The Scoop on Social Media and Cybersecurity
Social media is becoming more regulated, but it can still feel like the Wild Wild West at times. Social media and cybersecurity have a unique relationship. If your company is active on social media, you should know the security implications of popular platforms.
The most common social media cybersecurity threats for businesses include social engineering and employees who unintentionally or maliciously compromise cybersecurity.
There’s a lot to consider when you use social media for your business, such as social media threats, the cybersecurity risks inherent to social media use, and vulnerabilities that are frequently exploited. The mitigation of these threats is fairly easy to implement with the right advisor.
Impacts of Social Media
What Social Media Threats Are
Social media threats are simply any security threat that emerges from social media use. It’s common for bad actors to develop different methods of attack specific to different social media platforms.
Most social media threats are part of the initial steps in a cyberattack. Cyber criminals often use the social media profiles of a business and its staff to learn more about them and identify weak points.
Once they’ve gathered publicly available information, they often use it to deceive you, your staff, or your customers into giving up passwords, bank details, or whatever else the cybercriminal is after.
These threats may share broad characteristics, but they are different enough that it’s worth learning about each in detail.
Common Threats
| Threat | Description |
| --- | --- |
| Phishing | Phishing messages can be sent on social media apps with an embedded messenger. They might try to persuade you to click on or download something malicious. |
| Malware | Another threat commonly delivered via social media messenger, malware is usually hidden in a link or ad or hosted on a malicious website. Clicking on the link or ad or visiting the site is all it takes to infect your computer or network. |
| Catfishing | A catfish is a fake social media profile, usually with stolen photos, created to deceive or defraud other users. Catfishers create personas which they use to befriend their targets. Catfishing is used for corporate espionage, data theft, and credential harvesting. |
| Brand Impersonation | Brand impersonation is corporate catfishing, where someone poses as a known brand online. They spread fake discounts, giveaways, or gifts. Their aim is to get customers to give up their account credentials or other sensitive information. |
| Social Engineering | Social engineering happens when cyber criminals study your company and staff on social media to see who will fall for manipulation. They send messages designed to instill a sense of urgency or panic, leaving their victim scared and vulnerable. Then they ask for whatever they want. |
Cyber criminals will attack the low-hanging fruit first. Implementing basic social media and cybersecurity practices across your business can reduce the risks to your company.
How Social Media Makes Businesses Vulnerable
The social media specific vulnerabilities that bad actors typically exploit fall into three categories:
- Application vulnerabilities
- Company vulnerabilities
- Human vulnerabilities
All three leave your business open to significant risk. This is why we strongly recommend including social media policies in your cybersecurity plan.
Application Vulnerabilities
This category encompasses a couple of different types of applications. The first is the social media apps themselves, because there’s no such thing as a 100% hacker-proof system.
With that in mind, it’s important for businesses and their employees to keep discussions about work off of social media entirely. Anything sent through social media is much more vulnerable to attack.
Third-party scheduling and analytics apps are another type of application that is incredibly vulnerable to attack. While they provide a valuable service, these apps can have back doors. Back doors are gaps that give anyone who knows about them unauthorized access to your data within the third-party app.
Back doors put you at risk because these apps store social media login information. They do so in order to post on your behalf or pull necessary data for analytics, but if the third party app isn’t secured, neither is your business’s profile.
How to address these vulnerabilities:
- You should thoroughly research which social media platforms and third-party apps are most secure and address any identified vulnerabilities.
- Make sure that your staff has a secure and convenient messaging system. Educate them on why they shouldn’t use social media messengers for work as a part of your regular cybersecurity training.
Company Vulnerabilities
As a business owner, anything that happens to your employees’ or customers’ personal data is ultimately on your shoulders.
Every company should develop and maintain a comprehensive social media policy. The idea is that the policy outlines the etiquette expected of employees when using the business account and safety practices recommended for personal accounts.
Additionally, it’s important to ensure that devices are password protected and locked when left unattended. Unsecured devices pose all kinds of risks that are not limited to unauthorized social media access. That kind of unauthorized access is really easy to prevent.
Human Vulnerabilities
Last but not least, human error accounts for 88% of data breaches each year. That data comes from a study by Stanford Professor Jeff Hancock and security firm Tessian titled “The Psychology of Human Error”.
People make mistakes all the time. Whether it’s uploading the wrong attachment to social media, forgetting to revoke access from your former social media manager, or abandoning a company Twitter account that hasn’t been posted on since 2015, these mistakes can be costly.
We strongly recommend regular and frequent training on safe social media practices. Start with how to recognize phishing, catfishing, brand impersonation, malware, and social engineering. Wrap it up with what is acceptable to post or discuss on social media.
This training will help your employees better understand the risks of social media use. They’ll know much more about how to protect themselves and the business.
It’s important to develop and follow a protocol for when social media employees leave their positions, and for when you decide to stop using certain social media channels.
