and managed across departments. On the whole, risk management roles seem unclear or poorly defined. Companies need much more collaboration than we are currently seeing.


Companies Know the Risks
Executives are targets — much bigger targets than standard employees. They have access to sensitive and valuable information, control over critical systems and operations, and a major influence on brand value. Bad actors know this, which is why 84% of execs have been the target of at least one cyber campaign. In addition, 78% of IT experts believe that bad actors will likely intensify their campaigns against corporate executives in the coming months and years.

Companies know that their executives are targets. In our digital risk survey, we found that 25% of enterprises cite executives' personal social media as a major risk factor to the company's overall security. And they know that the consequences of an executive cyberattack would be severe. In our poll, 70% of respondents said their company would suffer brand or reputational damage. Half of the respondents predicted potential risk to shareholder value.

One in three enterprises are most fearful of impersonation or fake accounts. One in four are most worried about the possibility of an account takeover.

However, despite awareness of the threats, the sophistication of executive social media risk management is lagging.

The Challenges of Social Media Risk Management
Email security doesn't require a complex risk management approach. You onboard the right software, with the right filters, and you apply it to every company inbox. You're set.

The new generation of cloud channels is very different. Tools like Twitter and LinkedIn live across multiple devices. They cross between professional and personal spheres. They generate interactions at unprecedented volume and velocity — and out of the box, security teams have no visibility. Today, all executives leverage social media, and they are bombarded by social media cybersecurity threats.

Security teams know that banning these tools isn't an option. Why? Because people will use them anyway. Companies know this; our digital risk survey revealed that 52% of businesses rank the use of unsanctioned channels as their main business security challenge. In one report, 76% of CEOs admitted to skirting their organization's security protocols to accelerate their tasks. Only 45% of CEOs say they are actively engaged in their company's cybersecurity management.

This means that to develop effective social media risk management, companies need a clear plan. However, right now, there isn't even a consensus on where responsibility for cybersecurity lies. Our digital risk survey discovered this when we asked about the organizational level at which security and compliance are a critical concern:

  • 70% of enterprises cite their IT department.
  • 46% cite a director or manager.
  • 37% say the C-level is responsible.
  • 30% say the CISO is the one in charge.
  • 18% say the board is the level where the responsibility lies.

This doesn't bode well for executive social media protection in general. It shows that risk is understood in a variety of ways, with no industry standard. Our poll confirms that roles seem unclear or poorly defined with regard to social media risk management:

  • At 29% of enterprises, the CISO owns the risk.
  • At another 28%, marketing or communications owns the risk.
  • At another 19%, an external agency shoulders the burden.

Worst of all? Almost 10% don't even know who owns the risk.

Collaboration Is the Key
In a sense, this distributed approach to risk gets at a truth: Social media risk management cannot belong solely to one department.

Cloud channels touch every department: Marketing, sales, HR, even recruitment. Digital risk in this space is complicated, and different departments may need to own different forms of risk. Cross-team responsibilities must be clearly defined, even before developing a robust strategy for protecting executives on platforms like Twitter and LinkedIn.

Companies need to realize that social media risk management is a collaborative effort that must be carefully developed before it is put into action. Teams also need tools that can provide visibility into potential threats, such as detection of bad actors trying to forge social connections and spear-phishing (or whaling) attacks on executives.

Jim Zuffoletti has been a founder of startup organizations as both an entrepreneur and an intrapreneur for the past 25 years. Jim is CEO and founder of SafeGuard Cyber, a digital risk protection company securing brands, VIPs, and team members in the new world of social media ...
 
