Social Media as a Growing Threat to the Workplace

Author: Chris McGowan
Date Published: 28 March 2023

As of 2021, 4.5 billion people—more than half of the global population—possessed a social media account.1 Social media platforms connect people and facilitate simple methods of sharing information. The first social media platforms were created to help people share personal information to connect with friends, family, coworkers and users with similar interests.2 As the popularity of such platforms grew, so did their features and functionality, allowing for more personalized and interactive user experiences. Websites such as Facebook and Twitter serve as online communities where people can share personal information as they choose. Other websites such as Digg and Reddit make it easier to find specific information or images.3 Use of social media varies, but, anecdotally, many people consider the growing number of platforms solely in a personal-use context.

But social media platforms have also become vital to business and marketing. Social media platforms allow enterprises to improve brand awareness, are cost effective, facilitate customer engagement, can improve brand loyalty and may even increase customer service levels.4 With these benefits comes added responsibility and security and privacy implications.

Failing to prioritize the security and privacy of a social media account can result in negative consequences spanning both the personal and professional worlds. Of the 2, the latter may adversely impact enterprise resilience. Reputational damage, loss of customer trust, compliance violations, decreased employee productivity, and compromised intellectual property and/or sensitive data are just several of the possible outcomes of a poorly managed social media platform.5

Despite its benefits in terms of connecting people, sharing information and community building, there are legitimate concerns when social media is used in a nefarious manner. Examples of this include promoting disinformation and targeting persons electronically (e.g., cyberbullying, harassment). Whereas propaganda is nothing new, social media and questionable data collection techniques (i.e., privacy dark patterns) are seemingly pitting consumers and organizations against each other because they create information disparities that favor the organization over the individual. By using dark patterns to obscure or manipulate the information that users need to make informed decisions about their privacy, organizations can gain access to more user data than they might otherwise be able to obtain.

Social Engineering and Phishing on Social Media

Common account security questions can easily be answered by seeking information about the target on various social media platforms. By asking seemingly random questions, malicious actors can use social engineering to obtain the information necessary to answer security questions required to reset a password (e.g., the name of a first pet, mother’s maiden name). Alternatively, they could send phishing messages posing as a legitimate entity (e.g., bank, email provider) asking for personal information to verify identity for a password reset.

Security education and awareness trainings have made strides in educating employees about certain security red flags to look for on social media (e.g., requests to send sensitive information, spelling errors). Training programs and awareness materials (e.g., posters, newsletters) help keep employees informed and educated about the risk of social media, which is a critical aspect of information security. This knowledge helps create a culture of awareness and responsibility, which can go a long way in preventing social engineering attacks and other security breaches.

Despite their newfound knowledge, employees are still likely to share information on social media. Particularly when employee profiles are correlated to places of employment, the availability of this public information increases the effectiveness of social engineering efforts. For example, a malicious actor could leverage information gleaned from social media accounts about an upcoming class reunion. Posing as a classmate, the malicious actor could increase the likelihood of success in an email compromise through the use of a tailored phishing email campaign. This believable impersonation effort would allow the threat actor to gain the trust of the target account holder and leverage it for malicious purposes.

Information can be garnered not only from one’s personal social media account; information such as employee names, job titles, email addresses, and telephone numbers found on an organization’s social media profile can also be used to target employees with spear-phishing attacks, social engineering tactics, competitive intelligence gathering, and identity theft. To prevent this, it is important for organizations to be aware of the information they share publicly and limit the amount of sensitive information they disclose.

Social Media and Employee Mental Health

The growing popularity of social media, coupled with an always-on society, appears to underscore a growing mental health crisis that is sure to further strain the healthcare provider ecosystem and/or increase absenteeism in the workplace. A distracted employee can be a significant threat to information security because they may be more likely to make mistakes or take shortcuts that can leave systems vulnerable to attack or compromise.

The impacts of social media on an enterprise are numerous and can affect employee mental health. Employees with mental health issues may have trouble focusing on and completing tasks, leading to lower productivity levels. They could also have difficulty communicating effectively with colleagues, which can lead to misunderstandings and delays in completing projects, and possible security missteps. Alexey Makarin, an assistant professor at the Massachusetts Institute of Technology (MIT) Sloan School of Management, Cambridge, Massachusetts, USA, stated, “people who use more social media may become more depressed, or conversely, people who are more depressed may be more active on social media.” Makarin believes that social media enterprises and policymakers must work to alleviate social media’s potentially harmful effects on mental well-being.

But for enterprises, social media issues exceed human resource impacts. From an adversarial standpoint, social media platforms are a low-risk way to conduct reconnaissance and target enterprises or key persons within them. Gathering information about individuals by looking at their posts, comments and connections on social media platforms remains relatively easy to do when so few people use multifactor authentication (MFA) or employ strong privacy settings.

Conclusion

As the use of social media continues to grow, it is crucial that individuals and organizations be vigilant in protecting their information and privacy. Social media platforms are prime targets for cybercriminals hoping to steal personal information, spread misinformation, and carry out phishing and other scamming activities. Enterprise security education and awareness training programs should be routinely reviewed and tailored to increase employee awareness and education regarding an enterprise’s unique threat landscape. By raising awareness of potential threats, taking necessary precautions (e.g., enabling two-factor authentication [2FA], not sharing sensitive information online) and abiding by a thorough social media policy, individuals and organizations can better protect themselves.

Endnotes

1 Walsh, D.; “Study: Social Media Use Linked to Decline in Mental Health,” Massachusetts Institute of Technology (MIT) Sloan School of Management, Cambridge, Massachusetts, USA, 14 September 2022
2 Maryville University, Town and Country, Missouri, USA, “The Evolution of Social Media: How Did It Begin, and Where Could It Go Next?”
3 Rastogi, K.; “How Can Social Media Be Misused,” iPleaders, 17 May 2016
4 The Edge Picture Company, “5 Reasons Your Business Needs Social Media”
5 DeLoach, J.; “10 Ways Social Media Impacts Your Risk Profile,” Corporate Compliance Insights, 6 March 2018

Chris McGowan is the principal of information security professional practices on the ISACA Content Development and Services team. In this role, he leads information security thought leadership initiatives relevant to ISACA’s constituents. McGowan is a highly accomplished US Navy veteran with nearly 23 years of experience spanning multidisciplinary security and cyberoperations.