What happens when the dangers of oversharing online cross into the professional realm?
It’s true that some bosses think that checking your social media accounts is just due diligence these days. How many of us know someone whose photos of them partying on Facebook have cost them a potential job offer?
But it isn’t just potential employers of whom you need to be wary.
Forbes magazine tells the salutary tale(1) of former Hewlett-Packard VP Scott McLellan who tipped off competitors about the firm’s cloud innovations by sharing sensitive information on Linkedin. His oversharing had negative impacts on the company’s revenue, share price and reputation – and his own.
There is a criminal risk too. Hackers and criminals are employing increasingly sophisticated and targeted attack vectors – meaning that oversharing on social media can expose the organisation to malware, spear phishing attacks, ransomware and other nasties.
So much of the answer has to rest with education. We’ve all become so used to sharing personal data online. A 2017 survey by Kaspersky Lab(2) found that 93% of people questioned share information digitally.
Organisations are not in a position to “opt out” of social media; a social media presence is expected of any reputable organisation and is an important communication and sales tool.
As a result, organisations must create, articulate and promote best practice policies around what employees should share online. Not only will this help to protect the organisation from oversharing, but it can offer a legal recourse if it were to happen.
As a minimum, your social media sharing policies should consider the following aspects of sharing information online:
Apparently, even Twitter CFO Anthony Noto has inadvertently publicly sent information he intended to be sent as a direct message, back in 2014. As the Huff Post said(3) at the time: “If Twitter's chief financial officer can't understand the difference between private messages and public ones, what hope do the rest of us have?”
If you are sending sensitive information to a colleague, consider the most secure way of sharing that information – and use it. If you must post on social media, double check who you are sending it to before hitting the post button.
On social media it is all too easy to forward things on; bear in mind that once information is published or shared, you lose control over it. Some things don’t belong on social media, whoever is set to receive that first DM.
Even people not working directly on a new innovation may know commercially sensitive information about it. Education about what constitutes commercially sensitive information in your organisation should be rolled out to everyone; not just those directly involved. You don’t need to include specific data – but make the rules clear enough to be understood.
Employees need to understand that the sharing of some information is completely unacceptable. This may include: emails, personal phone numbers, mobile numbers, account numbers, names and passwords, etc.
Kaspersky Lab’s report also highlighted the problem of allowing access to devices which contain personal, company and sensitive information. It found one in ten of those questioned had shared the PIN for accessing their device with a stranger. One in five had left their device unlocked and unsupervised with others. To what information could that allow access? And could those contacts – either inadvertently or maliciously – click on a link or download software that could corrupt or leave the device exposed?
Another 2017 report from Kaspersky Lab(4) specifically focused on the danger of business leaders using dating apps. The problem is three-fold. First, it identified multiple security vulnerabilities in popular apps including Tinder, Bumble and OKCupid. 19% of the surveyed business leaders using dating apps reported problems from malware, spyware or ransomware. Second, business leaders are often installing these apps on their work devices – leaving work-related documents and emails vulnerable. Finally, 24% of business leaders surveyed admitted to sharing information about work on these apps – leaving them vulnerable perhaps to industrial espionage and certainly to potential spear phishing attacks.
Personal information is often used as a security check – or used by employees themselves as passwords. Ensure your corporate security checks don’t rely on this type of information.
Think about those fun surveys or games online that get you to unwittingly give up your mother's maiden name, the name of your first pet and the town in which you were born. All often used as password reset security questions.
Educate staff about good password security and ensure your corporate password policies support this. In addition, educate staff so they understand the value of using privacy settings and do use them; thereby denying cyber attackers access to these insights.
Checking in to geographical locations can compromise your personal safety. The development of the Please Rob Me website highlighted these dangers(5) back in 2010. Location sharing data is also manna to stalkers – so it’s great if your social media education programme can highlight the personal risks to staff. However, if your staff are operating in dangerous areas or in a high-risk industry where there have been cases of kidnapping or espionage, your responsibility goes far beyond this. Ensuring staff understand the risks involved has to be part of your duty of care.
Those responsible for posting on your company accounts should understand the imperative to steer clear of sensitive or controversial topics. Your organisation doesn’t need to take a stand on sensitive, political or religious subjects unless it works in those fields – and, even then, should do so cautiously. Posting controversial comments can excite activists, extremists and hackers and expose your organisation’s social media accounts and website to unwanted attention, comments and attack.
Hackers and cybercriminals thrive on our inability to keep things private. If they are targeting an individual for a spear phishing attack, the accounts of friends and family may fall under their gaze. Make sure that staff understand the risks of friends and family members posting personal information about them. Encourage family members to keep social media accounts personal, not public, so only friends can view information.
Remember that more senior staff or staff working in sensitive areas are more likely to be singled out for spear phishing attacks, so should take special care – but everyone should practice good practice.
You can proactively monitor how and where your business is being talked about on social media by setting alerts within the platforms on which you operate or through specific monitoring tools.
You’ll need to have policies in place about how to deal with negative postings and minimise any reputational damage. The best way to do this, of course, is to ensure there aren’t any issues which may result in hostile behaviour – whether from staff, customers or other stakeholders.
Monitoring alerts and acting quickly is an essential second-best.
When it comes to ensuring that your employees don't over-share online, education is clearly the solution. At Grant McGregor we can help you set up and deliver ongoing Cybersecurity Awareness Training & Testing for all of your staff with GM Cyber Aware.
Contact us or call us on 0131 603 7910 today for more information.
References:
(1) https://www.forbes.com/sites/cherylsnappconner/2012/10/19/sharing-too-much-itll-cost-you/#175a4e2e4125
(2) https://www.kaspersky.com/about/press-releases/2017_giving-too-much-away
(3) http://www.huffingtonpost.co.uk/entry/twitter-cfo-direct-message_n_6218488
(4) https://www.techrepublic.com/article/business-leaders-oversharing-on-dating-apps-putting-companies-at-risk-of-cyberattack/
(5) https://www.huffingtonpost.com/2010/02/17/please-rob-me-site-tells_n_465966.html
Photo by NordWood Themes on Unsplash