
With our ever-increasing reliance on the Internet for interpersonal relationships, it comes as no surprise that the use of social media has gained steam for professional relationships as well. Any new relationship-building tool, especially a digital one, is prone to new forms of risk and must be considered carefully before reputational damage (or worse) is done through carelessness. The FFIEC, SANS Institute, NIST, and others have all issued guidance on appropriate use of social media to extract value while reducing risk. Here are a few key points to consider when assessing social media risk:

How official channels are managed

Social media can be a powerful and rewarding tool to connect with new and existing clients, but managing these channels can be cumbersome. It is up to your organization to determine the best approach to maintaining an official social media presence. Many organizations have an official Facebook and LinkedIn page, but Twitter, Instagram, Google+ and many others offer even more opportunities to connect with an audience.

For example, if your organization will utilize an official Facebook page, who will have access to it? Marketing, human resources, executives, or some combination of business units? What will be posted? Upcoming community events, job postings, photos of staff? How will complaints be handled? There are an endless number of considerations to weigh before making decisions, and every organization is going to have different answers depending on what they consider worthwhile, their relationship with the community, and their ability to adapt quickly.

Understanding the pros and cons of maintaining a social media presence is a critical component of making appropriate choices. Remember, it has always taken months or years to cultivate relationships with clients, but only seconds to destroy them - and social media has made that process even swifter.

Whether internal access is allowed

Blocking social media sites through a web-content filter has lately been the topic of a heated back-and-forth at many organizations, as management and IT departments clash with users over what seems appropriate. From an organizational standpoint, restricting access to users has a two-fold benefit: users have less opportunity for distraction while at work, and the organization remains more technically secure as these sites are often targets for malware, file sharing, or other forms of inappropriate and undesired content. Users, however, counter that these sites can be useful as a stress release or for current events, or for use on breaks or other downtime.

It is up to the organization to determine whether access to such sites will be technically restricted, for whom, and for what reason. There is not a one-size-fits-all answer, so management and IT should work together to determine the organization’s risk and an appropriate response.
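As an added illustration of the "for whom, and for what reason" decision (this is example configuration, not from the original article or any vendor guidance), the following Squid proxy ACL fragment blocks a set of social media domains for the general user population, exempts the subnet that manages the organization's official accounts, and opens access during a fixed daily break window. The subnet ranges, domain list, and time window are placeholder assumptions and should be replaced with the organization's own values.

```squid
# Added example (not from the original article): a Squid web-content filter
# fragment expressing a per-group, per-time social media access decision.
# Subnets, domains, and the time window below are placeholder assumptions.

# Who is on the internal network at all
acl localnet src 10.0.0.0/8

# Who manages the organization's official accounts (e.g. a marketing subnet)
acl social_managers src 10.0.5.0/24

# When everyone may browse on a break: Monday-Friday, 12:00-13:00
acl break_window time MTWHF 12:00-13:00

# What is being controlled; a leading dot also matches subdomains
acl social_media dstdomain .facebook.com .twitter.com .linkedin.com .instagram.com

# http_access lines are evaluated top to bottom; the first match wins.
# A line with two ACLs matches only when both are true.
http_access allow social_managers social_media
http_access allow break_window social_media
http_access deny social_media

# Everything else: allow the internal network, deny anything unexpected
http_access allow localnet
http_access deny all
```

This assumes an explicit proxy, where `dstdomain` can match the host named in a browser's `CONNECT` request even for HTTPS sites; a transparent proxy without TLS interception would need SNI-based or DNS-based matching instead. Each `deny` is written to Squid's access log, which gives IT a record of how often the restriction is actually hit when revisiting the decision with management.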

How employees represent the organization

In all likelihood, your employees are connected to your organization on social media. Employees may follow an official company account, Facebook allows searching by employer, and LinkedIn is solely built around working relationships. It is therefore important for every employee to use professionalism and good judgement when using their personal social media accounts.

Employees should remain mindful of confidentiality standards, copyrighted materials, and any other information that should not be disclosed publicly. Anything posted by an employee, such as rude or derogatory language, inappropriate behavior, or intentionally harmful actions, could potentially be interpreted to represent the organization as a whole, regardless of intent. It is therefore important to coach employees on appropriate use of social media, and to have contingency plans in place in case an employee does cause reputational damage. Organizations should create or amend their acceptable use policies to cover social media activities, and should implement disciplinary procedures for handling noncompliance.

Protecting information online

The easiest way for an adversary to gain information about your organization is through social media. Your employees likely have multiple profiles across various sites, and depending on how privacy settings are configured, could represent a treasure trove of information that can be leveraged against you. A successful social engineering attack oftentimes only needs information that is publicly visible by default: first and last name, and a job title.

Did you know that Facebook offers a "View As..." option to see what your profile looks like to anybody else, including the public? Or that LinkedIn only displays detailed profile information depending on your degree of separation from that profile? Employers should be aware of the premium account options available on LinkedIn that can allow users to override privacy settings and view additional details on otherwise private accounts. Many sites also offer a third-party API, allowing access to stored data even if it is not publicly visible. A recent example from Microsoft allows Facebook to extract and share WiFi credentials via the new WiFi Sense feature in Windows 10. This represents a potential risk if employees are permitted access to an internal wireless network, which is especially common in BYOD environments, and then share the connection details with their friends. Social media sites change their security settings frequently, often with little notice or fanfare, so make sure that you and your employees know what to watch out for.

Consider adopting a policy that all employees must monitor the privacy settings of their social media profiles to determine what is publicly visible and ensure that it is appropriate, and under no circumstances accept a connection request from someone they do not know personally. You may want to include a tutorial on how to perform basic defense measures during annual security awareness training - not only for the security of your organization, but also for your employees' personal privacy and protection.

Tyler Butler
Editor-in-Chief at Implicit Deny
Tyler is the founder of Implicit Deny. He is an information security auditor with a special interest in bridging the gap between the professionals and the general public. He tends to be unnecessarily sarcastic.