Businesses need to have a social media strategy and engage in social networking as part of their branding. You also, however, need to protect your company from the data risks inherent in social media activities.
Social media risk management is not limited to your public relations team; it should also be an integral part of your IT security risk management process. So what do you need to know?
Managing Risks of a Social Media Presence
What are the primary social media risks?
Presumably you already recognize the point that with great marketing comes great responsibility. You’re already out there creating a strong voice for your brand. Unfortunately, using social media in any capacity puts your company at risk for both reputational damage and cyber attacks.
Modern hackers try constantly to access your data using social media accounts, and breaches that begin on social media can spread, threatening the personal data of your customers.
If you use Facebook as your primary login, then your data is at risk. It’s that simple.
A more complicated explanation is this: user authentication tokens allow you to use your Facebook login as a single-sign-on option. When you start using a new application, you’ll get the “Sign on with Facebook” or “Sign on with Google” options. Using a secondary site to login creates a new point of entry for potential hackers — one that may not be as secure as you think.
Social media sites like Facebook (or Google, or LinkedIn) are constantly under threat from hackers. Therefore, you need to think about how you log into your social media accounts and how you use them to log in to other applications.
Phishing scams continue to plague us. Now, however, attackers have begun targeting messenger applications. For example, maybe you’ve automated your direct messages to send discounts to your customers.
Hackers will try to take over these automated applications and send out messages that look like yours. When they put links in the messages, they use the same social engineering tactics of fake links that look real. To protect your branding, you need to make sure that you monitor your messenger applications regularly for these kinds of intrusions.
Poor Password Hygiene
That’s right. If you use a risky password for your corporate social media accounts, you’re putting them at unnecessary risk to be compromised by attackers. You’re putting your corporate data environment at risk.
Think about it this way: all the information you collect as part of your social media marketing strategy is linked to those social media accounts. Any customer or potential customer information is at risk if a hacker gains control of your social media account.
Are you tracking potential leads based on social media analytics and using a weak password? You’re putting everything from your information landscape to your reputation on the line. All for the ease of remembering a password.
Why Managing Social Media Risk Matters
You’ve probably focused on the importance of handling employee social media use as part of the social media policy embedded in your Bring Your Own Device (BYOD) policy.
As a marketer, however, you also need to work with your IT department to manage your own social media activities.
Sitting down with your chief information security officer gives you the opportunity to understand how your marketing practices might make his or her job more difficult. For example, your social media accounts may not be third-party vendors, but your third-party social media tools are. Buffer, Hootsuite, and IFTTT all connect to your systems and networks. You need to talk with your CISO to identify the risks that these tools pose.
If you’re using a work browser connected to your work network from a company device, then managing your social networks affects your security risks. Here’s an example.
You’re sitting down to review posts on LinkedIn. You click on something to read an article. The article, however, is a phishing attempt. Clicking on the link now downloads malware to your browser that can capture any passwords you use on the browser. You log into the web platform for your marketing database. The login information (name and password) could be compromised.
All of this happened because you were using a social media account to do your job. Now, your IT department’s security attempts are compromised.
What Strategies Mitigate Social Media Risk?
Three steps can help you mitigate the data risks inherent in social media marketing.
1) Social Media Policy
Create a policy specific to your social media marketing strategy. This includes making sure that you have clear expectations about:
- Password strength
- Content monitoring
- Access lists
- Interacting with the public
- Security breaches
- Crisis response
You need to talk to your CISO about how you report and handle the aftermath of a social media hacker getting into your accounts. You need to make sure that you and the IT security team are working together rather than isolating yourself from a department that helps you protect your client lists.
You’re the first line of defense for protecting all the information you access. More importantly, since you focus on protecting brand identity and image, you need to make sure that you’re creating a safe place for customers.
To do this, you need to make sure that you’re staying updated on the most recent threats to your social media accounts. Whether it’s another Facebook vulnerability or a Twitter hack, you have to educate yourself about how your activities threaten the whole company.
If you have multiple people working with your social media accounts, you need to make sure that you create a chain of command reviewing the activities. Who has access to the accounts, and what devices are they using to login? If your staff is using their personal computers or phones to access company-owned social media accounts you may want to consider additional security for those devices.
Oversight is also critical for the posts and direct messages that originate with your social media team. Sharing a phishing link or opening an attachment from an unknown account can compromise your security and put your followers at risk. Make sure to review posts before they are scheduled and to have protocols in place for answering any messages you receive via social media.
Performing a Social Media Risk Assessment
Let’s start with the difference between a security assessment and a risk assessment. A security assessment is a test of your various controls that will highlight any security vulnerabilities and expose any issues that must be resolved. A risk assessment is a thorough exploration of any potential risks that your company could face, to prepare yourself for future problems. While security assessments are an important part of your risk management strategy, an assessment is a key tool for avoiding risk in the first place.
Social media risk assessments aren’t much different from any other risk assessment. The scope is more narrow, but the five principles of risk assessment remain:
- Identify. Examine your social media channels and take note of any areas where risks may occur.
- Assess. Take into account who or what might be harmed by these risks occurring.
- Evaluate. Take a closer look at the risks and determine what you need to do to prevent them from occurring.
- Decide. Are your current controls sufficient? If not, what will you do to improve your security?
- Record. Keep detailed documentation of your assessment so you are able to review and revise in the future if need be.
The key difference is in the dangers that are specific to social media usage. User authorization (as discussed above), accidental posts from staff members, and fake accounts are all risks inherent to marketing your business on social media.
Rather than search for tools to manage social media separately, you can incorporate social media risk assessment into your overall risk management plan. The “siloing” of different threats can create gaps in your security plan, and may also cause redundancies as you attempt to solve the same problem more than once.
Instead, consolidate your risk management into one place that will allow for full transparency and easy collaboration between teams.
How ZenGRC Enables Social Media Risk Management Workflows
With ZenGRC’s platform, you can connect your social media cybersecurity activities to the overarching data security requirements set out by your IT department.
Your IT department can prioritize tasks that help you focus on real-time tracking for vulnerabilities in your social media networks. As soon as they hear of a risk, they can tag you. If you hear of a risk, you can tag them.
With our intuitive interface, you don’t even need to be an IT professional. You can easily create and follow tasks so that you work as a team.
Our centralized dashboard offers the IT department actionable key performance indicators (KPIs) that lets the team see into the company’s information security protections. Connecting the marketing department’s data strategies to overall company policies will support your company’s enterprise risk management strategies.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.