Using social media is, without a doubt, one of the most popular online activities that internet users engage in. Businesses have also discovered how to leverage social media to create opportunities for their brands. However, the use of these platforms has also created many risks. Not only can a bad social media post spiral into a full-blown PR crisis, but social media has become a data channel that cybercriminals exploit regularly to steal sensitive corporate information or cause huge reputation damage. Many businesses create a social media policy for their organization but often don’t understand how to fully protect themselves.
The Social Media Policy
It is said that 3.96 billion people and 88% (and rising) of companies currently use social media platforms worldwide. Despite its high usage, social media culture is still relatively new territory for both employers and employees. Businesses have recognized that unwise social media can create detrimental outcomes, but the social media policies these companies develop show a level of naivete when it comes to understanding risk.
The corporate social media policy is often a document that resides in a company’s intranet rarely unchanged from the date of inception. It is often a standard practice to include the social media policy at point of employee on-boarding as part of the contractual process between employee and employee. Typically, the contents of the policy are centred around the do’s and don’ts of employee usage, regulatory or compliance obligations and will explain expectations in terms of employee conduct online. For example, Dell Global’s Social Media Policy is reported to be as follows:
- Protect Information
- Be Transparent and Disclose
- Follow the Law, Follow the Code of Conduct
- Be Responsible
- Be Nice, Have Fun and Connect
- Social Media Account Ownership
The overall goal is to set expectations for appropriate behaviour and ensure that an employee’s usage will not expose the company to legal problems or public embarrassment.
The example policy is also remarkably vague. There are probably a couple of reasons for this. Today’s HR departments are very sensitive to employee privacy concerns. There may be a reluctance to lay down specific rules for behaviour that may seem subjective and intrusive.
However, there is a difference between something that is embarrassing and something that is dangerous. Many companies like this are clearly not concerned about network security implications and how employee actions online may compromise both personal and corporate security. The reality is that there is a real need for specific rules (or at least “tips”) regarding how employees present personal data about themselves on social media.
Social media content is highly susceptible to cybercriminals
Social media usage exposes company networks to hacks, viruses and privacy breaches. How? Social media encourages people to share personal information or Personally Identifiable Information (PII). Even the most cautious and well-meaning employee can give away information they should not or accidentally disclose sensitive company information. With this data, cyber criminals who use social engineering techniques can more effectively exploit the gullibility and misplaced trust of many social media users – having serious consequences for those users and their employers’ networks.
All it takes is one mistake. According to the latest EY Global Information Security Survey 59% of organizations had a “material or significant incident” in the past 12 months. Research also found that 21% of organizations have been infiltrated by malware via Facebook and 13% report that their organization has been infiltrated by malware via YouTube. So, what can be done to reduce the risk and ensure your employees and your brand are protected?
The Social Media Policy: What you can do to safeguard against potential attacks
The first step should be to implement a detailed and effective social media policy. While 80% of businesses report having a social media policy in place, the reality is the majority of policies (58%) could be described as general in nature – only 28% have a detailed and thorough policy. So, what additional guidance should your social media policy include? Be focused on data exposure as much as reputation. Here are just a few examples of some rules to publish to get started:
- Don’t accidentally describe your tech stack: If you are a technical person, like an engineer, you may want to post your technical proficiencies online. However, combined with your job title, you could end up describing the technical infrastructure of your company, which, of course, may give information to a hacker or social engineer that they need to attack the company. So, what might seem like a clear description of your current employment and career path, in today’s world, you are only revealing information that won’t actually help you but might harm you if it falls into the wrong hands.
- Don’t post your resume online: Yes, your LinkedIn page is a resume…but it isn’t. Resumes typically contain personal contact information that can be protected by LinkedIn’s UI structure. Remember that resumes are artifacts from old one-to-one communications between job seeker and employer. In today’s world, you are only revealing information that won’t necessarily help you, and but might actually harm you if it falls into the wrong hands.
- Pay attention when providing personal information online: In general, we all should be wary of giving out information that helps make us personally identifiable. For example, middle name, birth place, marriage status, check-in and sharing current location status. Each of these bits of information are innocent in themselves, but used in combination with other information, social engineers are equipped with more tools to attack you or leverage your personal data to get access into sensitive parts of your company.
- Help employees spot suspicious activity: While employees can be your weakest link when it comes to potential cybersecurity risks, they can also be your greatest asset in protecting your company. Educating and teaching employees on how to spot and identify suspicious activity such as dubious links or downloads will also go a long way in reducing potential attacks and malware intrusion in your computer systems.
For any businesses, social media can be a gateway to reaching larger audiences. However, they have also gained the attention of cyber-criminals who are more than willing to use them against you. Considering the average data breach costs companies in the U.S. $7.91 million, protecting company, customer, partner, and employee data cannot be understated. Business with a holistic social media policy in place will be in a better position to protect both their employees and organisation against potential attacks.