Social media has been a thorn in the side of chief security officers because employees, managers, and even the C-Suite continue to put personal identity markers on open platforms. Unsuspecting social media users do not realize that online criminals have been combing these sites since the early days of hacking. Now that business data can be accessed remotely, social engineering provides clues to login credentials and buoys targeted spear phishing actions.
Posting birthday wishes, family photos, or professional information on sites such as LinkedIn creates opportunities for cybercriminals to build profiles about staff members to their psychological disadvantage. Persuasive information in a phony “emergency” can prompt even the most trusted team member to err. However, by better understanding why social engineering succeeds and implementing social media cybersecurity measures, organizations can harden their attack surface.
Why Does Social Engineering Work?
Social engineering involves manipulating people to disclose confidential information against their better judgment. It may seem inconceivable that an otherwise intelligent and cautious individual would give out their username, password, credit card information, or Social Security number via text message, email, or over the phone. Unfortunately, hackers skilled in the art of confidence schemes leverage deeply personal information to prompt a bad decision.
In his book “Influence: The Psychology of Persuasion,” Robert Cialdini outlines six triggers that sway people:
- Reciprocity: This involves the impulse to return a favor. A hacker may seem to do something that makes kind people want to give back.
- Commitment: Once someone has agreed to perform a task, regardless of why, they feel compelled to follow through.
- Social Proof: As part of the so-called “herd mentality,” people tend to follow the lead of others.
- Authority: Hackers sometimes pose as supervisors or industry leaders, knowing staff members are likely to obey directives.
- Liking: Part of many confidence scams, people do things for those they like.
- Scarcity: When products or services are scarce, professionals experience a sense of urgency and act rashly.
Criminals, online and in person, use basic human psychology to get what they want through enticements, blackmail, and quid pro quo. Hackers who employ social engineering masquerade as someone professionals know, trust, sympathize with, or whose instructions they are likely to follow. In the digital age, these schemes are built on information culled from social media.
Oversharing Opens Door to Social Engineering Tactics
It’s essential for CEOs and other company leaders to consider that oversharing on social media could land them in court. In 2016, a plane parts company lost $60 million to hackers who posed as an executive. Using personal data, cybercriminals prompted employees to comply with the requests of the fake authority figure. Employees paid genuine invoices, but into bank accounts that the fraudsters had established.
The company reportedly spent heavily on suing the CEO, and Gartner predicts that over 75 percent of CEOs could be held personally liable for cybersecurity mishaps. Oversharing remains a critical social media problem that aids hackers. The following are examples of information that helps cybercriminals motivate staff members to do the wrong thing.
- Relationships: Posting information about your family, friends, and colleagues.
- Photos: Images and videos provide a physical description of you and the people in your orbit.
- Locations: Addresses such as your home, business, places you frequent, and others are all social engineering fodder.
Venting about a boss, a significant other, one’s station in life, or other stressors provides the emotional levers that flim-flam artists put to use. Our human frailties may be part of our DNA, but they become dangerous when expressed publicly and harvested by sophisticated hackers.
Implement Social Media Security Awareness Training
Although using social media can create additional data security pain points when not used prudently, there are ways to flip the script. Business leaders have increased their security investments by expanding employee cybersecurity awareness training. The hard data proves the return on investment has been worthwhile, as hacks due to human error have dipped from over 95 percent to 74 percent.
With the average cost of a data breach hovering around $9.5 million in the U.S., adding social media cybersecurity awareness training could upend social engineering schemes. These foundational strategies can be seamlessly repackaged to enhance an organization’s overall cybersecurity posture.
- Passwords: Adding social media security mirrors the tenets of business awareness training. Educate workforce members about strong passwords for the company network and social media platforms. Using a different password for your business accounts and each social media site is also essential. A compromised social media account lets hackers use Facebook, TikTok, X, and others to impersonate the victim and communicate with co-workers.
- Two-Factor Authentication: Texting or emailing a secondary code to another device has been an effective way to deter hackers. Many social media platforms offer this identity verification measure.
- Monitoring: The value of ongoing cybersecurity monitoring cannot be overstated. Staff members with social media accounts would be well-served to check them regularly to ensure no one else is posting from them or messaging their online friends and colleagues.
- Inspect Third-Party Apps: Exercise caution when integrating apps or giving approval to seemingly fun and entertaining applications. Social media users could be agreeing to give over access to contacts and images, onboarding malware, delivering personal identity information, and blazing a pathway to seize control of the device.
- Secure Wi-Fi Only: The favorite cafés and other businesses people patronize typically offer free public Wi-Fi. Hackers are keenly aware that people connect without giving security a second thought. Cybercriminals sometimes set up fake hotspots that encourage people to sign up at no cost. These traps ensnare professionals, allowing hackers to gain control over devices and digital accounts and to deploy malicious applications. Following the same principles as network cybersecurity awareness training, the advice to use a VPN or another secure connection also applies to social media use.
Integrating a social media awareness training program can deliver the same qualitative benefits as one designed to directly protect the company’s sensitive and valuable digital assets. Staff members are exposed to information about clever schemes and learn how social engineering works. The overall training brings security to the forefront of people’s minds, improving the odds they will avoid oversharing missteps and identify threats before they cripple an organization.
Neglecting Social Media Security Risks Catastrophe
Billions of people (with a “b”) use social media platforms daily, likely including most of your employees, managers, and executives. From LinkedIn to Reddit, Facebook to Twitter, it is unrealistic to expect your team to stay off social media. This, in turn, presents clear points of vulnerability that bad actors can exploit through things like phishing attacks.
Social media use is common and likely here to stay. Businesses must understand the risks involved and points of potential failure, and educate their workers on how to safely use the social media platforms of their choice to reduce the chance of falling victim to a malicious attack. By following the guidelines outlined in this blog, your business can start on the path to minimizing the risks of social media in cybersecurity today.
Author Bio
John Funk is a Creative Consultant at SevenAtoms. A lifelong writer and storyteller, he has a passion for tech and cybersecurity. When he’s not enjoying craft beer or playing Dungeons & Dragons, John can often be found spending time with his cats.