Unintended Consequences: How to Keep Social Media from Becoming a Security Risk
A manufacturing company was about to make a major expansion. The plan was to build a new warehouse and improve shipping times. Excited executives announced the move on the company's website and its blog. They posted on Facebook and tweeted about the new expansion on Twitter.
As the day for the big move approached, they told customers about potential shipping delays, but said they'd return with better service than ever.
On the first day, several men wearing the uniforms of a well-known logistics company showed up to help with the move. With dozens of legitimate workers swarming around the site, they blended in easily and no one questioned them as they loaded equipment into their own van. They drove off before anyone realized they were interlopers.
"They got away with more than $1 million in equipment and inventory," says Gavin Manes, Ph.D., president and CEO of Avansic, which specializes in digital forensics. Avansic helped investigate the incident and track down the perpetrators. (Some details have been changed to protect the business, though not the amount of the loss.)
Like this manufacturing company, users of social media often encounter the law of unintended consequences: a company gets excited about one aspect of social media without realizing the possible side effects. This is particularly true for employees who use social media and put your company at risk without even realizing it.
"For instance, someone could send out a simple tweet saying they're working on a new innovation and give away more than they should. The competition might read that tweet," says Holly Myles, social media coordinator at Eisbrenner Public Relations.
Because it is so easy to post photos and videos to social media sites, you may be revealing a wealth of information about the culture of the company, who works there, what products are in use and even precious details about your customer contacts. In the same way, an employee who posts on Facebook or uploads an image to a photo-sharing site during a business trip may unintentionally expose your company's otherwise secret plans to merge with a competitor in that location.
All this comes under the heading of what Manes calls "inference analysis," the science of assembling pieces of information to see what can be learned. His company uses inference analysis to discover what sensitive information his clients are sharing online, and he says criminals are out there doing the same thing.
"There was a young woman who posted on Facebook that she was going on vacation with her family," he recalls. While away, they were robbed, and Avansic investigated. "When we looked back through her posts we saw she had complained about her house, saying that it was on a corner with large windows, and a weird statue right outside." Although she had not posted her address, it was easy enough for the thieves to find it.
"Is This You?"
Sharing too much information is one way to get in trouble with social media. Another, much simpler one is to fall victim to phishing or other social engineering tactics -- clever manipulation that can trick you or your employees into giving away passwords or other information that will grant wrongdoers access to your accounts or your network. For example, a fake bank site might trick customers into giving away login details.
Unfortunately, social media users are especially vulnerable to phishing.
Early last year, thousands of Twitter users around the world were deceived by a direct message (which is sent only between specific Twitter users) that appeared to come from someone they knew and included a "LOL - Is this you?" note followed by a link.
Those who clicked on the link were taken to a fake Twitter login page. If they were foolish enough to log in, the phishing bot automatically accessed their Twitter account and started sending direct messages to all of their contacts, triggering another round of "LOL -- Is this you?" messages or, in some cases, spam of a sexual nature.
A surprising number of people who should really have known better were sucked in by this scam, including technology experts, a British government official -- and this writer.
"People feel like they're safe," explains James Carnall, deputy director of the Cyber Intelligence Division at Cyveillance. "If you have a network in one of these environments, you may feel like you're sitting in your living room providing information to people who are familiar. But just as my phone is not me and my email account is not me, my Facebook and Twitter accounts are not me. They are mediums that I use to reach out to my network, and they can be compromised."
To avoid being fooled, he suggests being skeptical of messages that could have been sent to anyone and checking back with the sender to make sure the message is legit. He also says to be especially wary of clicking on links, especially those with shortened URLs. "You could go somewhere that downloads binary code onto your computer," he notes.
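The two habits Carnall recommends, resolving a shortened link before visiting it and checking that the page you finally land on really belongs to the site it claims to be, can be automated. The Python script below is an added example, not code from the article or from Cyveillance: it follows a redirect chain hop by hop without rendering anything, then verifies the final host against an allowlist. The redirect table is constructed to stand in for the Location headers a shortener would return, and the trusted-domain list and function names are assumptions; a real deployment would replace the table lookup with an HTTP HEAD request that has redirects disabled. The host check goes a little beyond the text by also catching the "twitter.com@evil.example" userinfo trick and bare IP addresses.

```python
"""Check a link before clicking it: resolve shortener redirects without
rendering anything, then confirm the final host belongs to the expected site.

Added example, not code from the article or from any vendor it quotes. The
redirect table below is constructed to stand in for the Location headers a
shortener would return; the trusted-domain list is an assumption.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed stand-in for shortener responses (URL -> Location header).
FAKE_REDIRECTS = {
    "http://sho.rt/abc": "https://twitter.com.login-verify.example/session",
    "http://sho.rt/real": "https://twitter.com/messages",
    "http://sho.rt/loop": "http://sho.rt/loop2",
    "http://sho.rt/loop2": "http://sho.rt/loop",
}

TRUSTED_DOMAINS = ("twitter.com", "facebook.com")  # assumed allowlist


def resolve_chain(url, lookup=FAKE_REDIRECTS.get, max_hops=10):
    """Follow redirects hop by hop, returning (chain, status).

    status is 'final' (no more redirects), 'loop' (a URL repeated) or
    'too_many_hops'. In production, lookup would issue an HTTP HEAD with
    redirects disabled and return the absolute Location header, or None.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain, "loop"
    return chain, "too_many_hops"


def connecting_host(url):
    """Hostname the browser would actually connect to.

    urlsplit().hostname drops userinfo and port, so the classic
    'https://twitter.com@evil.example/' trick resolves to evil.example.
    """
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """Match on whole right-hand labels, never on substrings.

    twitter.com and api.twitter.com pass; twitter.com.evil.example and
    twittercom.example do not; a bare IP address never impersonates a brand.
    """
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_link(url, lookup=FAKE_REDIRECTS.get):
    """Return (verdict, chain). Verdict 'ok' means: redirects terminated,
    the final page is HTTPS and its host is on the allowlist."""
    chain, status = resolve_chain(url, lookup)
    if status != "final":
        return status, chain
    final = chain[-1]
    if urlsplit(final).scheme != "https":
        return "not https", chain
    host = connecting_host(final)
    if not is_trusted_host(host):
        return "untrusted host: %s" % host, chain
    return "ok", chain


if __name__ == "__main__":
    for link in ("http://sho.rt/abc", "http://sho.rt/real", "http://sho.rt/loop",
                 "https://twitter.com@evil.example/login",
                 "https://203.0.113.5/twitter"):
        verdict, chain = classify_link(link)
        print("%-42s %s  via %s" % (link, verdict, " -> ".join(chain)))
```

Note that the allowlist is matched on whole domain labels from the right, so "twitter.com.login-verify.example" is rejected even though it starts with the brand name; that is exactly the lookalike a fake login page relies on.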
To Tweet or Not To Tweet?
How do you prevent your employees from compromising your company's security when using social media? One radical approach is to not use social media at all.
Jessica Howell, a senior account executive at Eisbrenner, says it is a valid strategy to avoid social media channels if you think they can harm your company. "In a lot of cases, people jump right in because they think they're supposed to, and they wind up doing their brand more harm than good."
Indeed, Avansic itself avoided social media for years and only very recently sent out its first tweet. The company is especially cautious because its executives are often called on to testify in legal matters, Manes explains. "It would be unfortunate for us to have a blog post or tweet that contradicts what we're saying in court."
To make sure this doesn't happen, Avansic's policy is to insist that any tweet be approved by both the Sales and Marketing departments and the CEO before it can be posted to Twitter, and the same people must give their approval before Avansic's Twitter account follows any others, in part because the company wishes to avoid any appearance of favoritism in its choices.
As for Facebook, Avansic avoids the social media site altogether.
"We haven't figured out how to use it appropriately because of the [Facebook] wall issue," Manes explains. The company is concerned because it can't control what visitors write on its wall and such comments would be visible to anyone who visited the company page.
The strategy of not posting information on social media does not mean you should ignore these services, however. It's still important to monitor social media and the Web in general to keep track of what others are saying about your company. You should also register your company's identities on Facebook and Twitter, whether or not you plan to actually use them, so that nobody else can claim them and post in your name.
Think Before You Post
Most companies do use social media and see it as a necessary tool for marketing and to connect with customers. For them, educating users about the risks is the first line of defense.
"Getting training for employees is a great idea," Carnall says. "But if you're a small company and can't afford that investment, simply reading stories that deal with these security issues and forwarding them to your staff can make a difference."
Most importantly, though, you need a policy that dictates which information can't be shared online and who can and can't use social media on the company's behalf.
"Any company that doesn't have an updated and well-communicated social media usage policy is inviting disaster," says Dallas Lawrence, managing director of digital strategy for Burson-Marsteller. "Rather than a strict code of 'what not to do,' smart companies are developing 'how-to' policies that embrace the reality that employees will engage in online activities. They provide guidelines for what is appropriate to discuss about the company and their work life."
With such a how-to approach, he adds, "they not only leverage their employees as brand ambassadors, they educate their teams on the risks, while sending a very clear message that the company is actively monitoring the online space."
"It's important to us that employees are transparent so that people always know who is tweeting or posting on Facebook," Howell adds. She believes this transparency is an important aspect of social media. At the same time, she says, "we ask that employees are aware that their colleagues and peers are also using these channels. So the smart way to use social media is to think before you act."