Why Social Media Data Breaches Should Push C-Suites to Change Their Digital Risk Approach

Google's announcement that it's shutting down Google+ because of a data vulnerability is the latest example in a series of shocking social media privacy scandals. These recurring issues demonstrate just how difficult it is to secure a large, complex system, or protect subscribers and corporate customers from a multitude of other cybersecurity threats. Here are some recent headlines:

• Facebook Security Breach Exposes Accounts of 50 Million Users
• U.S. accuses China of 'super aggressive' spy campaign on LinkedIn
• Battling Fake Accounts, Twitter to Slash Millions of Followers
  

While this may be unnerving for the billions of consumers using these platforms, this situation should be alarming to the boards of companies that rely heavily on social media advertising and customer engagement activities to fuel business growth. The stakes are high, if indicated by the level of social media advertising spend, which is forecasted to reach US $68 billion globally in 2018.

Cyber threats unleashed through social media data breaches and account contamination include:

• Malicious attacks - Bad actors target digital assets with direct account takeovers, malware, phishing re-directs, or bot attacks
• Brand Impersonation - Bad actors intent on scamming customers set up fake accounts, divert revenues, and conduct other fraudulent activities, all at the expense of the brand
• Brand & Reputational Damage - Often the target of bad actors for social engineering campaigns or digital sabotage; angry customers intent on revenge, or even innocent posts, can result in brand damage
• VIP Exposure - Often high profile executives are targets of impersonations, spear-phishing (aka whaling), bot attacks, doxxing campaigns, and more
• Data Loss & Data Privacy Risk - Sensitive information accidentally/deliberately leaked can results in IP loss, unauthorized financial disclosures, and privacy violations (PII, GDPR, HIPAA); all of which can result in heavy penalties & litigation exposure

The Tipping Point

Perhaps, the Google announcement is finally the tipping point? Although Google+ had been struggling, it was not shut down for low usage. It was shuttered for a major data vulnerability. 

The time has come for companies to proactively build the cyber security capabilities necessary to protect their organizations from the persistent vulnerabilities in social media, and to assure the sovereignty of their digital properties. Security teams routinely invest in additional defenses for email systems, and no company has ever concluded when faced with email attacks that the solution is to shut down email and just live without it. (Reverting to homing pigeons and smoke signals make for funny jokes in breach meetings, but are not to our knowledge carried out). Given social media's impact is often better than email for customer acquisition and engagement, why not just protect it?

As CMOs and CISOs remain some of the most critical stakeholders for social and digital networking engagements, we recommend a teaming approach to put an effective digital risk defense solution in place.

Start with this process:

1. Initiate Digital Risk Assessment - Kickoff project (CMO & CISO to co-sponsor)
2. Map Digital Footprint - Determine active social/digital channel engagements; may include social, collaboration, mobile, and/or back office cloud applications (CMO-led)
3. Survey User Activity - Conduct due diligence to confirm channel usage, sanctioned or permissible employee accounts, and flag unauthorized users including former employees and third-party agencies (CISO-led)
4. Identify Vulnerabilities - Investigate existing risk exposures, prioritize vulnerabilities and channel coverage requirements (CISO-led)
5. Determine Solution Requirements - Understand operational considerations for time-to-threat detection and time-to-threat remediation. Agree on budget and obtain sign-off on investment plan (CMO & CISO - jointly)
6. Select Solution & Deploy - Place channels under governance of digital risk protection solution (CISO-led)