Don’t Overlook LinkedIn as a Corporate Security Risk
Social media platforms such as Facebook, Twitter and Instagram, as well as specialized social networks and encrypted messaging apps, have come under attack for facilitating violent extremism and serving as laboratories for violent ideology. Since the Christchurch mosque shootings in March, governments are again discussing social media clampdowns as they gain greater awareness of far-right extremism. The threat these leaders are trying to address is very real, but from the standpoint of corporate security and other corporate risk functions, I’m more worried about the often ignored risks associated with LinkedIn, including those pertaining to corporate espionage, fraud and phishing, operational security, workplace risk and reputational risk.
Why LinkedIn Matters
Before we get to discussing these dangers, it is worth thinking about why LinkedIn matters in the first place. While the platform has an active user base that puts it below the top 10 largest social media sites, LinkedIn is the platform of choice for professionals. It is the most used social network by Fortune 500 companies and according to Louis Camassa, Managing Partner at EMPATH brand consultancy, “LinkedIn is where most Fortune 500 decision-makers and executives like to spend their spare time.” This means that LinkedIn is what we call in security a “target-rich” environment, a one-stop shop for threat actors who seek to leverage social media to target major enterprises, executives and other employees.
What You Need to Watch For
So, what are the main risks corporate security professionals need to be watching for as we use LinkedIn? I would argue there are at least five:
- Corporate espionage – if you’ve been reading the news lately, you’ll know that almost every week a case of foreign state-backed corporate espionage is uncovered in the U.S. LinkedIn serves as a connection tool that can be exploited by those seeking secrets, as demonstrated by the recent case of former CIA officer Kevin Mallory, who sold state secrets to China. The effectiveness of LinkedIn as a tool of choice for threat actors is not surprising. While some professionals still use LinkedIn only as a Rolodex of existing contacts, the platform encourages users to make new connections, whether to support a job search or simply to expand their virtual professional network.
- Fraud and phishing – tricking people into clicking malicious links is a tactic that is far older than LinkedIn and defrauding them through impersonation or other means is ancient. Yet LinkedIn does provide an inviting pool of targets for scamming and social engineering. Career-focused individuals, especially if desperate for a next step, may be more likely to engage and to overlook the signs of fraud.
- Operational security – remember when you took some personal information off your Facebook profile in the wake of the company’s many data privacy scandals over the past couple of years? I do, and yet my LinkedIn profile is a repository of open-source intelligence (OSINT) on my life, and if someone wanted to know where I am on any given weekday, they could use my account to find out. What is more, when I had less information on my profile, LinkedIn kept insisting that I add detail or lose out on the professional networking benefits. Some individuals in the middle of a job search even place their full resume on the site, home address included. Having a very public profile on LinkedIn is a calculated risk that I choose to take, but I am not a company executive or a public figure. For them, exposure of such information could greatly heighten their security vulnerability.
- Workplace risk – whereas influencers on Instagram or Facebook can be seen peddling lifestyles, brands, or politics, LinkedIn has become a hub for career philosophers. These individuals collect likes and shares by expressing views on ideal workplaces, ideal managers, and ideal job searches, among other topics. Most of the content is inspirational and aspirational for followers but can also serve to create unrealistic expectations and grievances. Anecdotally, several workplace violence investigations conducted by AT-RISK later revealed the instigator to have expressed such grievances through the platform.
- Reputational risk – LinkedIn can also create several forms of reputational risk for users. To begin with, how you represent yourself is much more likely to be tied, even if implicitly and unintentionally, to your current and former employers than on other forms of social media. If you are an intelligence and investigations professional who shares “fake news” without conducting basic due diligence, for example, it is highly likely that you and your firm will lose credibility.
Corporate Security Professionals, You’re Not Exempt
In early February, I was contacted through LinkedIn by a foreign security professional with seemingly impressive credentials, including a PhD from a military university as well as a leadership position in a veterans’ organization. My initial inclination was to admit the professional into my circle; he was from a country where I have few security industry connections and we seemed to share an interest in intelligence and investigations. A bit of profile digging, however, quickly revealed a manifesto that included a demand for further scrutiny of and “ending the speculation about the Holocaust.” Subsequent media searches also showed that the so-called veterans’ union was involved in violent activity and had links to far-right organizations, including one that was banned by Facebook as a hate group in April. Security professionals are on the front lines of maintaining their employers’ or clients’ safety and reputational integrity, so I decided to decline the invite. I implore my security colleagues to be as aware of their virtual environment as they are of their physical surroundings, or, like nearly 50 of my current LinkedIn connections, they will have clicked “accept” and potentially exposed themselves to serious reputational fallout.