Securing social media for a safe working environment
Your LinkedIn account doesn’t just provide valuable intelligence for recruiters. It’s also a fascinating avenue for potential attackers, who can use it to map out a network of your company, your professional relationships and hierarchies. Those can easily be abused to socially engineer their way into your office, craft sophisticated spearphishing attacks, and much more.
Your Facebook profile, even when locked down, gives surprisingly deep insights into your networks, social relationships, friends, even people whom you’ve met at conferences. Once again, an attacker could trivially use this information to figure out whom you interact with. This is a key avenue to social engineering attacks – for example, emails that impersonate your real-life friends. Alternatively, a determined adversary could also launch direct attacks on your contacts. Even if your account is secure, theirs – which contains all your communication with them – isn’t necessarily so.
Other social networks – such as Twitter – bear similar risks and we are often unaware of how much info our posts from conferences, or even the backgrounds of photos we post, can reveal about our location and movements.
Some ground rules you can set in your organisation
With this in mind, it might be useful to think of and set some ground rules on what security teams could do to help their colleagues manage social media more securely:
1. Don’t ban personal social media use
A security rule that isn’t followed is worse than a rule that was never codified. This is because those who break the rule – for example, by setting up Facebook accounts under false names – will rarely come forward to security teams if any breaches or leaks have happened. It’s rare to have an industry where security considerations rank so highly that everyone would follow a social media ban. If you are in one of those industries – great. If not, be very wary of any excessive restrictions on personal social media (a ban on posting photos from the office is perfectly reasonable; a ban on adding colleagues to their networks, less so).
2. Teach people about how to secure both their professional and personal lives
There are huge benefits in using tools such as hardware security keys (or app-based 2FA) and password managers not just for corporate, but also for personal accounts. Make sure that your organisation’s security training teaches colleagues how to protect their personal, not just professional, accounts against hacking.
3. Share responsibly
Sharing settings on personal Facebook accounts can get pretty overwhelming. Organise a brief course on how best to manage them. Such a class cannot look at technical settings alone but must also teach participants how to, for example, be mindful of what background details are visible in the photos they publish. The web is filled with case studies of investigators who gained huge amounts of information from image backgrounds and social media data. Use them.
4. Separate the personal and professional
It’s relatively easy for someone to create a Facebook account impersonating your colleague or boss, add you as a friend, and begin asking questions about work. Unless absolutely necessary, ask your colleagues never to use personal communication channels to discuss professional matters. This is not always possible or practicable (politicians, for example, make quite liberal use of WhatsApp groups), so make sure that they have verified the offline identity of the person with whom they are communicating. A simple phone call and test message should be enough.
5. Conduct advanced web searches
Googling your name is one thing; using advanced search operators, browsing archived webpages, and the like is another. Show your colleagues how to conduct a deep web search on themselves and figure out all the data about them that lurks online. If your personal email address (or even your corporate one) can be found via a search engine, it’s trivial for an attacker to find it too. Even if the address has not been published, it’s relatively easy to work out somebody’s email@example.com address. Be mindful of that.