Businesses of all sizes have leveraged social media to increase brand awareness and connect with consumers, both locally and globally. However, the rapid growth of social media use has outpaced many businesses' awareness of the cyber risks that come with it.
While some individuals and businesses are familiar with common cybersecurity issues, businesses also need to understand how social media affects their security posture, both through their employees' personal accounts and through the channels their customers use to reach them.
Why Social Media is Vulnerable to Cybercrime
Almost 4.8 billion people worldwide use one or more social media platforms, or just over 59% of the global population. While social media platforms help users keep in touch with friends, connect with customers, and promote businesses, they also increase people’s and businesses’ exposure to cyber threats in the following ways.
Increased Risk of Social Engineering Attacks
While social media has become an essential marketing tool for modern businesses, using social networks also increases a business's exposure to social engineering attacks. Social media channels enlarge a business's attack surface by exposing internal information and employee contacts that cybercriminals can use for phishing, credential theft, data theft, or other scams.
The same applies to the personal social media accounts of employees. Every post in each social media profile connected to a business could contribute to a cybercriminal’s ability to use social engineering techniques or other methods to compromise business systems and data. Once a digital profile is created, information is typically visible to the public. The more information the user uploads, the greater the risk of cybercrime.
A common example is cybercriminals using fake accounts to trick unsuspecting users into handing over personal information or access credentials, or into clicking links that download malicious software.
If an employee has their social media account hacked or stolen and they also have access to the business social media account, it could be
People who post frequently and with personal information on social networking sites pose a particular threat to businesses. Not only can they put themselves at risk by sharing confidential information — such as travel plans, business data, or patient information — but they also provide cybercriminals with a library of information they can leverage in the following ways:
- Spear phishing attempts, which target individuals with more detail and accuracy than generic phishing by referencing things the target actually recognizes, such as a current news item or a financial document they are known to handle;
- Whaling attacks, which use the wealth of information gleaned to target senior executives and manipulate them into performing a secondary action, typically a transfer of funds;
- Spoofing, in which a cybercriminal impersonates an individual or organization to obtain confidential data.
Social media connections can pose another cybersecurity risk because user engagement — likes, shares, and comments — exposes relationships useful to cybercriminals attempting fraudulent activity, such as phishing, spoofing, and impersonation.
Exposure to a user’s social media relationships also increases cyber risk by allowing cybercriminals to make inferences about the user. Even if they have hidden their interests, location, and other information, analysis of a user’s profile can lead to potential identity fraud or theft.
Some popular quizzes and puzzles on social networking sites provide cybercriminals with information to help them achieve unauthorized access to respondents’ accounts.
Fun or psychological online tests may seem harmless, but even those not designed maliciously collect personal details such as a mother's maiden name or a first pet's name. Personal preferences are not exempt either: favorite teacher, first car, or childhood street are exactly the kinds of security questions commonly used for password and account recovery.
When a user has profiles on several social networking sites, this can help a cybercriminal build a more complete picture of who they are, which can help them launch an attack against the individual or the business with which they are aligned.
Unsecured Portable Devices
Social networking apps make it very convenient for people to use social media on the go. The average user spends about 2.5 hours daily on social media, most through mobile devices. About 35% of the US population only uses social media via mobile apps.
This introduces the risk of information being stolen from lost or stolen devices. Many users enjoy the convenience of a social media app that stays logged in and opens with a single tap, but anyone holding an unlocked device enjoys the same convenience: the persistent session means they can act as the account owner without ever authenticating.
From here, the bad actor can access personal data, sometimes including credit card data, confidential business data, customer lists, or other more sensitive information. They can also post as the individual or business to commit further crimes, such as distributing malicious links to the user’s connections, launching realistic, targeted phishing attacks against everyone in their friend lists, running scam campaigns, and spearheading other cyber attacks.
Business Cyber Risks Associated with Social Media
Cybercriminals are proficient at mining social media sites for private information and at manipulating social media users.
Posting on social media can reveal more information than many users realize, including:
- Contact information
- Date of birth
- The time of the post, which can be used to infer information about the poster
- The location from which the post was sent
- Locations identifiable from photos or videos
- Links to friends and other users
- Links to people tagged in the post
- Faces identified by the network's facial recognition or tagged by other users
Considering the potential for account compromise, the primary business cybersecurity risks posed by social media are related to social engineering attempts, identity theft, and the proliferation of malware.
Users should also consider attacks that use artificial intelligence (AI) to assemble the available information into a complete profile of a targeted user or business. For example, AI can now generate polished, error-free phishing messages that closely imitate a company's genuine communications and are hard to tell apart from the real brand or domain. Impersonation attacks may pose as an online business to trick its existing customers into making payments or purchases.
How to Reduce the Cyber Risks of Social Media Use
Modern consumers expect businesses to maintain an online presence, including on at least one social media site. The use of social media has become a business necessity for trust, visibility, customer reviews, research and comparison purposes, or the ability to directly contact the business itself. Fortunately, businesses can limit the cyber risk associated with social media.
Social Media Access Control
Large businesses often have teams that maintain their social media presence, from post creation to social media messaging and responding to customers. The fewer people with access to social media accounts, the smaller the attack surface, and the easier it is to identify, contain, and mitigate a breach.
Assigning one person oversight responsibility for social media gives the business's accounts a clear owner. That individual must also be trained in social media security, including not revealing business information and recognizing impersonated accounts that could endanger customers.
Furthermore, businesses must revoke account access when no longer required, for example, if the social media manager changes roles or leaves the company.
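The access-control points above (few account holders, one accountable owner, revocation on role change or departure) can be turned into a repeatable review. The following is an added example, not code from the original article: a Python access review that reconciles a constructed HR roster against a constructed export of who can act on the brand account. The employee ids, roles, the list of roles entitled to access, the 90-day staleness threshold and the one-admin limit are all assumptions chosen for the illustration.

```python
"""Access review for a shared brand account (added example, not from the page).

Assumes two constructed exports: an HR roster keyed by employee id with
employment status and job role, and the platform's list of who can act on
the brand account with their access level and last-login date.
"""
from datetime import date, timedelta

# Roles whose duties include the brand account (assumption for this example).
SOCIAL_ROLES = {"social media manager", "community manager", "marketing lead"}
MAX_ADMINS = 1                    # one accountable owner, per the policy above
STALE_AFTER = timedelta(days=90)  # unused access is a standing risk

# Constructed HR export: employee id -> (employment status, job role)
ROSTER = {
    "e101": ("active", "social media manager"),
    "e102": ("active", "marketing lead"),
    "e103": ("active", "sales engineer"),         # mover: left marketing
    "e104": ("terminated", "community manager"),  # leaver
}

# Constructed platform export of everyone who can act on the brand account
PLATFORM_ACCESS = [
    {"id": "e101", "level": "admin", "last_login": date(2024, 5, 28)},
    {"id": "e102", "level": "admin", "last_login": date(2024, 1, 15)},
    {"id": "e103", "level": "editor", "last_login": date(2024, 5, 20)},
    {"id": "e104", "level": "admin", "last_login": date(2024, 3, 2)},
    {"id": "agency-x", "level": "editor", "last_login": date(2023, 11, 1)},
]


def review(roster, access, today):
    """Return (who, action, reason) findings for the account's access list.

    action is "revoke" (no longer entitled), "review" (entitled but unused)
    or "reduce" (too many admins remain after the revocations).
    """
    findings = []
    keep = []  # entries that survive the entitlement checks
    for entry in access:
        status, role = roster.get(entry["id"], ("unknown", None))
        if status != "active":
            # leavers, and logins with no roster record at all (e.g. an agency)
            findings.append((entry["id"], "revoke",
                             f"not an active employee (status: {status})"))
            continue
        if role not in SOCIAL_ROLES:
            # movers: still employed, but the new role does not need the account
            findings.append((entry["id"], "revoke",
                             f"role '{role}' does not need brand-account access"))
            continue
        keep.append(entry)
        idle = (today - entry["last_login"]).days
        if idle > STALE_AFTER.days:
            findings.append((entry["id"], "review", f"no login for {idle} days"))
    admins = [e["id"] for e in keep if e["level"] == "admin"]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", "reduce",
                         f"{len(admins)} admins remain ({', '.join(admins)}), "
                         f"limit is {MAX_ADMINS}"))
    return findings


if __name__ == "__main__":
    for who, action, reason in review(ROSTER, PLATFORM_ACCESS, date(2024, 6, 1)):
        print(f"{action:7} {who:9} {reason}")
```

Run against the constructed data on 1 June 2024, the review revokes the leaver, the colleague who moved to sales and the agency login that has no roster record, asks for a look at an entitled admin who has not signed in for 138 days, and flags that two admins remain against a limit of one. The admin count is taken after the revocations so the finding reflects the state the account will be in once the review is acted on.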
Apart from ensuring that the brand and its messages are consistent across platforms, this individual should maintain good communication with the IT department to monitor and mitigate risks.
They should review social media security controls and threats regularly because cybercriminals continually develop scams, strategies, and malware. Social monitoring or listening tools can help organizations keep track of brand mentions, which can help identify suspicious account activity.
Social Media Policy Implementation
A clear, company-wide social media policy should be readily available so everyone in the organization, including the C-suite, knows what the organization recommends to protect sensitive and confidential information and what is categorically prohibited.
As part of a broader social media strategy, the policy document should detail the brand’s official social media channels and how employees can use social media. Guidelines for social media use need to cover both personal and professional use.
In addition to helping a firm maintain a brand voice and identity, the social media policy helps ensure that users steer clear of regulatory compliance issues, conduct communications without discrimination or harassment, and adhere to social media security protocols.
At a minimum, the social media policy should cover the following areas:
- Roles and responsibilities regarding social media accounts, including posting, customer service, and advertising
- Who to contact with questions or concerns regarding social media
- Guidelines regarding taking online quizzes and prohibiting vulnerable or suspicious third-party apps
- Copyright and confidentiality rules aligned with official regulations
- Personal and business use of social media accounts
- Guidelines regarding strong password creation and maintenance
- Instructions about social media privacy settings
- Enabling two-factor (2FA) or multi-factor (MFA) authentication
- Whether the firm has a Bring Your Own Device (BYOD) policy
- How to identify spam, phishing attempts, and other potential cyberattacks
- Requirements regarding keeping devices and software up to date
It’s important to note that social media policies are not meant to be restrictive. A firm’s employees can be its greatest brand ambassadors as long as they can post safely and securely with some corporate social media guidelines and training.
Social Media Training
Social media training builds on the social media policy to ensure people are familiar with the cybersecurity practices that improve social media security and have the skills to follow them. Training works best with dialogue, so learners can engage with the topic and ask questions. Social media training should cover the following areas:
- Avoiding oversharing - Posting personal information provides the information cybercriminals need to create more realistic phishing attacks or commit identity theft.
- Portable device security - Many users leave their phones unlocked and unattended, making it easy for cybercriminals to access personal information and logged-in accounts if the device is stolen or lost.
- Avoiding public Wi-Fi - Using social media over untrusted, public Wi-Fi hotspots is a significant risk because such networks are more susceptible to hackers intercepting communications. HTTPS protects most app traffic from passive eavesdropping, but rogue hotspots and fake captive-portal login pages can still capture credentials.
- Rejecting unknown friend requests - Cybercriminals send friend requests from authentic-looking accounts that share mutual friends, hoping users will accept and open the door to a social engineering attack. They also use compromised accounts, so the approach appears to come from a legitimate source, to steal data or money.
- Auditing privacy settings - Each social media network provides controls that can change who has access to a user’s information, including phone numbers, the time they posted the message, their date of birth, location, gender, or personal and professional connections. Privacy settings allow users to decide what gets shared with whom, so businesses should encourage account managers to check their settings regularly to ensure this layer of protection from social media threats remains effective.
Social Media Monitoring for Employees
Some businesses monitor their employees’ use of social media, including their personal usage. It’s another way a business can protect itself from cyber risk via social media if the employee is carelessly sharing (knowingly or unknowingly) confidential company information through personal channels.
Openly monitoring employee social media accounts allows a business to enforce its social media policy. From a cybersecurity standpoint, the firm can use this monitoring to safeguard confidential information and help maintain organizational security.
Social Media Verification
LinkedIn’s Community Report reveals that the firm’s automated defenses prevented almost 16.5 million fake accounts from being registered in the first six months of 2022 alone. This highlights the benefits of a business having its online accounts verified. With a simple verification process, consumers can be more confident when interacting with verified business accounts.
This may highlight a security gap in smaller businesses that do not have active social media accounts. Cybercriminals could possibly use publicly-available information to post as the business, potentially harming the company by misinforming followers, spreading inappropriate, damaging brand mentions, attempting scams, or distributing malware.
This is a particular risk for unclaimed and unused social media accounts. Businesses should claim profiles in their names on each major platform even if they are not yet ready to use them; an unclaimed name can be registered by an impersonator, and a dormant account is an attractive target because a takeover is unlikely to be noticed quickly.
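The monitoring paragraph earlier in the page (brand-mention tracking that surfaces suspicious account activity) and the impersonation risk described here both come down to spotting handles that mimic the official one. The following is an added example, not code from the original article: a small Python triage that lower-cases handles, strips separators, folds a short table of confusable glyphs (digits and Cyrillic letters that resemble Latin ones) to ASCII, and flags handles that equal the brand name after folding, that append a service word such as "support", or that are merely very close. The brand "acmebank", its allowlisted support account, the confusables table, the service-word list, the 0.8 similarity threshold and the observed handles are all constructed for illustration.

```python
"""Flag social-media handles that look like a brand's official one.

Added example; the brand "acmebank", its allowlisted support account and the
candidate handles below are constructed, not real accounts.
"""
import unicodedata
from difflib import SequenceMatcher

# Characters an impersonator swaps in for their ASCII look-alike. This is a
# small, hand-picked table for the example, not a full Unicode confusables list.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "|": "l",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
}
SEPARATORS = "._-"
# Words impersonators bolt onto a brand name to pose as a service account.
SERVICE_WORDS = ("support", "help", "official", "care", "team", "desk", "verify")
SIMILARITY_THRESHOLD = 0.8  # assumption; tune on the platform's real handle set


def skeleton(handle: str) -> str:
    """Reduce a handle to a comparison form: lower-case, diacritics stripped,
    confusable glyphs folded to ASCII, separators removed."""
    out = []
    for ch in unicodedata.normalize("NFKD", handle.lower()):
        if unicodedata.combining(ch) or ch in SEPARATORS:
            continue  # drop accents split off by NFKD, and . _ -
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify(candidate: str, brand: str, allowlist=()) -> tuple[str, str]:
    """Return (verdict, reason) for one observed handle.

    verdict is "official", "impersonation", "suspicious" or "unrelated".
    The allowlist holds the brand's genuine secondary accounts, which would
    otherwise trip the brand-plus-service-word rule.
    """
    if candidate.lower() in {h.lower() for h in (brand, *allowlist)}:
        return "official", "exact match with a known account"
    b, c = skeleton(brand), skeleton(candidate)
    if c == b:
        return "impersonation", "identical after folding confusable characters"
    for word in SERVICE_WORDS:
        if c in (b + word, word + b):
            return "impersonation", f"brand name plus service word '{word}'"
    ratio = SequenceMatcher(None, b, c).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return "suspicious", f"similarity {ratio:.2f} to the brand handle"
    return "unrelated", f"similarity {ratio:.2f}"


def triage(observed, brand, allowlist=()):
    """Return only the handles that need a human look, worst first."""
    order = {"impersonation": 0, "suspicious": 1}
    hits = []
    for handle in observed:
        verdict, reason = classify(handle, brand, allowlist)
        if verdict in order:
            hits.append((verdict, handle, reason))
    return sorted(hits, key=lambda t: (order[t[0]], t[1]))


# Constructed sample: the brand, its real support account, and handles seen in
# a brand-mention feed. None of these are real accounts.
BRAND = "acmebank"
ALLOWLIST = ["AcmeBank_Help"]
OBSERVED = [
    "acmebank", "AcmeBank_Help", "acme.bank", "acm3bank", "\u0430cmebank",
    "acmebank_support", "acmebanks", "acmeblank", "randomuser42",
]

if __name__ == "__main__":
    for verdict, handle, reason in triage(OBSERVED, BRAND, ALLOWLIST):
        print(f"{verdict:13} {handle!r:22} {reason}")
```

On the constructed feed, the separator variant, the digit substitution, the Cyrillic first letter and the "_support" handle are all reported as impersonation, while the two near-misses are reported as suspicious for a human to check. The allowlist matters: without it the brand's own "AcmeBank_Help" account is flagged by the service-word rule. The check only covers name mimicry; an impersonator that copies the brand's logo and bio under an unrelated handle still has to be caught by the monitoring team.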
Cybersecurity Culture Development
Creating a culture of cybersecurity is an excellent way to defend a business and its people from cyber threats. It begins with ensuring that cybersecurity is a key theme at the boardroom level, then uses innovative strategies and campaigns, ongoing training, and drills to ensure cybersecurity awareness messages trickle down to the entire workplace.
The disadvantage of this approach is that it takes time — and money — to build a mature cybersecurity culture. The benefit, however, is a workplace where everyone understands, values, and is proactive about cybersecurity and remediating vulnerabilities.
It's challenging to remediate vulnerabilities when unvetted mobile devices are involved. For this reason, social media training should impress on staff the importance of keeping all portable devices updated and running antivirus and anti-malware software. Such software will mitigate or remediate some threats, protecting users and their organization.
Incident Response Plans
Hopefully, an organization won't need to use its incident response plan, but if a data breach or cyber attack does occur, the plan will help reduce its impact.
For example, it may be necessary to lock down the organization's social media accounts and every related account involving the stolen information. To do this quickly, the company should map the scope in advance by determining which assets are directly or indirectly tied to the social media accounts, such as the email addresses and phone numbers used for recovery and any connected third-party apps.
The roles and responsibilities detailed in the company's social media policy should be mirrored in the incident response plan. If the origin or impact of an incident involves social media, this information will be critical, as will social media messaging as part of the response to the incident.