October 9, 2019 By Mark Stone

When it comes to social media safety, users are often unaware of the ramifications of their online posts. Many don’t realize they may be putting their personal data — and, by extension, their company’s data — at risk. While you may not be dealing directly with your customers, you’re only one step away from your clients on some social channels, and many organizations have spent a lot of time, money and effort to create brand loyalty through those channels.

Social media should be fun. We shouldn’t have to be so careful about what we do and say online, but cybercriminals aren’t going anywhere, and social media presents a natural gateway for bad actors to get what they want.

“I Thought That Was Safe to Post”

In many cases, there are common social media mistakes that employees don’t even realize they’re making. For instance, what if you’re taking a team selfie in the boardroom at the end of a strategic meeting and there’s information from a projector up on the whiteboard? Patrick McBride, chief marketing officer for ZeroFox, has more than two decades of cybersecurity experience and has heard many nightmarish stories about social media posts gone awry.

“With these posts, you could be inadvertently giving away confidential plans, financial information or other intellectual property,” he said. “Those kinds of things happen all the time.” Any information traditionally considered personally identifiable information (PII) is fodder for bad guys to monetize, McBride warned.

“Things like your Social Security number, your age, where you grew up, your mother’s maiden name and date of birth should be kept private,” he noted. “A lot of people put birthdates in the social platforms because they like to get the ‘Happy Birthday’ message.”

Armed with this information, hackers can increase their odds of engineering a successful password reset. Plus, PII only gives malicious actors more ammunition to launch social engineering attacks.

What Is Safe to Post?

According to McBride, anything outside of PII should be relatively safe. Generally speaking, the less you share about yourself or your company, the better. However, it may not be as much about the content as who can see it. That’s where privacy settings on social media can make a meaningful difference.

“Some of the social platforms have gotten better at pulling things together into a single place,” McBride said. “The platforms are making it easier for you to lock down content, but most preferences are open by default.” McBride also suggested ensuring that privacy settings are as restrictive as possible and auditing them at least annually.

Secure Social Media Tips and Tricks

Social media safety means showing without showing too much, according to independent security researcher Rod Soto. “Most of all, you want to protect as much of your sensitive, private information as you can.”

Soto offered seven recommendations for anyone who wants to participate in social media and mitigate the risks of the internet at the same time. Some of these may appear too restrictive, but I have to agree with him here — I’ve seen employees’ social media posts cause irreparable harm to either the individual or the company far too many times.

The first tip cannot be stressed enough:

  1. Think before you post. A post stays on the internet forever, even if you delete it. Not only will it remain public, but those who see it in the future may not have the context needed to understand it.
  2. Do not use your actual name. Use a nickname or some other moniker that does not give away your identity.
  3. Do not announce or reveal your location when you are away from home. Be mindful of backgrounds, people and landmarks that could reveal too much information — unless, of course, you mean to show them.
  4. Whenever possible, customize your privacy settings based on who you want to see your posts. In many cases, social media helps communicate and share special moments with friends, family and acquaintances. Target your posts. Consider having one account for communicating only with people you trust and another account for acquaintances and the general public.
  5. Protect your accounts by using multifactor authentication (MFA), not repeating passwords and not recycling your security questions and answers.
  6. Don’t repost, retweet or share without scrutinizing or verifying. Many memes and pieces of viral content are inaccurate or exaggerated. Links, files, games or applications sent to you by anyone (including your family) could compromise your systems. Remember, the sender may already be compromised.
  7. Freedom of expression does have consequences. Employers, organizations, people or even friends may not like what you post.

Enterprise Best Practices for Social Media Safety

Many of the best practices and policies that help organizations increase social media security awareness in their workforce start at the top and then spread throughout the corporate hierarchy.

“It is very important for organizations to clearly state and promote security awareness in their employees, and this includes the use of social media in corporate-related events,” noted Soto. “There are many times where employees themselves reveal sensitive corporate information by inadvertently revealing it on their own personal social media. This usually gives criminals enough information to target employees and executives.”

Soto advises that corporate social media accounts be considered assets in information security policies. As such, a safe social media policy must be implemented and followed. In addition, corporate accounts must also be monitored for threats.

McBride echoed this sentiment and added that best practices for social media safety should ideally be incorporated into standard security training administered by an organization’s IT or security team: “Focusing on how to identify social engineering tactics, impersonating accounts, scams and fraudulent posts, as well as how to strengthen account security settings to prevent account hacking, will help employees stay safe on social and protect both personal and corporate social accounts.”

Keeping employees off social media is like trying to keep a bee from honey: If you prohibit social completely, you will likely be stung. A middle ground must be established, and the best solution is to include everyone in the process instead of restricting their online behavior. As you develop your policies and practices around social media, remember that people respond well when they feel empowered and involved.
