Facebook failures: how to protect your business against social media mishaps
20 December 2018
Dr Guy Bunker, Senior Vice President, Products & Marketing, Clearswift, says if companies continue to ignore – or misunderstand – the threat that social media poses, it will become the go-to platform for cybercriminals to gain sensitive information or cause huge reputational damage when silly mistakes are missed.
Social media has become the number one marketing tool for businesses, with 82% of organisations now using social media as a key communications and promotional tactic. It has become the window to a business, enabling companies to build a following, engage with clients and consumers, and share news and updates in a cost-effective way.
While it is a great tool for reaching target audiences and getting products, services and messages out, people often forget that there are also a number of security threats associated with social media accounts. Just by having a presence on the platforms, organisations of any size put themselves at risk of a cybersecurity breach.
There are a multitude of ways a security issue can occur via social platforms: everything from a DDoS attack to giving admin rights to the wrong person can affect the business negatively. However, there are three main ways in which social media regularly threatens businesses:
While it may not seem like a security issue, one of the biggest risks to businesses when using social media is that of reputation.
In 2011, an employee at Chrysler sent out a tweet on the company Twitter feed that contained expletives about people’s driving capabilities in Detroit. This sparked outrage, both on social media and in the press, and a statement of apology had to be issued, as well as the employee being fired for ruining the brand’s reputation. This is a common occurrence today. High-profile individuals, brands and organisations are regularly caught out for saying the wrong thing, or posting something inappropriate.
This can happen via the corporate account itself, or via employees who are associated with the company. It’s important that companies understand that the networks created on social media, including employees who use the company name on their own profiles, act as the face of the company. If an employee, director or owner posts pictures of themselves drinking excessively, or discusses views that aren’t held by the company, this is often attributed to the company itself, and the reputational damage can come down on the organisation rather than the individual.
The slip of a finger
A security issue via social media doesn’t necessarily have to be maliciously intended. In fact, over 60% of organisations attribute data breaches to employees, and this isn’t limited to sending an email to the wrong person.
With 64% of marketers confirming that social media is just one aspect of their job, it’s clear that many employees cannot always dedicate the time needed to properly manage corporate accounts. This is where mistakes happen and have the potential to ultimately cost businesses.
A common example is an employee responding to a private message and the reply ending up being sent to the wrong person. The contents of the message – often containing sensitive data about the request – are then shared with someone for whom they weren’t originally intended, causing a major compliance issue. A worse scenario is where that private message ends up being posted on the corporate public timeline. In this public setting, companies have to be conscious of the fact that this is not only a compliance breach, but a reputational issue as well.
With GDPR fines of up to €20 million (or 4% of global turnover), a small mistake like this can have big consequences. For example, if Google accidentally shared customer data on its corporate Twitter account, this could mean it faces a fine of $1.4 billion.
Phishing is a prevalent cyberattack method, often carried out via email as a way to steal sensitive information from businesses or to infect corporate networks with malware. However, it has become increasingly popular for cybercriminals to execute it on social media, tricking employees into allowing access to sensitive information about the company they work for.
Hackers have been known to send a direct message to employees asking them to click on a link to find out more about ‘an exciting new role’. When they click on the link, which actually leads to malicious content, the corporate network is flooded with malware that not only has the ability to steal data from the corporate network, but also sends Information Security and IT Managers into a frenzy to fix the situation.
LinkedIn in particular has the biggest challenge with this, because it isn’t something employees use sporadically. Sales people especially use the platform every day to find new business, track down information about people they’re going to meet and look for new job roles; this means that incoming messages from recruiters asking employees to click on a link – to a potential job role, for example – aren’t uncommon.
In addition to this, those using LinkedIn tend to use it via a laptop during working hours, so cybercriminals know they have more potential to reach the corporate network because laptops often offer the quickest route to the company server.
Awareness is at the heart of the issue
Social media use is now a part of our everyday lives – both personally and professionally. However, there are some simple steps that businesses should be taking to ensure everything stays safe on company social accounts.
All of the above risks can be mitigated by ensuring employees – from the C-suite down – are aware of the ways in which social media can be a threat to organisations. Employees should be trained on corporate social media policies and be given a ‘best use’ guide demonstrating what they can and can’t do on corporate social media accounts.
Information about cyberattacks via social platforms should also be shared and circulated, so employees know what to look out for as well as how to prevent a potential attack from happening.
Having simple practices in place that can be followed by the entire company, such as internal reviewing and a best practice guide for existing and new employees, will greatly reduce social media risks. Access to corporate social accounts should also be limited.
Not all employees should be given the passwords for the accounts; instead, the individuals who require access, or have been granted access, should have the login details sent to them privately and confidentially. These passwords should be changed regularly, and most definitely changed when an employee who previously had access to the accounts and the passwords leaves the organisation.
Social media is, and will continue to be, a great marketing tool for businesses. However, if companies continue to ignore – or misunderstand – the threat that it poses, it will become the go-to platform for cybercriminals to gain sensitive information or cause huge reputational damage when silly mistakes are missed.
Starting with employees, organisations need to mitigate the risks involved with using corporate social media accounts to ensure that they can continue to use platforms to promote their business without the threat looming over their every post.
Dr Guy Bunker is an internationally renowned IT expert with 25 years’ experience in information security and IT management. Before joining Clearswift in October 2012, Guy was a Global Security Architect for HP. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security. Previously, Guy was Chief Scientist for Symantec and CTO of the Application and Service Management Division at Veritas (acquired by Symantec).
Guy is a frequently invited speaker at conferences, including RSA, EuroCloud and InfoSec and has made many appearances as an IT expert on television, radio and in the press. He is a board advisor for several small technology businesses and has published books on utility computing, backup and data loss prevention. He holds a number of US patents and is a Chartered Engineer with the IET.