3 Social Media Security Risks for Government Employees

November 10, 2015

These days, everyone, even government employees, are on social media. Some agencies even allow for limited personal use of government resources such as laptops and official time to check or update social media. But when could the Facebook and Twitter habits of government employees be putting their agencies – and the publics they serve – at risk?

Connecting With People You Don’t Know

Social media makes it easier than ever for people all over the world to connect with one another. For government employees, though, connecting with someone that they don’t actually know can pose a serious security risk. It is very easy for an adversary to create a false Facebook account and then begin “friend”-ing people who are either known as government employees or identify themselves as such on social media. Once these adversaries have connected with employees, they can track status updates, new connections, even likes and shares to begin to put together a picture of what is going on at an agency and potentially use that information for their own gain.

To prevent adversaries from gathering this information, it’s critical that government organizations remind employees that there’s no reason to friend or connect with someone on social media if they don’t actually know that person. Agencies should establish social media security policies that require employees to validate the identity and authenticity of a new connection before allowing access their social profiles.

Sharing Too Much Information

In addition to being careful about who they connect with, it’s critical for federal employees to be extra cautious about what information they share on social media. Seemingly simple updates such as “Headed downtown for a meeting this afternoon…” or “Excited about spending the next two weeks in Europe” are exactly the types of information that can become dangerous if it falls into the wrong hands.

Unfortunately, government agencies have adversaries out there who are actively trying to get this information. The process of sharing information and connecting with unknowns is something that can easily get federal agencies in trouble, if not through a cybersecurity breach, then with the government itself. There are existing social media policies against these practices, even though many government employees don’t realize it. They’re designed to protect agencies and employees, but both can find themselves in serious trouble if they do not follow and enforce these policies.

Security leaders should have specific policies in place about what information is acceptable for employees to share on social media, and what is not. Security professionals should also work with IT staff and HR professionals to enable employee communications while ensuring they stay secure. Remind employees that when they talk about where they work, being a federal employee, or having access to certain information on social media, they are setting themselves and their agency up as a target. Establish best practices, such as to simply not identify yourself as a federal employee on social media.

Separating Business and Personal

To help government employees enjoy the benefits of social media while at the same time protecting against cybersecurity threats to their agencies, one of the easiest and most foolproof things to do is to keep separate accounts.

In today’s always-connected world, separating your personal and professional lives offline can be tricky, and it’s no different on social media. It’s important to keep in mind the differences between the various social media platforms.

On social media platforms where you might connect and engage with people on a more personal level, such as Facebook or Twitter, it’s best for employees to avoid using their official titles. It can also be wise for employees to add a disclaimer to their profile, stating that the views expressed are their own and not that of their employer.

With professional networking sites such as LinkedIn, employees may choose to include biographical information about their current job status and employment history. This type of identification as a federal employee is acceptable under current policy, and if employees are careful about their privacy settings, who they connect with, and what they share, it also comes with minimal security risks.

It can be tricky for some government employees to balance the line between acting in an official capacity and their lives as private citizens, especially on social media where the lines are easily blurred. Security leaders should encourage employees to establish separate accounts to help keep things clear for everyone. They should also reinforce the fact that interactions on social media are really the same interactions as in real life. If employees wouldn’t share information about their work with a stranger on the street, they shouldn’t be sharing it on social media.

Greg Kushto is the Director for Security at Force 3, The Network Security Company.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.