111 East Wacker Drive, Suite 500, Chicago, Illinois 60601

Why is Social Media a Threat to Data Security?

 Social media, in its many varied forms, has quickly become so entrenched in daily life that many companies have not been able to recognize just how employees’ use of that media can impact business data.  Similarly, many organizations and institutions may have adopted stringent protocols and technological data to protect their own systems, but do not fully understand how their employees can innocently and unintentionally create liability when posting to social media.

 Before social media and smart mobile devices, for many people, their work life and private/personal life were very separate, at least in the use of computers, internet, email, and technology.  Today, with social media websites like Facebook, Twitter, Instagram, Snapchat, and LinkedIn, employees’ work and personal lives are coming together.  For many organizations, the days when an employee could only access work-related data through their work-issued desktop computer, which they used for purely work-related purposes, are long gone.  Although a business or organization’s policy may prohibit it, employees are using their personal social media accounts on their company computers, iPhones, Android smart phones, iPads, and other smart devices.  In other instances, employees are able to access their business data, emails, or other accounts on their personal devices, which they also use for social media.  When an employee uses social media on a business- or organization-owned device or vice versa, they run the risk of supplying third-parties with the business or organization’s data or portals through which to gain enough information to easily hack into a business’s confidential data.  Further, many of those using social media do not fully understand the scope of its reach, or the liability and risk it can introduce.

Businesses and organizations are increasingly using social media to promote their own objectives as well.  Employees authorized to use these accounts are speaking on behalf of the company – not the employees, personally – and so their actions in those accounts should comply with all applicable company policies. When these official company accounts are managed from the same devices that the employees use to access company data, or that the employee uses to access his or her own social media accounts, several risks arise.  Through negligent use of the company’s account, the employee may introduce viruses, malware, or other content from hackers that compromises the company’s data security.  Alternatively, the employee may simply confuse the company’s account with his or her own personal accounts, and an errant post may cause embarrassment or other problems for the company.

Employees’ use of their personal social media accounts, away from the company’s own activity, can also present problems.  While your employees might think only their friends, family, co-workers, and possibly their employer are monitoring their social media accounts, opportunistic hackers may also be watching.  Many of these social media platforms have security settings to limit how information is shared, but many users do not understand or are not vigilant changing the default settings from public disclosure to private access.  Scammers, phishers, terrorists, activist groups and other criminals are increasingly using social media to target employers through their employees.

Small businesses and non-profit entities are not immune from these risks.  Many of these criminals are not sophisticated hackers, but, instead, are more like digital pickpockets and opportunists looking for small bits of information that they leverage for any kind of profit.  People who trade in personal information, payment card information, personal health information, and other data in black markets know small enterprises often have a wealth of valuable data.  The criminals are also looking for small scale fraud opportunities to trick employees into transferring funds, or providing information so those criminals can hold an entity’s data hostage, until a ransom is paid.

Thus, employees must understand that, when they post things like a picture on Instagram of several employees at a company outing, with the location tagged and other employees identified, criminal third-parties can see the picture and gather information that leaves the company vulnerable to loss of its data.  The criminal may use information gathered from that photo, whether the caption provided by the employee or metadata attached to the posting, to create convincing “spear phishing” email to others at the company that is then used to introduce a virus or malware into the company’s system.  From there, the criminal may be able to steal third-party data, to lock up the company’s information and demand a ransom payment to unlock it, or a host of other actions that may cause damage to the company or third-parties.

Strengthening Your Weak Links

 While it is impossible to thwart all human error and prevent each and every data breach, businesses and organizations can work with their leadership, and their professional technology and legal consultants to develop an approach to these issues that makes sense for their business, organization, or institution.  Some entities may determine that policies and procedures should be adopted to address these issues, while others may focus on employee training, or a combination of the two.

Regardless of the particular steps an organization or entity takes to address these issues, the most important thing is that social media, and employees’ use of social media, is addressed as part of any organization’s approach to data security.

For more information on this topic, please contact Mollie Werwas at [email protected] .