Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.
If that were all it took.
In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information. Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.
While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.
Look at Your Settings—Often
When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings.
Read the Policies
Social media policies are written by lawyers, and even when expressed in “simple language,” are difficult to understand. At the same time, they lay out exactly what you agree to by using a program, website or application, and deserve a close read. Unfortunately, very few read the fine print. Companies should consider making employees aware of the basic terms and understand what they may be agreeing to.
Guard Your Birthdate and Security Question Information
Just as some people have “Starbucks names,” an alias they use to make ordering coffee easier or more discrete, consider whether it makes sense to put your birthday in your profile. It’s often a key security data point, and is used by financial institutions, health providers and others to validate identification. Posting online not only allows a user to enjoy best wishes on a special day; it is also a gift to a hacker. Likewise, guard against sharing the names of family members, your hometown, where you went to high school, and other such details. Many people use variations of these as passwords, and they are often part of security “challenge questions” some sites use to confirm your identity. Some savvy users have established false birthdates, families and even work histories to thwart bad actors.
Consider What You Put Online
It’s very tempting to post pictures while one is on vacation; it’s also a public notice that the user isn’t home, and often not in a good position to protect their data. It may not have the same immediacy, but it’s a good idea to wait until you are home from vacation to post photos. Also, be aware that what you post affects others – your posts may frustrate the good online hygiene of others. The more you post on social media, the more you can’t help but expose yourself, who you are, how you write, and what your interests are. This puts you and those you post about at risk for phishing attacks and doxing.
Be Crystal Clear What Employees Can Post About Your Company
Companies need to have clear and explicit policies about what employees can post to social media when it comes to company business. It’s not always obvious, or intuitive, that disclosure can be harmful. Imagine the casual “bunch of suits at work here today” post from a tech company employee. That’s an easy-to-read signal the company is being bought, or is courting investment. “Off to Texas to meet a top prospect” is equally damaging. Why give competitors clues to your plans? Decide whether you want your employees to identify themselves as such on Facebook or Twitter. Many people do so, and then claim their views are their own, not the company’s, which is little consolation after they’ve been provoked into a political dustup with a troll and HR, Communications and Legal need to take over.
Look at Who You Really Need as Friends or Followers
In the halcyon days of social media, many of us wanted to collect as many friends, followers or connections as possible – it seemed harmless enough, and demonstrated our popularity. These days, it just doesn’t make sense. Consider culling your lists. And beware of others who have poor social media hygiene, and limit your contact with them. Your feeds will improve dramatically, and you will have reduced the number of individuals who receive updates about you. Those who have done so claim it has the potential to make social media actually useful again.
We continue to learn the hard way that cybersecurity breaches are less about true hacking and the breach of a firewall, and more about human error and gullibility. Intelligent use of social media is an important step in strengthening your company’s defenses.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.