Balancing the cyber risks of social media with the benefits

 

By Ross Thomson, Principal Consultant, Amethyst Risk (cyber security specialist)

A known target for rogue employees and criminal hackers, social media can look like a portal to peril, so should we continue to use it? My view is yes, we definitely should, but we must do so with an element of caution.

I believe the benefits of social media for businesses far outweigh the risks. From market research to targeted advertising, social media allows us to build relationships and brand loyalty that translate into more sales.

To prevent those benefits being undermined by cyber threats and other dangers, we simply need a common-sense approach to managing risk.

The threat can come from many quarters. A disaffected employee could use social channels to post damaging content, while another employee might accidentally post sensitive material. Unhappy customers might place damaging content on your social channels. Meanwhile, criminal groups could be using your streams to identify individuals to target with “phishing” scams or placing malware in social media messaging. Unscrupulous competitors and hackers might be looking to break into your systems through social media, while single-interest groups can commandeer your own social forums and use them to protest against you.

It’s an unnerving idea. The first thing you can do to protect your business is to take stock of the vulnerabilities.

Consider this. It’s reckoned that ten per cent of people will click on anything in a social media stream without considering that it might be a cyber risk. Your business’s social media channels may have insufficient privacy settings in place. That may also be true of key individuals within the business, for example your directors’ personal LinkedIn, Facebook or Twitter profiles. I recommend that you keep on top of those privacy settings and fine-tune them for your business needs.

One obvious area for attention is that many firms allow uncontrolled usage of social media by employees with little or no monitoring. Employees and directors should be educated about the risks. For example, they should know to think twice before clicking on shortened URLs in social media updates that give no clue where the link will take them. It’s worth noting that social media messaging systems, such as Facebook Messenger or Twitter’s Direct Message, may have less powerful security filters than your email systems, so scams that would be detected and go straight to junk or quarantine in email may get through via social media.

Pay attention to passwords. It’s remarkable how few people take the time to protect themselves and their businesses in this way. Simple passwords are easy to hack, so use strong passwords – long chains of special characters, numbers and a mix of upper and lower case letters. Wherever possible, go for two-factor authentication as well.

Some of the scarier security risks for businesses include the posting of inappropriate content that leads to reputational damage or even legal corporate liability. Accounts can be hijacked by hackers, and social media is a way that identity thieves can swot up on their victims. Once again, common sense goes a long way to protecting individuals and their employers. For example, if you have a top secret security clearance and work at a nuclear weapons facility, you shouldn’t be posting about it on social media.

Perhaps the single most important lesson to learn when it comes to assessing vulnerability is to accept this basic premise – people are fallible – and proceed accordingly.

So what security controls can businesses put in place? I recommend six areas for your attention.

  1. Control access – make it clear who can use social media at work and especially who has access to your organisation’s social media channels

  2. Have an “acceptable use” policy so employees know for what purposes they can use social media at work, and what would be unacceptable

  3. Control publication of content on your social media channels – an important aspect of this is to ensure your marketing team are properly trained to create your social media output and manage your social media channels

  4. Review privacy settings across your business’s social media profiles and pages

  5. Train people – ensure everyone is aware of the dangers

  6. Have good IT hygiene – make sure Windows or other operating systems are up to date, and install security patches for your OS and third-party applications such as Adobe and Java

This all involves a certain amount of work and management time, but it is certainly worth it to ensure you benefit from the advantages of social media without leaving yourself open to risks. Every journey starts with a single step. Begin by doing this one thing: Use strong passwords.