DID YOU KNOW? On average, 1.4 billion social media accounts are hacked every month.
Just over half of the world's population is at risk of social media hacking... and these attacks are constantly on the rise.
A Google report found that 20% of social media accounts will be compromised at some point...
And 28% of businesses who suffered a social media hack spent $10,000 or more to fix and rectify the hack.
Hackers know that many of us tend to recycle passwords across personal and work accounts - so getting a single password can be like a skeleton key.
We're also used to receiving notifications and alerts, which makes us prone to clicking fake notification links.
Attackers will even create fake profiles or pose as co-workers to make an email look more authentic (be wary of fake recruiters asking for personal information).
So, how do we build policies and procedures that protect against these threats?
In the guide below, we'll look at:
- The types of attacks to look out for
- How to build your social media security policies
- Procedures for spotting and responding to threats
- The tools you can use to identify and prevent attacks
The risks of using social networking sites
Social media platforms are essential to connect with customers, promote products, and build brand awareness...
And there's nothing you can do to stop your employees from using these platforms in their free time.
However, social media can also open your organization up to potential threats.
Social media is often a staging ground for phishing and social engineering attacks...
Social networking sites are a treasure trove of personal and organizational information, making them lucrative targets for cybercriminals.
From employee credentials to customer details, you're potentially exposing (albeit unintentionally) valuable information that can be used in cyber attacks.
Cybercriminals will pretend to be trusted entities to trick users into divulging confidential information or clicking on malicious links.
Without proper awareness and training, employees can easily fall victim to these phishing attacks - which are always evolving in sophistication.
Types of phishing attacks used on social media sites
Account takeover (ATO) scams: Attackers will use compromised or fake accounts to impersonate legitimate businesses or employees, tricking users into providing sensitive information or clicking on malicious links.
Fake customer support pages: Counterfeit customer support pages mimic legitimate brands to deceive users into sharing personal or financial information.
Social engineering attacks: Attackers often exploit human psychology and social dynamics to manipulate users into divulging confidential information or performing actions that compromise security.
CEO impersonation scams: In this type of phishing attack, cybercriminals impersonate company executives or high-ranking officials on social media to deceive employees into transferring funds, divulging sensitive information, or performing fraudulent activities.
Brand spoofing: Attackers will create counterfeit social media profiles or pages impersonating well-known brands to deceive users into engaging with fake content or advertisements.
Source: IT Governance
Credential harvesting: In credential harvesting attacks, perpetrators employ phishing tactics on social media to trick users into divulging login credentials or sensitive information.
Here's what to look out for on each platform 👀
Social media security threats: real-life case studies
Twitter (2020)
What happened?
In 2020, Twitter experienced a high-profile security breach where hackers gained access to the accounts of prominent individuals and companies.
The attackers used these accounts to promote a cryptocurrency scam.
Impact
The breach affected 130 accounts, with tweets posted from 45 of them, and personal data accessed from 36 DM inboxes.
Cost
Although the exact financial impact on Twitter was not disclosed, the company faced significant reputational damage and had to invest heavily in security improvements. The estimated total damage from the scam itself was around $120,000 in Bitcoin.
LinkedIn (2021)
What happened?
Data scraped from around 700 million LinkedIn profiles (over 90% of LinkedIn’s user base) was found for sale on a dark web forum.
The data included personal information such as full names, email addresses, phone numbers, and job information.
Impact
While LinkedIn claimed no sensitive private data had been breached and the data was scraped from publicly visible profiles, the scale of the data collection raised significant privacy concerns.
Cost
The exact financial impact on LinkedIn or its users was not detailed, but the incident highlighted vulnerabilities in social media platforms regarding user data scraping and privacy.
Marriott International (2018)
What happened?
Although the breach occurred in 2018, the ramifications were felt for years following this incident.
Marriott disclosed a massive data breach affecting up to 500 million guests’ information, including names, addresses, phone numbers, email addresses, passport numbers, and in some cases, payment card information.
Impact
The breach, which was one of the largest in history, affected the company’s global operations and trust with its customers.
Cost
Marriott faced significant financial repercussions, including a fine of $124 million proposed by the UK’s Information Commissioner’s Office (ICO).
The company also incurred costs related to customer notification, credit monitoring services, and legal fees.
Creating your social media security policy: best practices
1. Adjust privacy settings
Employees should be aware of privacy settings and how to manage them. Here's how you can guide your employees to follow best practices:
Profile visibility: Ensure employees set their profiles to private or restrict access to connections only. This minimizes the exposure of personal and potentially sensitive organizational information.
Post visibility: Advise employees to limit who can see their posts and updates. Encourage them to avoid sharing confidential or proprietary information publicly.
Data collection: Make sure employees are aware of what data social media platforms collect and how it is utilized. Advise them to share minimal personal and organizational data on these platforms.
Connected apps: Advise employees to regularly review and manage third-party applications that have access to their social media accounts. Encourage them to revoke access for apps that are no longer needed or appear suspicious (more on this below 👇).
2. Implement strong passwords
One of the most effective (and straightforward) ways to secure social media accounts is by implementing strong and unique passwords.
Password complexity: Encourage employees to create passwords that include a mix of uppercase and lowercase letters, numbers, and special characters.
Avoiding common passwords: Remind employees to avoid using easily guessable passwords such as “password" or "1234".
Secure storage: Use password managers to securely store and manage complex passwords.
Generating passwords: Encourage the use of password managers to generate strong and random passwords. This will ensure employees are using unique passwords for each of their accounts without having to remember them all.
Regular password changes: Make sure employees are regularly changing their passwords. Set up reminder systems to notify employees when it’s time to change their passwords. This can be done through internal communications or automated reminders.
3. Enable multi-factor authentication
Incorporating MFA into your social media security policies will strengthen your overall security posture by providing an additional layer of protection against unauthorized access.
Below are a few of the ways in which you can bake MFA into your policies...
Mandatory implementation: All business-related social media accounts should have multi-factor authentication enabled.
User account management: Only authorized personnel should have access to business social media accounts. Access should be granted based on role and necessity.
Simulated phishing attacks: Regularly conduct phishing simulations to test the effectiveness of MFA and employee awareness.
4. Regularly review connected apps and permissions
Third-party apps and integrations can help speed up your workflow... but they can also pose significant cybersecurity risks if not properly managed.
The 2020 Twitter attack we looked at above was a result of compromised third-party app access.
Regularly reviewing the apps connected to your organization's social media accounts helps identify any unauthorized or suspicious applications that may have gained access.
Many third-party apps request access to sensitive information. By regularly auditing these permissions, you can ensure that only trusted and necessary apps have access.
Here's how to review your connected apps:
Regular audits: Schedule regular audits (these don't need to be too frequent; monthly or quarterly will do) to review the list of apps connected to your social media accounts.
Evaluate necessity: Remove any apps that are no longer in use or whose utility is outweighed by the potential security risks.
Check permissions: For the apps that remain connected, review the permissions they have been granted. Ensure that these are aligned with the app's purpose and revoke any unnecessary permissions.
Update and patch: Ensure that all connected apps are regularly updated and patched. This helps protect against any vulnerabilities that could be exploited by cybercriminals.
5. Use monitoring tools for mentions and tags
Monitoring tools are a must-have for managing your organization's reputation and security on social networking sites.
Here are a few ways in which they can be used:
Early detection of brand impersonation: Monitoring tools can quickly detect when someone creates accounts that impersonate your brand.
Identifying phishing attempts: Cybercriminals often use mentions and tags to trick users into clicking malicious links. By monitoring these activities, you can identify and respond to phishing attempts targeting your organization or employees.
Tracking security threats: Monitoring tools can alert you to potential security threats or vulnerabilities discussed in mentions or tags. This proactive approach allows your security team to address issues before they escalate into more significant problems.
6. Limit access privileges
Managing who has access to your social media accounts and what they can do will significantly reduce the risk of unauthorized actions and potential security breaches.
Role-based access control: Implement role-based access control to assign specific roles and permissions to users based on their job responsibilities.
Granular permissions: Set granular permissions that dictate what actions each role can perform. For example, content creators may be allowed to draft posts but not publish them, while administrators have full access.
Immediate revocation: Promptly revoke access for employees who leave the organization or change roles.
7. Beware of free Wi-Fi
Using public Wi-Fi networks can pose significant security risks to your organization, especially when employees access social networking sites.
A few best practices for using Wi-Fi securely:
Use a VPN: Employees should always use a VPN when connecting to public Wi-Fi.
Disable automatic connections: Ensure that employees adjust their settings so that devices do not automatically connect to nearby Wi-Fi networks.
Limit access to sensitive information: Avoid accessing social media accounts over public Wi-Fi.
8. Avoid logging in via links
Attackers often rely on fake login links distributed via emails or messages. So, the easiest way to reduce this risk is to encourage employees to avoid logging in via links altogether.
Login directly from legitimate URLs: Make sure employees always log in to your social media accounts by manually typing the URL into their browser's address bar.
Bookmark trusted sites: Employees can create bookmarks for frequently used websites to ensure they're visiting the correct URL every time they log in.
Verify before clicking: If employees receive a link via email or message, they'll need to verify its authenticity before clicking - and be particularly wary of unsolicited messages that urge you to log in or provide sensitive information.
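To make the "verify before clicking" step concrete, here is an added example (not Hoxhunt's code) of a small link checker a security team could run over links extracted from reported messages. It treats a link as safe for logging in only when its host exactly matches an allowlisted login host over HTTPS, and it flags the common tricks that make a link look legitimate at a glance: a trusted brand name buried in a longer hostname, a punycode (xn--) domain, or a trusted name placed in the user-info part before an @. The allowlist and the sample links are constructed for the example.

```python
"""Classify links against an allowlist of exact, known-good login hosts.

Added example, not part of the original article. The allowlist and the
sample links below are constructed; adapt TRUSTED_LOGIN_HOSTS to the
accounts your organization actually uses.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the exact hosts where staff are expected to log in.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.linkedin.com", "www.facebook.com"}


def _brand_names(hosts):
    """'www.linkedin.com' -> 'linkedin'; used to spot lookalike hostnames."""
    names = set()
    for host in hosts:
        bare = host[4:] if host.startswith("www.") else host
        names.add(bare.split(".")[0])
    return names


def classify_link(url):
    """Return (verdict, reason) for a link found in an email or DM.

    verdict is 'trusted', 'lookalike' or 'untrusted'. Only an exact host
    match over https is trusted; everything else is something the employee
    should not log in through.
    """
    parts = urlsplit(url.strip())
    # urlsplit puts anything before '@' in userinfo, so a link such as
    # https://twitter.com@evil.example/ has hostname 'evil.example'.
    host = (parts.hostname or "").lower()

    if host in TRUSTED_LOGIN_HOSTS:
        if parts.scheme == "https":
            return ("trusted", "exact host match over https")
        return ("untrusted", "trusted host but not https")

    # Punycode labels can render as characters that mimic a brand name.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", "punycode hostname")

    # A brand name inside a longer hostname (twitter.com.example.net,
    # linkedin-security.example) is the classic fake-login-page pattern.
    for brand in _brand_names(TRUSTED_LOGIN_HOSTS):
        if brand in host:
            return ("lookalike", f"'{brand}' appears in untrusted host {host!r}")

    return ("untrusted", f"host {host!r} is not an allowlisted login host")


def links_to_flag(urls):
    """Return the links (with reasons) that should not be used to log in."""
    return [(u, *classify_link(u)) for u in urls if classify_link(u)[0] != "trusted"]


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from reported messages.
    samples = [
        "https://twitter.com/login",
        "http://twitter.com/login",
        "https://twitter.com.example.net/login",
        "https://twitter.com@evil.example/",
        "https://xn--twittr-abc.example/login",
        "https://www.linkedin.com/login",
    ]
    for url, verdict, reason in links_to_flag(samples):
        print(f"{verdict:10} {url}  ({reason})")
```

The check is deliberately strict: it does not try to decide whether an unfamiliar host is malicious, only whether it is one of the places staff should ever type a password. Anything not on the allowlist goes back to the employee with the standing advice from this section: open the bookmark or type the address yourself.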
9. Invest in employee training
Regular security awareness training is essential for defending against the evolving threats posed by social networking sites.
However, some training solutions will be more effective than others.
To genuinely change employee behavior, you'll need to make sure that training is frequent, engaging and rewarding.
Here are some rough criteria for training that actually works:
Digestible content: Training should be broken down into manageable chunks and embedded into an employee's workflow.
Personalization: Employees should receive training that is relevant to their cyber knowledge (IQ), role, department, and language. Solutions like Hoxhunt will even tailor content based on how employees respond to phishing simulations.
Behavior change: Continuous reinforcement and repetition is required to change employee behavior in any meaningful way. Training should positively reinforce the right behavior and deliver content regularly.
Tracking & reporting: Make sure your training has the capacity to track and measure your success. When employees are engaged in training, reporting rates of simulation exercises will increase - which means reporting rates of real-world threats will increase too.
Tools for tracking and managing social media threats
Social media monitoring tools
What are they?
These tools track brand mentions, keywords, and hashtags across various social media platforms.
Use case
You can use these tools to monitor real-time mentions of your brand, so you can quickly identify and respond to customer complaints and spot malicious activity or fake profiles.
Threat intelligence platforms
What are they?
These platforms provide comprehensive monitoring of social media, dark web, and other sources for potential cyber threats and malicious activities.
Use case
You can use threat intelligence platforms to detect early signs of phishing campaigns targeting your employees or customers - so you can preemptively warn users and enhance security measures.
Security information and event management (SIEM) systems
What are they?
SIEM systems collect and analyze data from various sources, including social media monitoring tools, to detect security incidents.
Use case
You can integrate your social media data with a SIEM system to identify patterns indicative of coordinated cyberattacks.
Identity and access management (IAM) tools
What are they?
IAM tools ensure secure access to social media accounts through features like multi-factor authentication (MFA) and single sign-on (SSO).
Use case
IAM tools will allow you to enforce MFA on all social media accounts, ensuring that only authorized personnel can access and post on behalf of the company.
Content filtering and moderation tools
What are they?
Content filtering tools automate the moderation of social media content to filter out inappropriate or malicious content.
Use case
Content filtering tools can be used to moderate user-generated content on social media pages.
How to spot suspicious activity
Here are key indicators and strategies for identifying social media cyber threats:
Unusual account behavior
Look out for posts, messages, or other activities that are inconsistent with the usual behavior of your organization's accounts.
This includes sudden changes in posting frequency, tone, or content that doesn't align with your brand's voice.
Login alerts
Monitor login attempts from unfamiliar locations or devices.
Many social platforms provide alerts for logins from new devices or locations, which can help you spot unauthorized access attempts.
Unknown contacts
Be wary of connection requests or messages from unfamiliar users, especially if they are asking for sensitive information or trying to redirect you to external sites.
Phishing attempts
Watch for messages or posts that ask for personal information, contain suspicious links, or have urgent requests for actions that could compromise security.
Unrecognized tags or mentions
Keep an eye on any mentions or tags that seem out of place, as these could be attempts to associate your brand with malicious content or scams.
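The "unusual account behavior" and "login alerts" indicators above are easy to state but only useful if someone actually checks for them. As an added example (not Hoxhunt's code, and not tied to any particular platform's export format), here is a small detector that runs over a constructed audit log of your organization's accounts: it learns the device/location pairs each account normally logs in from during a baseline period, flags later logins from an unfamiliar pair, and flags a burst of posts that exceeds a threshold within a short window, the kind of sudden change in posting frequency the text describes. The log line format and all sample lines are constructed for the example.

```python
"""Flag unfamiliar logins and posting bursts on organizational accounts.

Added example, not part of the original article. The line format
(timestamp, then key=value fields) and the sample lines are constructed;
a real platform export will need its own parse_event().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed baseline: normal activity from a previous period.
BASELINE = [
    "2024-04-10T08:02:11Z account=acme_official event=login device=office-laptop-17 geo=FI",
    "2024-04-10T08:05:40Z account=acme_official event=post",
    "2024-04-12T09:12:03Z account=acme_official event=login device=office-laptop-17 geo=FI",
    "2024-04-15T10:00:00Z account=acme_official event=login device=iphone-marketing geo=FI",
    "2024-04-15T10:30:00Z account=acme_official event=post",
    "2024-04-18T14:00:00Z account=acme_support event=login device=support-desktop-2 geo=FI",
]

# Constructed recent activity to be checked against the baseline.
RECENT = [
    "2024-05-02T03:41:09Z account=acme_official event=login device=unknown-android geo=BR",
    "2024-05-02T03:42:00Z account=acme_official event=post",
    "2024-05-02T03:43:10Z account=acme_official event=post",
    "2024-05-02T03:44:05Z account=acme_official event=post",
    "2024-05-02T03:45:30Z account=acme_official event=post",
    "2024-05-02T08:15:22Z account=acme_support event=login device=support-desktop-2 geo=FI",
    "2024-05-02T08:20:00Z account=acme_support event=post",
]


def parse_event(line):
    """Turn one log line into a dict with a timezone-aware 'ts' plus key=value fields."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _events(lines):
    return sorted(map(parse_event, lines), key=lambda e: e["ts"])


def learn_login_contexts(lines):
    """Per account, the set of (device, geo) pairs seen logging in during the baseline."""
    known = defaultdict(set)
    for e in _events(lines):
        if e["event"] == "login":
            known[e["account"]].add((e["device"], e["geo"]))
    return dict(known)


def unfamiliar_logins(lines, known):
    """Alerts for logins from a device/location pair the account has never used."""
    alerts = []
    for e in _events(lines):
        if e["event"] != "login":
            continue
        context = (e["device"], e["geo"])
        if context not in known.get(e["account"], set()):
            alerts.append(f"{e['account']}: login from unfamiliar device/location "
                          f"{context[0]}/{context[1]} at {e['ts'].isoformat()}")
    return alerts


def posting_spikes(lines, window=timedelta(minutes=10), threshold=4):
    """Alert (once per account) when posts within a sliding window reach the threshold."""
    recent_posts = defaultdict(deque)
    alerts, fired = [], set()
    for e in _events(lines):
        if e["event"] != "post":
            continue
        q = recent_posts[e["account"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop posts older than the window
            q.popleft()
        if len(q) >= threshold and e["account"] not in fired:
            fired.add(e["account"])
            alerts.append(f"{e['account']}: {len(q)} posts within {window} ending {e['ts'].isoformat()}")
    return alerts


if __name__ == "__main__":
    known_contexts = learn_login_contexts(BASELINE)
    for alert in unfamiliar_logins(RECENT, known_contexts) + posting_spikes(RECENT):
        print("ALERT", alert)
```

With the constructed data, the detector raises two alerts for acme_official (a 03:41 login from an unknown device in a new country, followed by four posts in under five minutes) and nothing for acme_support, whose login matches its baseline. In practice the window and threshold should be tuned per account: a support account that answers many customers in a row will need a higher threshold than a corporate account that posts twice a week.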
How to respond to security incidents on social networking sites
If you do happen to fall victim to an attack, there are a few steps you can take to mitigate damage and protect your organization...
Take action immediately
As soon as you identify a security breach, take action to contain the issue.
This might involve changing passwords, revoking access to compromised accounts, or temporarily disabling affected profiles.
Notify relevant parties
Once the incident has been investigated, inform internal stakeholders, including your IT team and executive management, about the incident.
If customer data is compromised, promptly notify affected customers and provide them with guidance on how to protect themselves.
Report to social media platforms
Report the incident to the social media platform where it occurred.
Most platforms have dedicated teams to handle security incidents and can offer assistance in resolving the issue.
Public communication
If the breach is significant and affects a large number of users or sensitive data, consider issuing a public statement.
Review and improve security measures
After addressing the immediate threat, review your security policies and procedures to identify any weaknesses.
Implement improvements to prevent future incidents (enhanced monitoring, stricter access controls, additional employee training, etc.).
Keep a record of the incident
Document the incident and your response thoroughly.
This documentation will be valuable for understanding the incident's impact, reporting to regulatory bodies if necessary, and improving future incident response efforts.
Reduce human cyber risk with Hoxhunt
Hoxhunt gives you individualized phishing training, automated security awareness training and advanced behavior change - all in one human risk management platform.
Here at Hoxhunt, we set out to build a solution that maximizes training outcomes by serving every user a personalized learning path that tangibly changes behavior.
- Deliver interactive, bite-sized trainings that employees love.
- Automatically optimize training to employees' location, role and skill level.
- Get a complete picture of risk and documented behavior change outcomes via Hoxhunt's reporting dashboard.
- Drive true risk reduction with realistic simulated attacks that mimic the latest threats, helping employees recognize and respond to social media security risks, phishing schemes, and privacy breaches.
How can you protect your organization on social networking sites? FAQ
What are the main social media security risks for organizations?
The primary social media security risks for organizations include data breaches, phishing and social engineering attacks, malware distribution, and reputational damage.
These risks can stem from human error, insufficient privacy policies, and inadequate security measures.
How do social media apps and third-party integrations pose a risk?
Social media apps and third-party integrations can pose risks if they have insufficient security measures or access sensitive information.
These integrations can become potential vectors for malware attacks or unauthorized access.
Regularly reviewing connected apps and permissions, and limiting access to only those necessary for business operations, can help mitigate these risks.
What should be included in a comprehensive social media policy?
A comprehensive social media policy should outline guidelines for acceptable use, privacy settings, content creation, and the approval process for social media posts.
It should also include protocols for responding to security incidents and handling sensitive information to mitigate social media security risks.
What role does monitoring play in social media security?
Monitoring plays a crucial role in social media security by enabling organizations to detect and respond to suspicious activity in real-time.
Implementing monitoring tools for mentions, tags, and unusual account activity can provide valuable insights and help quickly address potential threats, thereby enhancing overall cybersecurity posture.