Wait! Don’t click on that cat video

Address cybersecurity risks with company policies around social media.
Wait! Don’t click on that cat video

Social media’s biggest headaches for corporate leaders used to be the untold hours employees spent tooling away on personal pages instead of doing actual work.

But as the now-ubiquitous platforms (Facebook, WhatsApp, WeChat, VK, Instagram, Twitter, to name a few) cement their place in society, so has the ability of cyberthieves to use the platforms for their own purposes — namely, stealing money and information. The ploys can include phishing attempts, where hackers send emails, posts through social media networks, or even text messages with embedded malware, hoping to trick an employee into clicking a link that downloads a virus that will give hackers access to corporate computer networks. Data theft can then lead to cyberthieves auctioning off valuable trade secrets or consumer information to the highest bidders on the dark web, the secretive corner of the internet where much of the cybercrime economy is based.

Worldwide, social media-enabled crimes netted about $3.25 billion in the global cybercrime economy, according to a 2019 report published by UK cybersecurity firm Bromium.

As big as that number is, it’s really a floor, and not anywhere near a ceiling. The actual damage caused by cybercriminals via social networks is most likely much higher, said Michael McGuire, a senior lecturer in criminology at the University of Surrey in the UK and the researcher behind the Bromium report.

“That’s just the bits we could measure,” he said.

McGuire uncovered other troubling findings: His research found crimes involving social media grew by a shocking 300-fold from 2015 to 2017 in the US, according to reports kept by the FBI’s Internet Crime Complaint Center, while in the UK, social media-enabled crime quadrupled between 2013 and 2018.

Indeed, the problem is worldwide, with an estimated 1.3 billion social media users having had their data compromised within the last five years.

These social media breaches have been a boon for cyberthieves, as nearly half of the illicit data trading in 2017 and 2018 linked back to breaches on social media platforms, according to McGuire’s report.

Even so, many people are unaware of the risks posed by clicking on advertisements or viral memes shared by friends on Facebook or approving a connection request from an apparent associate on the professional networking site LinkedIn.

Finance officials, from CFOs on down, are not only frequent targets of cyberthieves, given their access to valuable financial information, but are also tasked with minimising the risks the company faces overall, including attacks from cyber invaders. By pushing for adherence to recommended cybersecurity policies regarding social media use, CFOs can help their respective organisations avoid learning first-hand just how costly a cyberbreach can be.

How the schemes get hatched

The majority of issues can be broken into two types of fraud vehicles. In one, the social media platform serves as a type of Trojan horse, with malware or computer viruses delivered through interactions on the platform. In the other vehicle are social engineering schemes, where hackers can use social media to glean important details about business operations and leaders.

McGuire said there’s been an uptick in malware being used to install cryptomining software, which causes a company to unknowingly host malware that’s creating, or mining, bitcoin cryptocurrency with the host’s computing networks. Look for dramatic slowdowns in network ability, or surges in electricity bills, to indicate cryptomining is an issue, he said.

In other situations, hackers on the dark web use titbits of personal information to build profiles about individuals and attempt to infiltrate their networks or email servers. That’s why seemingly harmless quizzes on social media that ask what street you grew up on and a favourite pet’s name may actually be attempts to pick up information to answer common security questions.

Feeling as if it’s inevitable you or your company will be had? No defence is impenetrable, but strong polices can go a long way in ensuring companies have steeled themselves against the continuous onslaught of cyberthreats.

Here’s some advice from McGuire and others on how to shore up corporate policies:

Special caution for finance executives. People who are close to items of value — like a company’s purchasing system or consumer data — are increasingly being targeted by hackers.

Corporations should be identifying who those individuals are, from the CFO down to administrators on the finance team, and giving them special training on how to protect themselves and the company from infiltration through social media platforms, said Winston Hayden, who consults on risk governance and technology issues and is the former president of ISACA (Information Systems Audit and Control Association) in South Africa.

“Their key targets are usually executives; it’s a lot more effective if you can start to defraud the CEO or the CFO,” Hayden said. But anyone in the finance department is likely at risk, as infiltration of that person’s computer means the hackers “could start effectively making payments fraudulently”.

Some companies have policies that restrict how much its finance executives share on social media, with some going so far as forbidding finance executives from identifying their positions and employers.

Know what the reality is. Before drawing up policies, it’s important to know what the current practices and weak spots are in your company, according to Stefan Heissner, Ph.D., managing partner of EY Forensic and Integrity Services in Germany, Switzerland, and Austria.   

Clients rarely come to Heissner and his team at EY just looking for advice on how to develop sound policies for social media use. Instead, they come seeking help in strengthening their cybersecurity response overall. EY will then look at the company’s information sharing, IT systems, and networks and help develop policies and guidelines that include social media interactions.

“Our approach is to look at how policies work in practice, so we can build them around various daily situations where employees handle sensitive corporate information,” he wrote in an email. “Importantly, we focus on the behavioural side of social media use, as well as assessing data and systems.”

“Put yourself into the shoes of an attacker: What information would you find useful to achieve your goal?”

Beware of TMI. Make sure you have policies in place that address oversharing, or TMI (too much information), on social media. What seem to be innocuous comments about upcoming vacations or detailed information about proprietary work activities can be dangerous, Heissner said. Astute hackers are looking to compile personal information to figure out a way to impersonate key corporate officials or use the data in other ways to leverage that information for their own good.

Private and unique information with dates, times, places, and activities shared online will draw interest from hackers, said Heissner, so you, and your staff, should not share that information online.

Avoid blanket bans. If you’re afraid of the dangers that lurk online in social media, banning the use of these networks may at first seem a good idea, McGuire said.

But it’s an impractical one, given how interwoven these networks are with people’s everyday lives, he said. Also, your employees aren’t going to enjoy being told they can’t do something.

“You’ve got to develop policies, that they don’t just ban employees,” McGuire said. “If they do that, the risk is they expose themselves more” by continuing to use the various social media networks. “They create a black hole of ignorance.”

Don’t stop at policies. Policies are no good if they’re not followed, said Hayden.

There needs to be an emphasis on training staff in understanding why the business is implementing policies such as the ones discussed in this article.

“You can’t just have the policy; it just sits on a desk somewhere,” he said. “It needs to be emphasised throughout the company.”

To do that, he suggested companies make a game or competition out of understanding and practising proper cybersecurity safety procedures, such as friendly in-house competitions for phishing simulations, where a company can mimic the methods used by cyberthieves to emphasise smart online behaviour.  

“People get very bored of the usual awareness programmes,” he said. “If you make a little challenge out of it, the message gets out.”

— Sarah Ovaska is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Drew Adamek, an FM magazine senior editor, at