It is difficult to overstate the current backlash against social media. Social media giants are under attack from virtually all sources, including both governments and individuals. The #humblebrag du jour is a social media addict publicly stating the intent to close accounts, take social media sabbaticals and cull friend and follower lists, and boasting about how much better life has become after weaning themselves from the constant attention-drain – even if many do not follow through on the threat.
If you join the movement, you might be helping your company’s information security profile.
Social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold in their own right. But beyond that, they provide corporate hackers with enough information to guess passwords, whereabouts and interests, and provide enough data to craft sophisticated and effective spear-phishing emails – personalized missives that reflect the character and wording of the individuals they spoof, down to grammar, spelling and tone.
That’s why it’s so important to include a cybersecurity-focused review of your company’s social media policy and practices. If you aren’t going to set strict social media standards for C-level executives and consider conducting regular audits of their social accounts, then you at least need to educate them about the risk. Some of the key risks – but only the most obvious ones – are below.
Social Media Exponentially Increases Your General Exposure
Cyber risk in social media can be thought of in viral terms – the equivalent of going downtown and shaking hands and sharing your home address with every single person that passes by – hundreds if not thousands of people about whom you know absolutely nothing. And unlike work or personal email, where we’ve been trained to be suspicious about spam, links, and questionable attachments, we often have our guard down on social media. So some of us take quizzes, surveys and polls, or click on links that, if they came to us directly in our inbox, we would be naturally wary of. Bing! Malware installed. And as we know from recent disclosures, social media companies can collect personal information, with or without permission.
Here’s Another Cute Picture of My Password!
Many people use the same password, or variations on a theme, for multiple accounts: personal, business, and social. Unwisely, many of us choose familiar objects for our passwords: children’s names, hometown and year of birth, favorite sports teams, etc. These are particularly helpful to hackers who need to answer “challenge” questions – they can use your email address to reset your password, and your posted information to answer challenge questions. All of these are readily accessible on social accounts, and our activity likely highlights them, based on what we like or comment on. Add a 1, 0 or & and your passwords are likely hacked before you can like the next photo of your nephew’s dog passed out on the couch.
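As an added example (not part of the original article), here is a check a defender could run when a user sets a new password: it rejects candidates built from facts the user has shared publicly, even when characters are swapped or a digit or symbol is tacked on. The function names and the sample facts are assumptions constructed for illustration.

```python
import re

# Fold common character swaps onto one canonical letter so "M1lo" and "milo"
# compare equal. The same fold is applied to the password and to the facts,
# so digits in a birth year still match. It is deliberately conservative:
# "l" and "1" both fold to "i", which may over-flag a few passwords.
_FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
                       "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def _canon(text):
    """Lowercase, fold substitutions, then drop all but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_FOLD))


def _words(facts):
    """Split each public fact into words or numbers of 3+ characters."""
    found = set()
    for fact in facts:
        for word in re.findall(r"[A-Za-z]+|\d+", fact):
            if len(word) >= 3:
                found.add(word)
    return found


def derived_from(password, facts):
    """Return, sorted, the public-fact words hidden inside the password."""
    folded = _canon(password)
    return sorted(w for w in _words(facts) if _canon(w) in folded)


# Constructed sample: what a profile might reveal (pet name, team, birth year).
FACTS = ["Milo", "Denver Broncos", "1985"]

if __name__ == "__main__":
    for candidate in ["M1lo1985&", "Br0nc0s!", "correct horse battery staple"]:
        hits = derived_from(candidate, FACTS)
        print(candidate, "->", "REJECT " + ", ".join(hits) if hits else "ok")
```

A check like this belongs alongside, not instead of, screening against known-breached passwords, since it only knows the facts it is given.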
#Hashtag Me at Brunch/at a Conference/on Vacation/at the Team Offsite
Posting personal information enables phishing engineers to use it against us. When a hacker customizes an email with this information, we are much more likely to click on a link or acquiesce to a request, especially if it appears to come from someone we know.
Consider the following email.
Hi June. Sounds like you had a great time in Colorado (recipient’s Facebook vacation photo). Now that you are back, we are moving ahead with the Kemper project (team offsite tweet). They’ve added Ben, whom you’ve met, to the team (LinkedIn), and he’s serving as project manager. We’re pivoting a bit, and leading this off with a $10,000 pilot project ASAP. Please send the funds to Ben this week so they can get started, to this account. Gotta run; I’m out rafting the Grand Canyon and off the grid (purported sender’s Facebook post). We’ll catch up when I’m back in two weeks. Best, Tom
If June is a diligent team member wanting to push the project forward, she may take this at face value and transfer the funds. Other professionals have been hit with similar scams, such as this one directed against anti-money laundering professionals at credit unions, as reported by Krebs on Security, using what seems to be non-public data to bolster phishing claims.
In summary, social media is an unnecessary trail of bread crumbs that distributes cybersecurity risk with, as many are finding, very little true personal reward. In my next post, I’ll suggest practices to reduce risk. For now, understand that the social media habits of your employees and executives need to be a key component of your cyber defense planning, and merit a sophisticated review by IT and legal professionals.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.