From likes to leaks: How social media presence impacts corporate security
From a psychological standpoint, we all crave attention, and likes and comments feed that need, encouraging us to share even more on social media. In the corporate world the stakes are higher, because it is not only our personal information that is exposed but the security of the entire company.
Social media oversharing creates a cybersecurity risk for companies
Every piece of data we share is like a puzzle piece. LinkedIn reveals job titles, Facebook and Instagram provide everyday details from our lives, and X offers real-time insights. Together, these fragments can form a roadmap for cybercriminals, and can aid in creating highly-targeted phishing attacks.
AI makes this process faster and cheaper. According to Ivanti, GenAI is further enhancing the effectiveness of these attacks while also reducing their cost: by analyzing patterns in a target's social media activity, an attacker can generate highly personalized, convincing phishing emails at scale.
Oversharing information on social media creates opportunities for cybercriminals to gather detailed profiles. This can range from sharing favorite hobbies to vacation plans, family details, and even work-related achievements.
These details can allow attackers to impersonate employees or craft emails that exploit this information, convincing the recipient to click on malicious links or open malicious attachments.
Cybercriminals can use social media to build a relationship with employees and manipulate them into performing actions that jeopardize corporate security. They can impersonate colleagues, business partners, or even executives, using information obtained from social media to sound convincing.
A recent report from Gen shows that social media platforms have become major targets for cybercriminals, with Facebook accounting for 56% of identified threats. YouTube follows at 24%, while X makes up 10%, and Reddit and Instagram each represent 3%.
Many employees use the same passwords for personal social media accounts as for their work accounts, putting corporate data at risk. While convenient, this practice means that if a personal account is compromised, attackers could gain access to work-related systems as well.
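The standard control against this reuse is to screen every new work password against a corpus of passwords already exposed in breaches, so that a password leaked from a personal account cannot be replayed onto the corporate one. The Python below is an added example, not code from the article or from any vendor: it mirrors the k-anonymity pattern used by range-style breach APIs (only the first five hex characters of the SHA-1 leave the client, and the suffix match happens locally), but queries a small constructed in-memory corpus with invented counts instead of a live service, so it runs offline. The function names, the corpus contents and the 12-character minimum are assumptions for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a breached-password corpus: plaintext -> number of
# times it appeared in public dumps. The entries and counts are invented for
# this example; a real deployment would consult a breach-corpus service.
_BREACH_CORPUS: Dict[str, int] = {
    "password123": 126927,
    "Summer2024!": 311,
    "letmein": 8902,
    "qwerty": 4212870,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the encoding range APIs use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index() -> Dict[str, List[str]]:
    """Index the corpus by 5-hex-char SHA-1 prefix. Each value is a list of
    'SUFFIX:COUNT' lines, mirroring the body of a range-API response."""
    index: Dict[str, List[str]] = {}
    for pw, count in _BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index()


def range_lookup(prefix: str) -> List[str]:
    """Simulates GET /range/{prefix}: the caller reveals only the first five
    hex characters of the hash, never the password or its full digest."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Return how often the password appears in the corpus (0 if absent).
    The full-suffix comparison happens on the client, so the remote side
    only learns a prefix shared by many unrelated hashes (k-anonymity)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, min_len: int = 12) -> Tuple[bool, str]:
    """Accept a proposed work password only if it meets the length floor and
    has never appeared in a breach dump. Rejecting known-breached passwords
    is what stops a leaked personal-account password from being reused."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    hits = breach_count(password)
    if hits:
        return False, f"found {hits} times in known breaches; choose another"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["Summer2024!", "qwerty", "orbital-teacup-lantern-41"]:
        print(pw, check_new_password(pw))
```

Note that the check never stores or transmits the plaintext: only the hash prefix is sent, and the candidate list that comes back is compared locally, which is what makes it acceptable to run on a password the user has just typed.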
In 2023, the Iranian threat actor TA455 targeted aerospace industry employees by impersonating job recruiters on LinkedIn, directing them to malicious websites that distributed the SnailResin malware to establish persistent backdoor access.
CISOs must address employee behavior on social media
CISOs must now account for employee behavior beyond the firewall. The attack surface no longer ends at corporate endpoints; it stretches into LinkedIn profiles, Instagram vacation posts, and casual tweets.
Companies should establish policies regarding what employees are permitted to post on social media, especially about their work and workplace. These policies should include restrictions on sharing sensitive information such as:
Workplace projects: Employees should avoid posting about ongoing projects, upcoming product launches, or internal operations that could be leveraged for a cyberattack.
Work-related relationships: Encouraging employees not to share details about their colleagues, supervisors, or business partners could help avoid social engineering attacks.
Job titles and responsibilities: Specify that employees should avoid posting sensitive details about their job roles, responsibilities, and work locations, which could be used by attackers to craft targeted phishing emails or impersonate them.
The difficulty is that the line between personal privacy and company security is thin. CISOs have to keep the company secure without policing what employees do on their own time.
This is why privacy awareness training should be integrated with cybersecurity policies. It’s not about control, it’s about clarity. CISOs can’t just impose rules; they need to empower employees to make informed decisions about what they share online, striking a balance between personal freedom and corporate security.