What Can a CISO do to Mitigate Social Media Risks?

Finjan Team | Blog, Cybersecurity, data security


Social media replaced the workplace ‘water cooler’ long ago as a primary channel for exchanging corporate and personal information, both officially and unofficially. Despite the controversies over how certain social networks treat, use and resell personal data, social network growth continues at a healthy annual pace of 4 to 6%. Estimates say that over 2.77 billion people worldwide will visit or use at least one social media site in 2019. That is roughly 1 out of every 3 people!

What is interesting, and perhaps unforeseen by social media’s founders, is how social media evolved beyond person-to-person communication and became part of the corporate landscape. Social media now plays a big role in enterprise communication strategies. From innocuous announcements about corporate meetings and social events to influencing public opinion, social media and social networks are core tools in the enterprise communications arsenal, which is why social media should be a top ‘care-about’ in the CISO office.

CISOs Should Have Social Media Usage on Their Radar

One of the dark sides of social media is that it represents a huge threat vector. Not only does it provide a path for a variety of network security attacks, but the misuse of social media can harm an organization’s reputation and brand. IT executives should be aware of the two main ways social media can hurt a business or non-profit:

A Gateway for Malicious Applications, Malware and Social Phishing

  • When social media is accessed over an enterprise network, attackers can use it to deliver malware, gain a foothold and rapidly expand within the organization. These exploits are well documented.
  • While an enterprise-owned computing device may (and should) have malware defense software installed, increasingly sophisticated attacks will circumvent these defenses.
  • Employee-owned mobile phones, tablets and computers may carry malicious software that is then passed on to other devices and systems when they are used on the enterprise network.
  • Social phishing, a huge attack vector that entices users to click malicious ads, links or offers, can show up on both enterprise and employee-owned devices. Social media phishing, primarily via Facebook and Instagram, saw the highest quarter-over-quarter growth of any industry with a 74.7 percent increase, according to the Vade Secure Phishers’ Favorites report for Q1 2019.

Negative Impact to an Organization’s Reputation and Brand

Sometimes a clever marketing ploy backfires, yielding very real and devastating consequences.

Large, visible brands and organizations, including Pepsi, Adidas, United Airlines, McDonald’s and Uber, have been called out for saying the wrong thing or posting inappropriate content on social media. At a minimum, these examples are embarrassing. But some have also resulted in lawsuits, stock price declines and firings.

Building Your Social Media Use and Security Strategy

It is now table stakes for CISOs to actively monitor and manage, to the extent they can, the use (and potential misuse) of social media within their enterprises. Here are three tips that serve as guardrails in building your social media use and security strategy.

1. Document a Social Media Policy as Part of Your Overall Security Strategy

As mundane as it may sound, every organization needs one. It will help mitigate security threats, negative PR and legal issues. At a minimum it should include: 

  • Guidelines that define proper use of social media for personal versus corporate use
  • Guidelines for explaining how to talk about your organization, products and brand on social media
  • Copyright and confidentiality guidelines
  • An approval process for posting social media for corporate purposes
  • Advice for how to recognize malicious software, malware and phishing exploits in social media
  • Guidelines for using personal devices on an enterprise network (likely already covered under your general security policy), which should include
    • Minimum standards for personal devices used on a corporate network
    • Password creation, maintenance and sharing policies
  • Actions and notifications in the event of a social media related compromise and/or crisis

2. Educate and Train Your Teams on Social Media Best Practices

As with other aspects of infrastructure, application and network security, teams need to be educated and trained. Training provides a mechanism to verbalize what is in a manual or document, making it more real and actionable, and teams will be more engaged and take more ownership. Over and above providing a platform to review both security and social media best practices, training can also educate teams on the latest social media tools, tips and tricks.

3. Audit Social Media Activity and Reactions

Those responsible for social media management should take an active role in reading daily posts and flagging anything that is questionable or runs afoul of the organization’s guidelines. This includes channels that seem dormant, as any post can go viral in a matter of hours. Monitor all the conversations and accounts relevant to your brand. Comparing published posts with your team’s content calendar ensures that only approved content appears online. Most importantly, immediately flag anything questionable and get your social media team and communications team in sync to determine a course of action. The faster risky content is neutralized, the better. After all, if the content turns out to be legitimate, you can always repost it.
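The audit step above can be automated as a reconciliation job: every post pulled from your accounts is matched against the approved content calendar (same channel, same text, published within a tolerance of its scheduled time), checked against the list of channels the communications team actually operates, and screened for terms the policy says never to post. The script below is an added example written for this page, not Finjan’s code or any vendor’s tool; the account names, calendar entries, posts and policy terms are constructed sample data, and in practice the posts would come from each platform’s API export rather than a hard-coded list.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Post:
    channel: str        # "platform:account"; hypothetical account names below
    post_id: str
    posted_at: datetime
    text: str


@dataclass(frozen=True)
class CalendarEntry:
    channel: str
    scheduled_at: datetime
    text: str
    approved_by: str    # who signed off under the corporate approval process


# Constructed sample data (not real accounts, posts or calendar entries).
ACTIVE_CHANNELS = {"twitter:@acme", "facebook:@acme"}

CALENDAR = [
    CalendarEntry("twitter:@acme", datetime(2019, 6, 3, 9, 0),
                  "Join us at the Acme Summit on June 20. Register now!", "comms-lead"),
    CalendarEntry("facebook:@acme", datetime(2019, 6, 3, 9, 0),
                  "Join us at the Acme Summit on June 20. Register now!", "comms-lead"),
]

POSTS = [
    # Approved post, published 4 minutes after its slot (double space is harmless).
    Post("twitter:@acme", "t-1001", datetime(2019, 6, 3, 9, 4),
         "Join us at the Acme Summit on June 20.  Register now!"),
    # Nobody approved this one.
    Post("twitter:@acme", "t-1002", datetime(2019, 6, 3, 14, 30),
         "Our competitors' new product is a joke."),
    # Published from a channel the comms team thought was dormant.
    Post("linkedin:acme-events", "l-1003", datetime(2019, 6, 3, 16, 0),
         "Happy Friday from the whole team!"),
    # Unapproved and leaks internal information.
    Post("facebook:@acme", "f-1004", datetime(2019, 6, 3, 9, 2),
         "Q3 numbers look great - INTERNAL ONLY, do not share outside Acme."),
]

# Phrases the (hypothetical) social media policy says must never appear publicly.
POLICY_TERMS = ("internal only", "confidential", "do not share")


def normalize(text):
    """Collapse whitespace and case so trivial edits still match the calendar."""
    return re.sub(r"\s+", " ", text).strip().lower()


def find_approval(post, calendar, window):
    """Return the calendar entry that authorizes this post, or None."""
    for entry in calendar:
        if (entry.channel == post.channel
                and normalize(entry.text) == normalize(post.text)
                and abs(post.posted_at - entry.scheduled_at) <= window):
            return entry
    return None


def audit(posts, calendar, active_channels, policy_terms, window=timedelta(hours=2)):
    """Map post_id -> list of reasons the post needs human review."""
    findings = {}
    for post in posts:
        reasons = []
        if find_approval(post, calendar, window) is None:
            reasons.append("not on approved content calendar")
        if post.channel not in active_channels:
            reasons.append("published from a channel not in active use")
        lowered = post.text.lower()
        reasons.extend(f"matches policy term {term!r}"
                       for term in policy_terms if term in lowered)
        if reasons:
            findings[post.post_id] = reasons
    return findings


if __name__ == "__main__":
    for post_id, reasons in audit(POSTS, CALENDAR, ACTIVE_CHANNELS, POLICY_TERMS).items():
        print(f"{post_id}: " + "; ".join(reasons))
```

Only t-1001 passes; the other three are reported with the reason each one needs a second look. The time window matters: without it, an old approved message reposted months later would pass as "approved", and a compromised account replaying approved text outside its slot would go unnoticed.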