Don't let social media become the go-to platform for cybercriminals looking to steal sensitive corporate information or cause huge reputational damage.

Guy Bunker, CTO of Clearswift

April 22, 2019

5 Min Read

Social media has become the No. 1 marketing tool for businesses, with 82% of organizations now using social media as a key communication and promotional tactic. It has become the window to a business, enabling companies to build a following, engage with clients and consumers, and share news and updates in a cost-effective way.

While social media can be a great tool, there are also a number of associated security threats. Just by having a presence on the platforms, organizations of all sizes put themselves at risk.

There are four main ways that social media threatens businesses:

1. Reputational Damage
High-profile individuals, brands, and organizations are regularly caught out for saying the wrong thing or posting something inappropriate. For example, last year Jeff Bezos, CEO and president of Amazon, tweeted an image of himself dog sledding in the Arctic Circle while on vacation. The post came amid a wave of criticism of the company's wages, and it drew a huge backlash from employees and high-profile individuals over its insensitivity and the pay gap within the organization.

These incidents can originate from the corporate account itself or from employees who are publicly associated with the company. Businesses must understand that the networks they build on social media act as the face of the company. If an employee, director, or owner posts pictures of themselves drinking excessively or airs views the company does not hold, that behavior or sentiment is often attributed to the company, with the reputational damage falling on the organization rather than the individual.

2. The Slip of a Finger
With 64% of marketers confirming that social media is just one aspect of their job, it's clear that many employees cannot always dedicate the time needed to properly manage corporate accounts. This is where mistakes happen and have the potential to ultimately cost businesses.

A common example is an employee accidentally responding to the wrong message. The employee intends to answer one customer's inquiry but sends the reply to a different customer, so sensitive information about the first customer is shared with an unintended recipient.

A further threat is when a private message is instead shared via the corporate social media feed. While an employee thinks they're replying privately, they actually share the entire message — again, containing sensitive information relating to a customer — publicly. While the message can be removed from the timeline, anyone could have taken a screengrab of the information. In this public setting, companies must be conscious of the fact that this is not only a compliance breach but a reputational issue as well.

With General Data Protection Regulation fines of up to €20 million or 4% of annual global turnover, whichever is higher, a small mistake like this can have big consequences. For example, if Google were to share customer data accidentally on its corporate Twitter account, this could mean a fine of $1.4 billion.

3. Social Phishing
Phishing is a prevalent cyberattack method, usually carried out via email, used to steal sensitive information from businesses or to infect corporate networks with malware. Cybercriminals also use social media to trick employees into handing over access to sensitive information about the company they work for.

LinkedIn, in particular, presents the biggest challenge because some employees use it heavily. Salespeople use the platform every day to find new business, track down information about people they're about to meet, and look for new job roles. They frequently receive unsolicited messages asking them to click a link, and those links can be malicious. Furthermore, people using LinkedIn tend to do so from a work laptop during working hours, and cybercriminals know that a compromised corporate laptop, which is typically connected to the company network, offers a direct route onto that network.

4. Lack of Awareness 
Social media use has become a part of our everyday lives, both personally and professionally. However, there are some simple steps that businesses should take to ensure everything stays safe on company social accounts:

  • Employees should be trained on corporate social media policies and be given a "best use" guide, demonstrating what they can and can't do on corporate social media accounts.

  • Information about cyberattacks via social platforms should be circulated so employees know what to look out for and how to prevent a potential attack from happening.

  • Having simple practices in place, such as internal reviewing of content, means no tweet goes live without multiple approvals, reducing mistakes that have huge reputational impacts.

  • Access to corporate social accounts should be limited. Not every employee needs the passwords; only the individuals who require access, or have been granted it, should receive the login details, and those should be delivered privately through a confidential channel rather than by group email or chat.

  • Passwords should be changed regularly and, without exception, whenever an employee who had access leaves the organization. Where the platform offers two-factor authentication, it should be enabled so that a leaked or phished password alone is not enough to take over the account.

Social media is a great marketing tool for businesses. However, if companies continue to ignore — or misunderstand — the threat that it poses, it will become the go-to platform for cybercriminals looking to steal sensitive information or cause huge reputational damage when silly mistakes are missed.


About the Author(s)

Guy Bunker

CTO of Clearswift

Guy Bunker is an internationally renowned IT expert with over 20 years' experience in information security and IT management. He currently holds the position of CTO at data security company Clearswift, and was previously the Global Security Architect for HP. Prior to that, he was Chief Scientist for Symantec and CTO of the Application and Service Management Division at Veritas (acquired by Symantec). He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security.

He is a frequently invited speaker at conferences, including RSA, EuroCloud, and InfoSec. He has made many appearances as a data protection expert on television, including BBC Click, as well as radio and in the press. Guy is a board adviser for several small technology businesses and has published books on utility computing, backup, and data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.
