From local corner shops to global organizations, social media has had a transformative effect on marketing, customer service, knowledge-sharing, and even recruitment and hiring. Companies need to leverage social media to maintain their visibility and build closer relationships with their customers. However, the ability to engage instantly with millions of people around the world also comes with risks. So how can companies mitigate the risk of using social media in business?
While marketing leaders tend to be nervous about employees saying the wrong thing on branded social channels, most enterprise security teams still haven’t come to terms with the reality of social media cyber security threats. Social networks are among the easiest platforms to exploit. Cybercriminals routinely use them for carrying out spear-phishing attacks or conducting research into potential victims for use in targeted social engineering attacks.
Bad actors go where they know critical mass exists: volumes of data records, personally identifiable information (PII), and users. Social media checks every box.
Despite the risks, avoiding social media altogether is neither realistic nor desirable from a business perspective. At the same time, it is also unrealistic to completely eliminate the risks. What companies can do, however, is ensure that their marketing, security, compliance, legal, and support teams have a thorough understanding of the risks of using social media.
To manage these new digital risks on social media, organizations first need enhanced visibility into official and unofficial channels. You can learn more about this in our webinar with the CMO of Capital One, Peter Horst. Companies also need the ability to act against threats in real time, at the scale of social. They need a full picture of threats to official brand channels in order to remediate compromised accounts and prevent data loss.
Second, organizations need visibility across other channels, such as outside social channels, the deep web, and the dark web. While social media is a primary threat vector, today's cyber attacks are complex and multi-channel. Defense structures cannot be siloed.
To secure social media, enterprises will need an overarching security strategy, powered by the right technology, to maintain complete visibility and mitigate risk.
Social Media Risk Assessment: What Does Your Attack Surface Look Like?
Account Takeover (ATO) attacks present attackers with a choice: they can attack externally, for example by launching phishing scams against customers from the hijacked account, or they can take the more insidious route of a silent takeover. This poses a huge risk for businesses using social media. With access to social accounts, attackers can often gain back-end access into an organization or into other cloud-hosted services such as Dropbox, where marketing teams may keep shared assets. Moreover, from a taken-over account, attackers can spread malware to company employees and other contacts "under the radar," as it were, through direct messages. This is precisely how the Turkish hacker group Ayyildiz Tim launched and quickly spread a coordinated ATO attack against high-profile media accounts on Twitter.
While a company with just one or two accounts might not have much to worry about in this respect, larger organizations often have a much wider social attack surface due to the sheer number of accounts they operate. For example, a company might have multiple accounts on various platforms for different departments, lines of business, or even individual high-profile employees. That is when it becomes critical to ensure that none of these accounts ends up compromised. As more front- and back-office operations move into social, the risk of using social media for marketing, and of compromising sensitive data, grows.
Brand and Reputation Risks
Spear Phishing & Data Loss
Most people know not to post confidential information on social media, but even non-private information can pose a danger. On one hand, social platforms want to collect as much data about their users as possible for advertising purposes. On the other, the public availability of such data also makes things easier for attackers.
Compliance & Legal Risks
4 Steps Toward Mitigating Social Media Risks
Armed with a thorough understanding of your social media attack surface, you must develop a documented protocol to mitigate the risks. Ensure employees are fully aware of the policies and procedures. Administrators must also implement a comprehensive solution for enforcing these measures.
Step 1: Gain Visibility into Known & Unknown Social Media Assets
You can’t protect your house if you don’t know how many rooms you have. One of the most important components of any digital social media security strategy is an all-encompassing approach that provides complete visibility into digital assets.
Start by identifying every social media account belonging to your brand across all departments. This should be a shared responsibility of the CIO/CISO and the CMO, since the latter is usually responsible for the teams managing social media channels. Your policy should also make it explicit that access is revoked immediately for employees who leave the business and that inactive accounts are closed. A clear inventory of social pages and accounts will clarify your company’s potential social media risk.
Step 2: Establish Control Over Brand Assets
A robust cybersecurity strategy typically starts with the principle of least privilege, by which users only have access to the systems and data that are necessary for their jobs. In the case of social media, there’s no reason to give everyone in the marketing department access to all the accounts you use.
Identify and limit the number of social media users and their access rights in your company. Many businesses have a social media manager who takes charge of all posts, even those written by someone else. Similarly, businesses usually need only one person to answer customer complaints on social media. The degree of freedom you should give your employees will vary depending on factors like training and the size of the business.
Step 3: Respond to Threats in Real-Time
Conflict can escalate in seconds on social media, as the examples we’ve explored here have demonstrated. Whether an attacker attempts to take over your Twitter account, or a botnet is summoned to downvote your videos on YouTube, you need an established social media security protocol in place to deal with the matter before it gets out of control.
Real-time detection of malicious content or account takeover attacks is the first step. Minor threats can typically be dealt with using pre-approved responses, while more serious conflicts may need intervention from specific members of your team. Ensure you have the ability to lock down accounts, quarantine malicious content, or revert account profiles in the event of compromise.
Step 4: Protect Assets with a Proactive Defense
Your enterprise should also proactively monitor for cyber threats and for risks to brand reputation from imposter social media accounts. This can include scanning the deep and dark web, or searching in overlooked areas like app stores and e-commerce sites. Security is as much about adapting to new and emerging risks before they become active threats as it is about responding to them.
Use your company protocol to outline the expectations regarding how your employees should behave, and be sure to add an additional section dealing with the use of personal accounts. For example, some companies require employees to disclose their affiliations when discussing work-related matters on their personal social media pages. Finally, when commenting on matters of business, even those authorized to speak for your brand must clearly state that their own views are not necessarily those of the company they represent.
A company present on Facebook, Twitter, and LinkedIn may have 100,000 posts to review each week and tens of thousands of accounts. If it takes a human only one minute to review a post and take appropriate action, more than 40 people working 40 hours per week would be required.
Businesses need to extend their perimeter to include social media, which remains invisible to most security teams. To make it happen, you’ll need a way to monitor every bit of information that leaves your business through both private and public channels. Your goal is to reduce risk and mitigate attacks before they start.
SafeGuard Cyber was developed to eliminate the need to manually monitor social channels, as well as others like mobile chat and collaboration platforms. Instead, it provides the tools administrators need to enforce their policies, while automation helps teams cope with scale and prioritize the risks that matter most.