People love social media and cannot imagine living without it since these platforms are intertwined with many aspects of daily online activity. Employers appreciate this and often allow employees to use their social media accounts at work during the workday. However, it is important to recognize that threat actors can compromise an organization’s networks and systems. To that end, this article discusses important points coming out of a recent Canadian Centre for Cyber Security publication entitled, Use of personal social media in the workplace — ITSAP.00.066.
Considerations: personal social media accounts
It is important to do the necessary research in order to make an informed decision about whether a platform is appropriate to use in the circumstances. This includes examining:
- publicly available information.
- the platform’s privacy, data collection and data use policies, requirements for permissions, and terms and conditions of using the application to know what data will be accessed and where it will be stored or transmitted.
- the ownership, control or influence, and data residency—vendors and owners of the platform are subject to the laws of their region, which could impact the security and privacy of users.
- which features and elements of devices can be accessed by the app, such as the camera, microphone, location, and contacts list.
Considerations: corporate social media accounts
Organizations that have a corporate social media account are recommended to:
- ensure that the organization’s Internet usage and social media policies are read, understood, and adhered to (especially by users who have publishing rights).
- limit the number of users in the organization who have administrator or publishing rights to corporate social media.
- ensure that all authorized users have separate accounts with unique credentials when publishing content.
- seek final approval before publishing any content or making a post to official accounts.
- publish content using only trusted and approved applications and devices.
- secure corporate devices with multi-factor authentication and strong passwords or passphrases.
- keep web browsers, operating systems, devices, and applications patched and up-to-date.
Risks
It is necessary that users interact with social media with their eyes open. In terms of cybersecurity, some of the main risks involve:
- Unintentional loss of data – before posting work-related material to a personal social media account, users need to be cognizant of the fact that even what seems to be an innocent post can lead to unintentionally helping threat actors gather information about the organization. Threat actors can gain access to personal data about a person along with data concerning any of the person’s work contacts to shed light on the organizational structure.
- Malware and viruses – threat actors can deploy malware to a device or network through social media. For instance, clicking on a shortened URL, photo, or advertisement can lead to serious cyber security attacks on the organization’s devices and network. The message is, “Be wary of clicking on anything suspicious when using your personal accounts in the workplace.”
- Social engineering – this must be highlighted: the more information a person reveals on social media, the greater the possibility of that person becoming a target for a threat actor and a cause of reputational harm to the organization. In addition to reputational harm, things that are shared can be used in well-crafted social engineering scams. Threat actors can use this information to imitate a person and send targeted emails containing malware to colleagues in the organization. This is how it works: if the recipient is fooled into opening the email and any attachments, malware can infect devices and corporate networks.
Mitigating risks
How can a person reduce the risks mentioned above? When using personal social media in the workplace, it is recommended to:
- use a unique passphrase or password for each account.
- seek approval before posting work-related information on a personal account.
- limit the use of tracking or location services in social media applications.
- enforce multi-factor authentication on all devices and accounts when available.
- accept friend, follower or contact requests only from people you know.
- be wary of posts containing unusual language or content.
- use caution when clicking on shortened URLs.
- avoid revealing private information on personal accounts to avoid things like identity theft.
- review privacy settings to control who sees what.
- sign out or log off when finished using social media accounts.
- notify the organization’s IT security team immediately where there are abnormalities or suspicious activity.
Related resources
For more information, organizations are recommended to take a look at the following:
Spotting malicious email messages (ITSAP.00.100)
Cyber security tips for remote work (ITSAP.10.116)
Please note that any views expressed in this article are solely the views of the author.
- Social media in the workplace: Addressing cybersecurity risks - May 26, 2023