The Risks Inherent in Social Media Use
There are a variety of risks associated with business social media accounts. There are even more when your employees use social media on either their personal or business devices. You must understand the risks to properly address them.
Any one of these risks could be devastating, but victims of cyberattacks usually experience many of them as a result of a single breach. It could be serious enough to close a small business down for good.
Loss of Reputation
It’s pretty obvious that no one wants to be known as the company that compromised customer data. But there are other risks that go hand in hand with social media use that are less obvious.
When your brand is impersonated, your social media accounts are hacked, or an employee accidentally posts something they shouldn’t on your social media page, your business suffers.
Potential customers could decide to go a different route or current customers could take their business elsewhere. People could decide to boycott your products/services if the breach is severe enough.
This tainted reputation can follow you around for years. Consider the widespread and mishandled Equifax data breach in 2017.
What is your gut reaction when you think or hear about Equifax now, years later? Their reputation is still suffering, according to this writeup from 2019. You don’t want to become another Equifax.
Loss of Intellectual Property and Company Data
When a business falls victim to a cyberattack, it isn’t always due to cybercriminals wanting to sell data. There are plenty of malware or ransomware attacks that involve the sheer destruction of data instead of data theft.
(Don’t know what ransomware is? Check out this article where we cover commonplace cybersecurity threats!)
It could be as simple as falling for a phishing email and clicking the wrong link. Suddenly, your business’ archives, templates, graphic designs, accounting records, training courses, etc. will vanish or be held for a ransom.
Take stock of your business and all the files you utilize on a daily, weekly, or monthly basis. What would you do if they disappeared overnight? Could you rebuild from such a significant data loss?
Even if you do pay the ransom, there’s no guarantee that all your data will be returned to you. According to the SOPHOS State of Ransomware 2021 report, organizations that do pay the ransom rarely recover all their data.
Data Breaches or Leaks
Depending on the data your business collects on its customers and employees, a data breach or leak could be devastating. It doesn’t matter if data is stolen through a social engineering attack or leaked on social media by accident.
Individuals whose data is breached often suffer from identity theft, credit card fraud, theft, insurance fraud, etc. It can take years for the victim’s credit to recover.
As a result, it’s difficult for a business to recover when they cause people to experience this kind of victimization. Recovery plans are key in the event that a breach happens. It’s even more crucial to do everything in your business’ power to prevent a breach in the first place.
Compliance Violations
Depending on your industry, what you post on your company’s social media may be subject to regulation and compliance. Risks include trademark/copyright infringements, HIPAA or CCPA violations, data retention or privacy rights related violations, and more.
Large breaches have resulted in legislative responses around the world. It’s important to be aware of the laws governing social media within your industry, both in your own area and in the areas you do business in.
Violating these laws can result in massive fines or loss of reputation.
Financial Losses
All of the above risks can result in a direct negative impact on your company’s revenue.
You could be on the hook for thousands of dollars in the event of a breach. You may owe fines for compliance violations, lose customers to bad publicity, or have to rebuild your IT infrastructure.
According to Truevault.com, the average HIPAA violation costs between $100 and $50,000 per violation, with a cap of $1.5 million per year for identical violations. And as the business owner, if you don’t have that in the business account, you could be personally liable for the remainder.
And that’s just one facet of regulation. In a data breach, there is no guarantee that there will be only one type of violation.
Recommended Best Practices For Small Businesses
Now that you know what’s at stake with social media and cybersecurity, let’s focus on solutions. These practices will allow you to protect your business, ensure your data is protected, and start social media marketing.
These are our top 6 recommendations to any business that utilizes social media as a marketing tool:
- Carefully monitor use of your intellectual property online. This includes your brand name, logo, or anything you can trademark or copyright. This helps prevent brand impersonation.
- Enact a rigorous password policy. This applies to company devices and social media accounts. The harder it is to get into either, the more protected you are.
- Set up two-factor authentication for your business’s accounts. Two-factor authentication (2FA) is when you enter a password upon login and then a second form of verification takes place, for example a temporary code sent by text to your phone. This helps to ensure that no unauthorized access to your company’s social media takes place.
- Implement and update a social media usage policy. It should outline rules for using the business’s social media. It should also contain safety guidelines for personal social media use pertaining to the company.
- Teach your staff how to recognize social engineering, phishing, and malware attacks on social media. Some companies go as far as to stage false attacks to test their employees every so often. Regular training keeps your employees thinking about cybersecurity and doing their part to protect data.
- Carefully observe and curate your social media connections. You want to be sure that your followers on social media are real people, not fraudulent accounts. Learn how to recognize a fake account and cull your followers every so often.
Safe Viral Marketing is Possible
As we said previously in this article, cyber criminals typically go for the low-hanging fruit. This is good news for you: since there’s no such thing as being 100 percent secure, all you have to do is be more secure than the average small business so bad actors look elsewhere.
Implementing a social media policy for your company and following our recommended social media best practices will get you there. You don’t have to fear social media use as long as you know the common pitfalls and plan around them.