A few years ago, I was invited on a behind-the-scenes tour of the security operations of a well-known Las Vegas casino. Before we could enter, however, we had to turn off our phones and put them away. No pictures, we were told, because it could reveal information that would jeopardize casino security. The casino staff also asked us not to share any details about what we saw or heard on social media. In one room, someone tried to slyly pull out their phone to snap a picture. Casino staff quickly escorted them out of the room and off the tour. These folks weren’t kidding around about protecting any details about their security operations. Organizations should take a cue from them when it comes to cybersecurity training.
Why Social Media Matters
Most organizations aren’t so strict about photos taken on-site or what ends up on social media. It’s not that they don’t want to protect their intellectual property or trade secrets. Rather, leadership may not be aware of what their employees are sharing on social media. Or, they may have no policies in place about what can and cannot be posted online. In fact, some employees think they are doing their employers a favor by putting up pictures and videos showing off the workplace or anything with the corporate logo. Instead, this lack of professional social media discretion could lead to a security breakdown.
All photos and videos shared from workplaces can contain sensitive information that employees don’t even realize they are sharing. For many people, posting pictures and videos is part of a personal brand. They post dozens of times a day without ever considering the security fallout or the risk of personal and business identity theft. And they don’t realize it’s a problem because it isn’t a focus of cybersecurity awareness training. It’s an issue across every industry, across every type of workplace. Here are some of the social media threats presented by employees.
Do You Know What’s on Your Desk?
People like to take pictures of their workspaces. Social media inspires that type of sharing, with viral posts asking you to show off your clean (or messy) desk. Maybe you want to show what is hanging on your cubicle walls. But good cybersecurity training should help people think for a moment about what is on the desk or walls: information the worker needs for their job. A cubicle wall shot could include a whiteboard with details of new products not yet made public. A picture of your computer could end up sharing sensitive and private information with everyone in your social media universe. Rep. Mo Brooks posted a picture of his computer screen on Twitter, not realizing that he was also sharing his email password and a PIN.
Cybersecurity Training Needs in the Health Care Industry
The most egregious sharing of personal information of 2021 was COVID-19 vaccination cards. That card is the equivalent of a ‘get out of jail free’ card. Of course, we all wanted to share that news. But people weren’t covering the personal information on the card. They put full names and birthdates out there for the world to see. But it wasn’t just that. The photo also revealed where you got the shot and details about the vaccine itself. And, “[d]epending on the photo, OSINT [Open Source Intelligence] researchers can go even further to possibly pinpoint where exactly the photo was taken, what time of day, the type of camera, or find other revealing clues about the person.”
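The time, place and camera type mentioned in the quote above can often be read straight out of the photo file rather than deduced from the picture: phones and cameras embed EXIF metadata (device make and model, timestamps, and a GPS block) that survives many upload paths. The following is an added example, not code from the original article, of a pre-posting check that flags those tags and a function that strips them. It uses a minimal hand-written JPEG/EXIF walker over a constructed sample file so that it runs offline; real photos would be read from disk instead. It assumes a well-formed baseline JPEG and removes all APP1 segments (EXIF and XMP), leaving the image data untouched.

```python
import struct
from typing import List

# EXIF tag IDs (from the EXIF standard) whose presence is worth flagging before posting.
SENSITIVE_TAGS = {
    0x010F: "Make",              # camera or phone manufacturer
    0x0110: "Model",             # device model
    0x0132: "DateTime",          # when the file was last written
    0x9003: "DateTimeOriginal",  # when the shutter fired (lives in the Exif sub-IFD)
    0x8825: "GPSInfo",           # pointer to the GPS IFD: location of the shot
}
SUB_IFD_POINTERS = (0x8769, 0x8825)  # Exif sub-IFD and GPS IFD pointers


def _iter_segments(jpeg: bytes):
    """Yield (marker, payload) for each segment before SOS; payload excludes the length field."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("segment marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, metadata stops here
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _scan_tiff(tiff: bytes) -> List[str]:
    """Walk IFD0 plus the Exif/GPS sub-IFDs and return the sensitive tag names present."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    found, seen = set(), set()
    to_visit = [struct.unpack(endian + "I", tiff[4:8])[0]]
    while to_visit:
        off = to_visit.pop()
        if off in seen or off + 2 > len(tiff):
            continue  # guard against cycles and truncated files
        seen.add(off)
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(count):
            e = off + 2 + 12 * i
            tag, _typ, _n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if tag in SENSITIVE_TAGS:
                found.add(SENSITIVE_TAGS[tag])
            if tag in SUB_IFD_POINTERS:
                to_visit.append(val)
    return sorted(found)


def find_sensitive_tags(jpeg: bytes) -> List[str]:
    """Pre-posting check: names of sensitive EXIF tags in the first EXIF APP1 segment."""
    for marker, payload in _iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _scan_tiff(payload[6:])
    return []


def strip_metadata(jpeg: bytes) -> bytes:
    """Return a copy with every APP1 (EXIF/XMP) segment removed; pixels are untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker == 0xDA:
            out += jpeg[pos:]  # keep SOS, compressed data and EOI as-is
            return bytes(out)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])


def build_sample_jpeg(with_exif: bool = True) -> bytes:
    """Constructed sample (not a decodable image): JPEG skeleton with Make, DateTime and a GPS IFD."""
    E = ">"  # big-endian TIFF ("MM")
    make, when = b"Acme Phone\x00", b"2021:06:01 12:34:56\x00"
    ifd0_off = 8
    make_off = ifd0_off + 2 + 3 * 12 + 4          # data placed right after IFD0
    when_off = make_off + len(make)
    gps_off = when_off + len(when)
    ifd0 = struct.pack(E + "H", 3)
    ifd0 += struct.pack(E + "HHII", 0x010F, 2, len(make), make_off)  # Make, ASCII
    ifd0 += struct.pack(E + "HHII", 0x0132, 2, len(when), when_off)  # DateTime, ASCII
    ifd0 += struct.pack(E + "HHII", 0x8825, 4, 1, gps_off)           # GPSInfo, LONG
    ifd0 += struct.pack(E + "I", 0)                                  # no next IFD
    # GPS IFD with one entry, GPSLatitudeRef "N" (short ASCII value stored inline)
    gps = struct.pack(E + "H", 1) + struct.pack(E + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack(E + "I", 0)
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(E + "I", ifd0_off) + ifd0 + make + when + gps
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if with_exif else b""
    return b"\xff\xd8" + exif_seg + b"\xff\xda\x00\x02" + b"\x00\x00" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("tags found before posting:", find_sensitive_tags(photo))
    print("tags after stripping:", find_sensitive_tags(strip_metadata(photo)))
```

Running the audit over a real photo is a matter of passing `open(path, "rb").read()` to `find_sensitive_tags`; an empty list means no EXIF device, time or location tags, while anything else is a reason to run `strip_metadata` (or the platform's own metadata removal) before the picture goes online. Note that stripping metadata does nothing about what is visible in the frame, which is the larger point of this article.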
Sharing a vaccine card doesn’t violate HIPAA, but sharing photos taken during a medical procedure on Instagram might, since no one had permission from the patients to share intimate details of their surgery. In other social media security incidents, medical professionals post pictures, videos and stories about patients and staff. That can put their workplace at risk of compliance violations. In the same vein, patients shouldn’t share pictures of their medical ID bracelets, medicine bottles or ID cards on nursery bassinets.
Many retailers have turned to social media as a way to attract customers and build their brand. But not every picture tells the story the company wants to tell. A fun staff photo taken in the office could show sensitive financial information or confidential information about suppliers.
It’s not just a lack of cybersecurity awareness that is a concern for brick-and-mortar stores. Poor social media sharing could put the physical security of stores at risk. A photo montage meant to be a marketing tool gives potential thieves a good look at what and where the most valuable items are. Photos taken in storage areas and back rooms show entrance and exit points. And those office pictures? They could reveal where the safe is or show keys hanging on the wall.
The financial industry has turned to social media as a way to update its image and navigate the new ways people manage their money. It also appears that employees tend to overshare on professional social media. Maybe they don’t post visual images much, but they may make posts airing their complaints. Barclays, for example, found that employee complaints about new software systems and policies spill over into the corporate brand. If employees are showing that they don’t trust the software they are using, it raises questions on the security of customer data. Consumers lose confidence.
Of course, financial institutions deal with very sensitive information. So, employees sharing pictures taken at work are at high risk of breaking office privacy policies. A photo or video can easily catch account numbers or client portfolios.
Cybersecurity Training Challenges
Keeping track of social media is difficult. A growing number of businesses and agencies depend on social media as a marketing tool. Staff members engage with their followers as part of their work. Photos and videos add a human touch to an otherwise faceless business.
And employees are social media consumers who like to share parts of their lives. Innocent pictures of lunch at your desk could reveal sensitive information. Chief information security officers (CISOs), already likely short-staffed, don’t have time to be a watchdog for everything employees share on their social media accounts. Meanwhile, employees don’t have a clue that what they are doing is causing problems.
Education is everything, so CISOs need to include social media risks and behaviors in any cybersecurity training. It’s not just a matter of teaching employees what not to do, but how their actions can impact the business (and the employee’s own privacy).
Elements of Good Training
Cybersecurity awareness training should include the risks of posting pictures and videos on social media, but it should also cover the following:
- Multi-factor authentication, so that a shared or exposed password is not enough on its own
- How to safely store passwords
- Policies about camera use (for example, never allowing cameras in areas that reveal intellectual property)
- Putting paperwork away when not in use and setting devices to go into hibernate mode when idle
- Using background images on video calls (you never know when a screenshot of the call will end up on someone’s Facebook page)
- Data privacy rules and how data leaks can affect businesses
You won’t be able to stop employees from sharing on social media. Ensuring they have the right cybersecurity awareness training about how their sharing can be detrimental to corporate and personal security should encourage them to think twice before they hit post.