One only needs to open their favorite homepage or scan ubiquitous media feeds to know that security professionals face an increasingly complex and ever-changing risk landscape, filled with uncertainty and contingency. While zero-day vulnerabilities, ransomware and unpatched software continue to pose significant threats themselves, a new and potentially more dangerous threat continues to grow within the corporate environment – one’s own employees. For example, an April 2018 Ponemon Institute survey of IT security professionals across 700 organizations reported that the average cost of a single breach due to employees or others with access was over $8.7 million.[1]
Social Media: Both Friend and Foe
Employees who are unaware of the risks associated with oversharing on social media can endanger the company’s intellectual property, reputation, clients, and fellow employees. Posting too much information on social media can lead to the accidental publication of proprietary information that wasn’t intended for public consumption. Leaks such as project names, phone numbers, emails and shipping addresses may seem innocuous to most, but when linked together and combined with the power of search engines, they pose a true risk to the company, its employees and its clients. Simple online researching and cross-referencing can easily expose unlisted and anonymous clients, proprietary intellectual property and methodologies and sensitive personal data such as social security numbers, credit cards and home addresses. Even personal and private photos of family, friends and fun corporate events (e.g., publicly available photos of company picnics or happy hours) could contain useful and sensitive information if employees aren’t careful.
Some run-of-the-mill cybercriminals, but especially organized criminal cyber gangs and some nation-states, collect and aggregate personal information in robust databases, allowing “professional” hackers to shift and use this collected data to gain previously privileged access or infiltrate organizations at scale. This has widespread implications, ranging from smaller, laser-focused spearfishing scams on unwary executives to real-world physical threats like employee kidnapping and ransom.
The Threat is Real – What to Do?
An important first step for an organization, and especially for its Chief Security Officer (CSO), is to construct a comprehensive social media security policy and program that outlines the can- and cannot-dos, who’s covered and impacted and what is authorized vs. recommended in terms of social media usage during company-time. While some employees may see it as draconian or “Big Brotherish,” the policy and outreach should also include recommendations on how to best use social media when not on company time or using corporate assets. The ultimate goal is to create a culture of consequential thinking and awareness throughout the company, imbued into all employees and staff regardless of when and where social media is used.
Training, Training and More Training
Employee training is critical. Period. Employees should be trained according to the level of information they will have access to – i.e., more senior staff will have greater access to more sensitive information and should be trained in how to handle that information specifically, versus a junior-level employee who will not have that kind of access. Employees should be aware of how social engineering campaigns try to manipulate them into giving up information and should be trained in identifying threats such as phishing attacks, malicious links and websites. The Infosec Institute reports that over 50 percent of all internet users receive at least one phishing email a day but 97 percent cannot identify a phishing email – and one in 25 users will click![2] For an organization of 200, eight users may be a manageable risk but what if you’re an organization of 2,000 users? That’s a click-rate of more than 80 users a day opening an email with a malicious payload. Therefore, it’s imperative that employees, staff, contractors and others with corporate access be educated on when it is appropriate to disclose information to known and unknown coworkers, clients and other third parties. CSOs need to work across the organization - especially with those in IT, legal, HR, sales and marketing, etc. - to educate employees on how to identify both proper and improper contacts.
When training, CSOs should use realistic scenarios that highlight these risks and put employees in believable situations where they can exercise their judgment accordingly. Using realistic training scenarios provides real people with realistic exposure to situations they might encounter in real life, thereby increasing the chance they will respond appropriately should they face a similar threat outside of training exercises.
Managing One’s Own Access and Security
In today’s world of constant connectivity, everyone should have a basic understanding of online safety. However, for many, this knowledge is lacking. For example, a 2018 CA report found that 56 percent of organizations saw weak or reused passwords as the biggest insider threat.[3] This is an easily remediated issue. Employers should encourage employees to use stronger and more varied passwords by showing them how these practices can be applied to their home life. Once they learn how to identify threats like malware and phishing attacks, they will be more aware when browsing the Internet both at home and at work.
A Watchful Eye
On the technical side of this, CSOs should use a combination of network monitoring and data protection technologies to guard against vulnerable applications that employees might use. It’s unfortunate, but in modern-day, corporate life, monitoring employees is not only appropriate but necessary for legal liability and business success. CSOs must work with the IT and security teams to consistently monitor the full social media spectrum, prioritize threats, and confront and mitigate these threats in the event of an attack. For example, if a high-profile executive or employee exposes their location due to a social media post and is kidnapped, a CSO can utilize features like the phone’s GPS function to potentially track their location.
Communication is Key
Senior management’s participation in drafting and circulating security training procedures is another core element of an effective social media security strategy. The heads of various corporate departments should be in communication with their CSOs on a regular basis so they can more effectively create coordinate and implement security practices and employee training. The CSO shouldn’t be omniscient from the process, rather they should rely on other senior staff members to relay information from within their departments so a comprehensive and effective procedure can be produced. If the CSO acts alone without input, they could produce a social media policy and training regimen that might not meet the needs of the employees and the company, resulting in wasted effort and ineffective processes.
Building an Effective Culture of Security
Taking all the elements described above, the CSO needs to advocate for the creation of a strong security culture. As with fostering communication, facilitating proper cyber hygiene starts at the top—with leadership setting a precedent that permeates throughout the organization. To facilitate this saturation, the CSO must work with management to incentivize security compliance and articulate how security impacts critical business objectives such as growing top-line revenue, lowering operations costs, improving service quality, penetrating new markets and recruiting and retaining top talent. Getting management buy-in is a key component of a CSO’s role in shaping and enforcing an organization-wide security policy. Together, they must create clear guidelines on confidentiality so employees can understand what can and cannot be shared online.
The security procedures outlined above can be reinforced by highlighting their applicability to spaces outside the office. For a truly effective security culture and social media protection program, accountability is key. With the support of management, CSOs should begin to hold employees accountable for their security posture through positive incentives and negative reinforcements. It should be clear that employees who violate the corporate code of conduct by exposing sensitive information will risk disciplinary action or termination. A single misstep or leak could expose crucial information that could cause clients to abandon the company and potentially take legal action, cutting into revenue streams. Releasing personal information about coworkers or clients could put people at risk of being targeted or attacked.
About the author: Chris Duvall, CISSP, CeH, CCSK, is a Senior Director at The Chertoff Group, where he works with clients to assess their security and risk management capabilities and helps improve their security programs and operations. Prior to joining The Chertoff Group, Duvall spent two years as a Federal employee, and ten years as a management consultant at Booz Allen Hamilton, with the U.S. Department of Homeland Security (DHS) in their Offices of Cybersecurity and Communications and Infrastructure Protection. During this time, he helped lead the development and coordination of DHS’ efforts to promote understanding and adopting of effective risk management strategies like those found in the NIST Cybersecurity Framework. He helped establish DHS’ new cybersecurity program, the Critical Infrastructure Cyber Community Voluntary Program (C3VP), charged with helping organizations recognize available cybersecurity resources to improve their overall security postures. He was also the lead Federal official for coordinating U.S. Government critical infrastructure protection and cyber risk management activities for industries within the Information Technology and Communications Sectors. In this role he worked with public institutions, private sector, and international representatives, to develop programs related to enhancing IT and communications critical infrastructure resiliency.
[1] https://www.infosecurity-magazine.com/news/insider-breach-costs-rise-to-87m/
[2] https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-awareness-fundamentals/security-awareness-statistics/
[3] https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf
