New research from PWC finds almost half (48%) of CEOs in the UK are concerned enough about cyberattacks that they are shuttering their social media accounts. The report, the “23rd Annual Global CEO Survey,” also reveals most CEOs (around 80%) have changed their online behavior due to potential risks.
Social media has been a challenge for organizations for more than a decade since these sites became pervasive and began posing both security and reputational risks due to information oversharing. At the same time, the need for a social media strategy to expose a business message and build its public profile is critical for most organizations. So, it’s interesting to observe that many C-levels executives have decided it’s now too risky to maintain any kind of personal profile online. While severe, it’s a move that’s warranted today, said Brandy McCarron, co-founder of McCarron Risk Group, which advises clients on corporate intelligence and brand monitoring.
“A bigger part of this picture is that corporate espionage is alive and well,” she said. “Many large corporations are actively engaged in the practice as a means to gain a competitive edge. Anytime an employee or an executive posts on social media a seemingly innocuous comment about the work your company is doing, your competitor has been offered a piece of the puzzle to the overall picture.”
McCarron said her firm recommends that clients restrict employee use of social media on company equipment or networks unless engaged in authorized company activities. But for C-level executives, given their high profile, a no-use policy might be more effective.
“For C-level executives, rampant social media activity creates a whole host of physical security issues to consider, particularly if the figure could be seen as opinionated or polarizing. Not all threatening remarks made on social media commenters are idle. Frequent posting can aid criminals in creating patterns of life for the targeted executive, making a real-world attack significantly more plausible. Small details peppered in postings over time can give away far more to a patient criminal than the average person would consider.”
“Targeted social engineering attacks informed by social media are by far the most common attack directed at my client firms,” added Andrew Werking, executive director of cybersecurity with consultancy Agio. “Limiting the information available about you on social media is an obviously effective way to avoid being targeted. Doing so can be problematic, so most of my client firms opt to take a hybrid approach to managing exposure by reducing the amount of information made available via social media posts; periodically assessing the scope and nature of publicly available information about the firm, its principals and executives; and continually educating and testing users on how to identify and avoid targeted social engineering attacks.”
Striking a Balance on Social Media Sharing
While many business leaders tried to take a hard line on social media use in the early days of Facebook and Twitter, it soon became clear that stopping people from using these sites was futile. Personal freedoms were at issue, and then there was an even larger consideration that social media was becoming an essential element of a business’s messaging and marketing strategy.
“Back when I was lead security analyst at Gartner, the DoD was going to put out a policy banning all use of social media,” said John Pescatore, director of emerging security trends with SANS. “However, on the exact same day, the DoD put out a press release that they had actually exceeded their goals, and they credited DoD’s use of social media as the biggest reason! The idea of banning social media use was dropped.”
In his view, Pescatore does not think it’s necessary or even realistic to have C-level executives give up social networking to protect their organizations. But education is key.
“It is important that C-level execs, any IT employees with sysadmin privileges and really all employees be aware of two very important points: Criminals and competitors are regularly searching social media for competitive information and exposed intellectual property that can be used for their financial gain that will hurt your company. (And) criminals and hostile nations are using any information they find in social media—this includes job boards and neighborhood email lists and reflectors—to create very targeted phishing attacks that seem very realistic.”
In an effort to educate everyone about social media risks, Bart Westerink, vice president of security engineering at MobileIron, said all employees at his firm go through an awareness training program as soon as they walk in the door, as part of employee onboarding.
“We also regularly conduct security exercises to test employee awareness on cybersecurity risks and ensure we’re abiding by our corporate cybersecurity charter,” he said. “For example, we recently conducted a companywide mock phishing exercise to ensure our employees are staying vigilant and only clicking on links that they trust, as phishing attacks continue to be a main entry point for attackers to gain access to critical systems.”
No One-Size-Fits-All Approach
“C-level executives set the culture of an organization and social media risk appetites can vary greatly from one company to the next, which is why the C-suite should be a good role model practice good cyber hygiene when it comes to social media and help craft their company’s policies,” said Yaniv Bardayan, CEO and co-founder of Vulcan Cyber. “Here’s an example of why their input is needed: Many C-level executives allow employees to access their personal accounts to share news or promote the business. That’s a delicate situation—personal accounts often contain PII and store passwords and other sensitive data. If the account is compromised, it could be a huge hit to the company’s security posture. On the flip side, a tweet from a CEO’s personal account might have more reach and business impact than the company’s Twitter or LinkedIn feed, making third-party access an acceptable risk. “
But ultimately, individual business goals, needs and risk profile will dictate how C-levels should approach social media use.
“There is no single right policy or action for dealing with that situation other than to have a business-appropriate policy in place,” said Bardayan. “Because C-level social media risk is fluid, it’s unlikely that a single best practice or blanket policy can cover all situations. That said, if a C-level executive is so busy that they don’t have time to keep apprised of how other people are using their personal accounts, then, in my opinion, they should close them.”