Social media has radically transformed how people receive and send information, creating a democratized communication infrastructure unlike any of its predecessors. But with this powerful innovation have come several serious security risks for both individuals and businesses. Among other problems, social media provides a significant unprotected channel for data leaks, it incents people to overshare confidential information, it provides hackers with information that greatly assists them in breaching organizations, and it allows for the dissemination of lies in the form of misinformation or impersonation.
A changing landscape
Just a few years ago, businesses seeking to prevent data leaks could utilize data loss prevention systems and filter at the firewall (physical or logical) all data leaving the organization; many compliance systems sported similar functionality. Today, however, employees using personal electronic devices discuss all sorts of work-related topics on social media — both during and outside of work hours and locations. As a result, data can leak directly — for example, by people sharing internal email addresses, information about technologies in use at work, or details about upcoming products — but the danger extends to other forms of leaks as well: people sharing non-business information such as vacation plans, their personal cellphone numbers, etc., put themselves and their employers at risk. In fact, social engineering tactics that exploit overshared information on social media have become common mechanisms for criminals to breach organizations — a single post can ultimately yield a massive hack attack.
Furthermore, the proliferation of social media usage has also caused people to become accustomed to sharing much more about their personal and professional lives than ever before; younger folks who have used social media during the entirety of their adult lives often have a totally different concept of privacy than members of earlier generations. Of course, any cultural shift that conditions people to freely share information with outsiders exacerbates the risk of data leaks.
False content and phony profiles
Another security concern about social media — which made headlines during the presidential election last year — is that criminals can exploit social media to rapidly disseminate “fake news” and other forms of misinformation. Such devious tricks impact more than just politics: they can be used to manipulate stock prices, harm personal or business reputations, or even cause people to take actions that harm innocent parties while helping criminals.
Besides allowing the distribution of false content, social media platforms typically do little to prevent the creation and use of phony social media profiles. By impersonating legitimate businesses and real people, criminals can trick unsuspecting parties into providing personal or business details that can be used for financial crimes or identity theft, or into taking actions that give criminals other benefits at the expense of victims. While the various social media platforms’ verification programs have helped ameliorate the situation, the risk remains that most people and businesses are not verified, and, in any case, many folks do not check for verification marks before acting upon, quoting or re-sharing information posted by others on social media.
It is important to understand that being “smart” and hiring “smart” people will not eliminate social media risk: even smart people make many mistakes regarding what to post on social media and fall prey to scams. Furthermore, consider that it is not just bad decisions that lead to problematic posts — technical mistakes can do so as well. People have, for example, inadvertently cut-and-pasted content into the wrong window, and others have posted private material on social media after a device’s autocorrect feature replaced harmless text with sensitive information learned during the user’s earlier typing of private emails or text messages. Likewise, many folks do not fully comprehend social media permissions, and have erroneously made a public post when trying to send a private message; according to published reports, the CFO of Twitter himself did this when discussing a potential mergers and acquisitions deal.
How can you protect yourself from these risks? Businesses should establish governance programs for their official social media accounts and a formal social media policy for employees — and utilize both training and technology to ensure that policies are translated into reality. (Never rely on policies alone to suffice — there is a reason that we do not do that for other areas of security.) Act quickly to report impersonation accounts — you can hire a service to scan for these, but, often, you will notice such accounts responding to posts on your Facebook page or your Twitter stream, or hear about them from customers. Training and technology can also help reduce the likelihood of a person sharing fake news or the like — so use both for employees and for yourself — and have your marketing department ready to address any false information that gets spread by others, just as it would if the information was spread through other media. Make sure your family members understand the risks as well, and be sure to double check each post before it goes out to make sure both the content and the permissions are set properly.
Joseph Steinberg, CISSP, CEO, SecureMySocial