How Social Media Can Threaten Your Organization’s Cybersecurity
Facebook has recently made headlines, and, somewhat unsurprisingly, not for a good reason. It has been revealed that phone numbers, email addresses, full names, and other details of half a billion users were made public in a massive data breach. “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” reads the statement by a senior executive at Facebook, which tries to justify why the company chose not to notify those affected by the incident.
Social media platforms have been at the center of discussion in the past few years: how they handle user data, their advertising practices, etc. However, in the midst of heated conversations about the practices of the tech giants, organizations need to be aware of another risk posed by social media platforms – the cybersecurity danger that can jeopardize the integrity of organizational networks and data.
How social media can undermine the security of your digital infrastructure
Organizations often overlook how social media fits into their cybersecurity practices. “It’s employees’ personal space, and we don’t feel comfortable dictating the rules or monitoring our employees’ social media accounts.”
While regulating employees’ social media behavior is indeed a controversial topic, there are a number of threats that you, as an organization, need to be aware of and take measures to counteract.
- Employees using the same password for all personal and business accounts. Social media platforms store enormous amounts of data on their users: emails, passwords, usernames, posting history, messaging history – the list goes on. At least 71% of users use the same password for multiple online accounts (source: https://www.statista.com/statistics/763091/us-use-of-same-online-passwords/). This means that if a social media platform gets hacked and user passwords are stolen, cybercriminals will attempt to apply these passwords to as many accounts as they can associate with the users. Your organizational access points are among them.
- Employees conducting business communication via social media messaging apps. Whether it’s sharing such sensitive data as log-in information with one another, discussing ongoing projects, or revealing any other business-related information, your organization risks having its system hacked or proprietary and sensitive information leaked.
- Social media social engineering attacks. Only about 3% of malware attacks go after technical vulnerabilities. 97% try to trick users through social engineering tactics. And, while 94% of social engineering attacks are delivered via email, social media platforms are increasingly targeted by malicious actors. In the same way email can be used to send malicious links and attachments, your employees can get targeted through their social media accounts.
For example, it was recently announced that a hacking group was targeting professionals on LinkedIn in a spear phishing attack, whereby users would receive highly personalized fake job offers. Opening the job offer triggers a series of events, resulting in that person unknowingly installing backdoor malware.
- Unknowingly sharing sensitive, private, or privileged information. Sharing such information as the street they grew up on, the name of their first pet, or mother’s maiden name is personally dangerous for your employees, but it also puts your organization’s network at risk. The same way that this information can be used to hack personal accounts, it can be used to gain access to corporate networks. There are numerous other ways in which your employees may unknowingly share sensitive information. For example, an employee might record a TikTok video while at work, discussing matters that have nothing to do with your organization. What this employee didn’t realize, however, is that his co-worker has his password on a post-it attached to his computer in the background. Or a nurse shares a picture with a patient who has made a recovery, revealing this patient’s name and proudly announcing that the patient beat a serious disease, thereby unknowingly violating HIPAA.
How to protect your organization from social media cybersecurity threats
While you can’t monitor your employees’ social media accounts – be it for ethical or regulatory reasons – you can invest in educating them. Your cybersecurity training must incorporate responsible social media behavior in areas that may impact your organization.
Education is a crucial aspect of the overall cybersecurity strategy and can significantly reduce the risk, but you have to have multiple lines of defense. To that end, enable multi-factor authentication, install VPNs on personal and business devices, and install top-of-the-line anti-malware and anti-virus software.
Furthermore, you need to have a strong password management system that will centrally monitor access, track password status, generate passwords, and enforce password policies.
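One way a password policy check can address the reuse risk described in the first threat above, shown as an added example that is not part of the original article: it rejects a new password that appears in a breach corpus, or that is a trivial edit of one. The sample corpus, the 12-character minimum and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a breached-password corpus; a real deployment would
# load SHA-1 digests from a breach dataset rather than plaintext samples.
SAMPLE_LEAKED = ["Summer2019!", "qwerty123", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in SAMPLE_LEAKED}

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def sha1_hex(text):
    # SHA-1 is used here only as a lookup key into the corpus,
    # never as a way to store passwords.
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def near_variants(password):
    """Yield the password plus the trivial edits users make when 'changing' a
    reused password: different case, or one or two extra trailing characters."""
    seen = set()
    for trimmed in (password, password[:-1], password[:-2]):
        for form in (trimmed, trimmed.lower(), trimmed.capitalize()):
            if form and form not in seen:
                seen.add(form)
                yield form


def check_password(username, candidate, breached=BREACHED_SHA1):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    local_part = username.split("@")[0].lower()
    if local_part and local_part in candidate.lower():
        problems.append("contains_username")
    if sha1_hex(candidate) in breached:
        problems.append("breached")
    elif any(sha1_hex(v) in breached for v in near_variants(candidate)):
        problems.append("breached_variant")
    return problems
```

Running the check when a password is set or changed means a credential leaked from a social media breach is refused before it can become a working login on an organizational account.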
Provide your employees with secure communication methods outside of email. Whether it’s a text-based messaging platform or a video-chat tool, carefully vet and select applications that your employees can use to efficiently and securely communicate information.
Finally, ensure your organizational environment is physically protected. There should be no post-its with login information, access to the server room must be restricted, and sensitive information should never be lying around.