As our lives become more and more digital and increasingly connected, information security (infosec) seems to have become a continuous cycle of good and bad news. The story is always the same: A highly visible breach takes over the headlines, the weakness the cyber criminals uncovered is identified, the general public is assured that new measures have been put in place to address the vulnerabilities, and other enterprises follow suit. And then the cycle begins all over again as hackers find another way in.
In any enterprise, especially in regulated industries like financial services, government and healthcare that deal with high volumes of critical data, infosec must be at or near the top of the executive priority list. In a breach-prone world, enterprises that handle sensitive personal or corporate information need all the help they can get in the form of awareness, advice and peer support on how to manage this growing challenge. Interestingly, though, the daily influx of stories about securing critical information rarely includes discussion of one particular area of risk: social media.
As companies continue to adopt the use of social across the enterprise for things like marketing, customer care, sales and market research, social media is rapidly becoming a new point of exposure and an infosec threat vector. Lapses in security around this platform can damage brand reputation, spread misinformation, leak data or even cause financial harm. High-profile examples from this year alone include ISIS sympathizers’ takeover of the U.S. CENTCOM Twitter handle and similar hacking crises with Delta, Newsweek and the Twitter CFO’s accounts, but even key guidance like the SEC’s April 2015 cybersecurity bulletin still fail to mention social media.
Social media is a unique enterprise application platform because the individual owns the account or “license,” not the enterprise, making it more challenging for firms to manage risk. It presents other exceptional challenges for enterprises in any industry, in that the rate of adoption continues to skyrocket, new social networks are introduced with remarkable frequency, and existing networks are constantly changing their functionalities, privacy policies and core algorithms. Trying to keep up with all the changing points of exposure can seem impossible and has perhaps led to turning a blind eye to discussing or addressing infosec at all when it comes to social.
It is a common occurrence for organizations to be paralyzed by the risk, effectively outlawing social altogether in the absence of an obvious solution to the infosec issue. Once a technology has a foothold with an employee base, however, that’s just not a realistic course of action, and to deny the many benefits of social media for the business would be shortsighted.
Rather, firms need to acknowledge and embrace social and extend guardrails to keep activities secure and compliant. Part of that process is employee education, but the technology exists today to contain the risk by putting processes, checks and balances in place to pre-review, moderate and monitor employee social media activity. Regardless of a firm’s tolerance for risk, there are solutions available today to make social media a safe and effective channel for business.
Here are four common types of social media infosec threats that enterprises need to scrutinize and address:
Leaking Sensitive Information: This is the threat grounded most directly in human error, and it’s usually an innocent mistake. Employees may accidentally (or overtly) share personally identifiable information (PII) or inside company information on Facebook, Twitter or LinkedIn, particularly when using functionality like direct messages on Twitter or InMail on LinkedIn, where it seems like the information is being shared privately between two parties.
Fraud/Phishing: Just like with email, cyber criminals can hack and hijack corporate social media accounts or create confusingly similar aliases, misrepresenting companies or individuals. This could cause employees or consumers to divulge sensitive information because they believe they are interacting with the “official” brand.
Malware/Trojans: Most people who have ever used a PC or newer piece of mobile technology are aware of this type of threat, usually transmitted through hyperlinks to viruses. These viruses may corrupt the user’s device or gain access to private information elsewhere on the computer or the firm’s network. Despite users’ familiarity with the typical tricks to get them to click, these types of schemes are craftily making their way into social streams by taking advantage of users’ trusted contacts to get them to click or share links.
Compliance Pitfalls: In regulated industries, compliance with complex rules from regulating bodies like the SEC, FINRA or IIROC is a necessary reality. The rules are designed primarily to protect the consumer from being misled by incorrect information. This means that information shared by employees, like financial advisors, must be constantly monitored and reviewed to ensure compliance with industry regulations.
In essence, companies should acknowledge, engage and protect social the same way they handle other electronic communication channels. This includes creating firm-wide policies around the use of social, training employees to protect themselves, the enterprise and consumers, and finding adept technology partners to help manage risks in an automated, scalable way.
Infosec threats through social media are increasing in lockstep with adoption. As the threat vector gets wider, people intent on exploiting weaknesses sense a new opportunity. Inventorying the risks, knowing what to look for and having a plan in place will go a long way to ensuring that a company can use social media safely and effectively to generate business and manage client relationships.
