Social media is appealing because humans are inherently social creatures. We like to connect, share and discuss. But it’s clear that sometimes, these impulses take a wrong turn in the remote, detached online settings where social media takes place.
A key issue with social media use – one that’s often not understood or even recognized – is the cybersecurity risk it introduces. This risk doesn’t only affect individuals; if you are an employer, your employees’ social media behaviors may create significant risk to your organization.
It’s necessary to understand how malicious actors gather information about your employees from social media platforms, particularly through digital artifacts, relationships and the aggregation of personally identifiable information across platforms.
1) Everyone’s Information Has Value
Once you create a digital profile, your information is available for everyone to see. That makes it available to be harvested by malicious actors. People tend to repeatedly use similar images, usernames and email addresses for different platforms. They also use those email addresses for other, more sensitive online activities, like banking. Every time you put a piece of information online, it puts you at greater risk.
It’s surprising how many people believe their online information isn’t a target for bad actors. They assume that since they aren’t rich or famous, no one would be interested in it. But the money in your bank account is of interest to criminals; your computer can be compromised and used as a resource to target other people of interest to criminals. That means every person is of some interest to a criminal.
2) Oversharing Creates Risks for Curated Phishing
Everyone knows someone within their social media circle who overshares – that virtual social butterfly with way too many “friends” who offers a running commentary on everything they are doing, everywhere they are going, every personal problem they’re having.
What most people don’t know is that this kind of oversharing can open a person up to the risk of spear phishing and similar attacks. Why? The more information an attacker can string together about you, the more likely they’ll be able to create a realistic-seeming email or text that you will engage with.
For employers evaluating a prospective employee, a habitual over-sharer is at a higher risk for phishing attempts, which then puts the company at risk. And that leads into the next point.
3) Bad Actors Can Aggregate Data Across Forums
Every bit of information you put on your social media accounts is a potential data point, but it’s not only about the content you share. Bad actors can gather information from the memes and quizzes you fill out. It’s a seemingly harmless diversion to respond to memes like “Your secret agent name is your mother’s maiden name plus your favorite color.”
What else do those answers remind you of? How about the security questions that sites ask to recover passwords? First pet, first car, favorite color and so on. It’s been shown that some of these quizzes are created by malicious actors to gain access to your online accounts.
One or two bits of information aren’t likely to be dangerous, but if you become the target of an attack, the bad actor will look for more information across your social accounts. Any content that’s publicly available is of potential use. For instance, if bad actors can find your business email address easily, they can use that info to attempt a Business Email Compromise attack.
4) Relationships Can Be Leveraged for Information
In addition to what you share and what others share with you, your social media connections also pose potential risk. A clear example comes from the Cambridge Analytica scandal. When you post something and your friends like it, comment on it or reshare it, that’s now a relationship that’s exposed if that post is publicly available.
Even if your accounts are private, there’s still risk. For instance, your Facebook profile image is public, and some of your connections can comment on your profile image if you’ve recently changed it.
Even if you don’t share your interests, location or education history, an attacker can conduct pattern analysis across relationships or life pattern analysis. They can derive information about you just from your relationships, whether you share it or not. In fact, this is one of the most valuable tactics attackers use.
5) Disinformation on Social Media Leads to Business Risk
Attackers are taking advantage of disinformation and misinformation. For instance, malicious actors could take advantage of a recent data breach by sending an email like, “Your account has been compromised” or “You’re locked out of your account. Click here to change your password.”
These attackers are taking advantage of the individual’s decision cycle to get access to corporate computer systems, sensitive information, bank accounts and more.
Social Safety: Strong Policy is Needed
These days, social media is about more than being social. It’s become a business necessity, but it’s also now a potential security liability. Attackers have adapted their methods so that they can glean important facts about your employees from social media to develop stealthy phishing campaigns and other social engineering-based attacks.
Make sure you have a strong social media policy in place and that you enforce it. Also, consider monitoring the social media of your employees, as well as your corporate social presence. Such steps will help you stay ahead of social cyber risk.
About the Author:
Aaron Barr is the CTO of PiiQ Media