People love social media and cannot imagine living without it since these platforms are intertwined with many aspects of daily online activity. Employers appreciate this and often allow employees to use their social media accounts at work during the workday. However, it is important to recognize that threat actors can compromise an organization’s networks and systems. To that end, this article discusses important points coming out of a recent Canadian Center for Cyber Security entitled, Use of personal social media in the workplace — ITSAP.00.066.
Considerations: personal social media accounts
It is important to do the necessary research in order to make an informed decision about whether a platform is appropriate to use in the circumstances. This includes examining:
- publicly available information.
- the platform’s privacy, data collection and data use policies, requirements for permissions, and terms and conditions of using the application to know what data will be accessed and where it will be stored or transmitted.
- the ownership, control or influence, and data residency—vendors and owners of the platform are subject to the laws of their region, which could impact the security and privacy of users.
- what features and elements of devices that can be accessed by the app such as the camera, microphone, location, and contacts list.
Considerations: corporate social media accounts
Organizations that have a corporate social media account are recommended to:
- ensure that the organization’s Internet usage and social media policies are read, understood, and adhered to (especially by users who have publishing rights).
- limit the number of users in the organization who have administrator or publishing rights to corporate social media.
- ensure that all authorized users have separate accounts with unique credentials when publishing content.
- seek final approval before publishing any content or making a post to official accounts.
- publish content using only trusted and approved applications and devices.
- secure corporate devices with multi-factor authentication and strong passwords or passphrases.
- keep web browsers, operating systems, devices, and applications patched and up-to-date.
It is necessary that users interact with social media with their eyes open. In terms of cybersecurity, some of the main risks involve:
- Unintentional loss of data – before posting work-related material to a personal social media account, users need to be cognizant of the fact that even what seems to be an innocent post can lead to unintentionally helping threat actors gather information about the organization. Threat actors can gain access to personal data about a person along with data concerning any of the person’s work contacts to shed light on the organizational structure.
- Malware and viruses – threat actors can deploy malware to a device or network through social media. For instance, clicking on a shortened URL, photo, or advertisement can lead to serious cyber security attacks on the organization’s devices and network. The message is, “Be wary of clicking on anything suspicious when using your personal accounts in the workplace.”
- Social engineering – this must be highlighted: the more information a person reveals on social media, the greater the possibility of that person becoming a target for a threat actor and a cause of reputational harm to the organization. In addition to reputational harm, things that are shared can be used in well-crafted social engineering scams. Threat actors can use this information to imitate a person and send targeted emails containing malware to colleagues in the organization. This is how it works: if the recipient is fooled into opening the email and any attachments, malware can infect devices and corporate networks.
How can a person reduce the risks mentioned above? When using personal social media in the workplace, it is recommended to:
- use a unique passphrase or password for each account.
- seek approval before posting work-related information on a personal account.
- limit the use of tracking or location services in social media applications.
- enforce multi-factor authentication on all devices and accounts when available.
- accept friend, follower or contact requests only from people you know.
- be wary of posts containing unusual language or content.
- use caution when clicking on shortened URLs.
- avoid revealing private information on personal accounts to avoid things like identity theft.
- review privacy settings to control who sees what.
- sign out or log off when finishing using social media accounts.
- notify the organization’s IT security team immediately where there are abnormalities or suspicious activity.
For more information, organizations are recommended to take a look at the following:
Spotting malicious email messages (ITSAP.00.100)
Cyber security tips for remote work (ITSAP.10.116)
Please note that any views expressed in this article are solely the views of the author.
- Social media in the workplace: Addressing cybersecurity risks - May 26, 2023
- ChatGPT and privacy complaints: investigations launched - April 21, 2023
- Home Depot disclosed personal information without valid consent - March 24, 2023
Leave a Reply