Understanding Social Media Security Risks
There are two beginner-level courses in this social media security module (the other being 'Social media security best practices'). The beginner modules can be completed in any order. Visit the main Social media security training Pillar page to view the entire module.
This module explains how the importance of social media to business also creates serious security exposure, then describes five of the most common social media security threats and their potential consequences.
Why is social media important for business?
Social media has become a critical component of modern business communications. In fact, the level of a company’s social media presence and engagement can make a significant impact on audience reach and interaction.
There were an estimated 4.59 billion social media users worldwide in 2022, more than half of the global population. This number is only set to increase, passing 5 billion in 2024 and reaching close to 6 billion (5.85 billion) by 2027.
An effective social media presence helps to build valuable relationships and increase brand awareness. Delivering high-quality content consistently will also contribute towards increased traffic, generating leads, and communicating brand messages. In addition, increased interaction with customers through social platforms can be used to promote new products and engage with your audience.
Can social media pose a security threat?
As with any online platform, social media can present security risks for businesses to consider. For example, the collection of information from business and staff accounts could be used for a social engineering attack, or spoof accounts could impersonate a legitimate business to manipulate customer trust for phishing.
Information gathered from social media channels can help attackers gain access to business accounts, resulting in a data breach or ransomware attack. For this reason, social media cybersecurity best practices should include securing the social media accounts of both the business and its staff.
Quite often, information is shared too readily on social media, which means a hack does not need to take place for cybercriminals to obtain sensitive information. Scraping is the automated collection of data that is already publicly visible on a platform, typically at a scale the platform's terms do not permit. In spring 2021, the information of over 1 billion social media users was leaked online, but the companies involved (Facebook, LinkedIn, and Clubhouse) had not suffered a data breach: the information was already freely available and had simply been scraped.
Building awareness of cybersecurity threats of all types is therefore vital to protecting business social media from data breaches. Even so, one study found that 60% of small business owners believed they were too small to become the victim of a cyberattack.
Five major social media security threats
Below are some of the top social media security risks for business:
- Malware
- Social engineering/Phishing
- Human error
- Unmonitored accounts
- Fake pages
1. Malware
With social media so prevalent, it is not surprising that it is increasingly used to infiltrate businesses with malware. Most people know that the commonest route to infection is opening an attachment or clicking a link in a malicious email, but it is less often considered how easy it is to click an unsafe link on a social media platform, potentially giving an attacker access to devices and accounts on your business network.
In 2022, Avast researchers discovered that a password stealer called Redline Stealer was being spread through hacked Facebook business pages in Brazil, Slovakia, and the Philippines. Posts on the page of the Brazilian ISP Viu Internet, which had 15,000 Facebook followers, offered free downloads of tools, apps, wallpaper, and games; anyone who clicked to download was infected with Redline Stealer instead. A hijacked page of this kind is fairly easy to recognise, but it demonstrates why businesses should closely monitor all of their social media accounts to protect their reputation and the safety of their visitors and followers.
Social media might be a relatively new platform, but it should be treated with as much consideration as email. It also needs cybersecurity protection and for best practices to be established in order to help prevent an attack.
2. Social engineering/Phishing
Phishing and social engineering are two types of fraud that aim to trick victims into providing private information, typically personal details or login credentials for an account. The attacker can then sell this information or use it to access a network, where they can launch malware that causes data loss or encrypts data for a ransomware attack.
Phishing is one of the most common types of internet scam. Using emails, text, or social media, a communication will be sent by the attacker, hoping to convince the victim to interact – either by clicking a link, downloading an attachment, or providing details.
Other types of phishing include:
- Creating spoofed websites or social media accounts to trick people into attempting to log in
- Smishing, which is SMS-based. Victims receive a text message asking them to click a link
- Social media phishing, which creates fake accounts and profiles to trick people into engaging with what appears to be a legitimate company
Unlike broad phishing campaigns, spearphishing attacks are highly targeted and usually aim at a specific individual. Sites like LinkedIn, where individuals publish their work history and a detailed picture of their personal and business connections, are a common source of material: this information helps an attacker build a convincing pretext, making a spoofed message appear legitimate.
Attacks like these, which manipulate the user into sharing private information, fall under the banner of "social engineering". They rely on human error to be effective, which highlights the need for businesses to build social media security awareness and train their workforce to identify and flag suspicious correspondence.
3. Human error
Human error is one of the most common causes of a data breach. The same rings true for social media, where employees can mistakenly share sensitive information, giving attackers an opportunity to gain clues that could be used for guessing passwords and usernames.
Human error can occur for many reasons. For instance, the sheer number of accounts used in a modern workplace, each requiring unique passwords, can be frustrating. Without access to solutions like a password manager, employees may choose to reuse passwords or make them easier to remember, creating a social network security weak point. This type of lapse often occurs when the importance of cybersecurity best practices has not been reinforced, resulting in ignorance or complacency.
Another type of human error can come from a lack of certainty about how to identify or deal with potential threats. This could result in the misdelivery of information and would be considered a decision-based error. Decision-based errors can be resolved through improved awareness training to help individuals become more confident in identifying and avoiding suspicious communications.
4. Unmonitored accounts
It is important for companies to claim their brand's handle and its common variations on every social platform, even where they do not intend to post. Inactive accounts still need regular monitoring to ensure they have not been taken over.
If an account is no longer used, it could take some time to notice if hackers have breached it. During that time, they can do some serious damage, like publishing content posing as your brand, which could impact your reputation or even trick people into downloading malware.
Every organization should have a designated person responsible for monitoring all social media accounts and deleting those that are no longer in use, since most platforms will not automatically delete inactive or deactivated accounts.
5. Fake pages
As with hijacking unused profiles, cybercriminals may create fake accounts and pages that impersonate a business. There they can persuade users to share personal and financial information, for example by pretending to run a mailing list sign-up or a competition.
Some social media platforms provide a ‘blue check’ or other indicator to demonstrate which accounts are authentic, but these can be difficult to acquire for individuals and smaller companies. As a result, users could easily be fooled by a fake account when scrolling through their newsfeed.
This could have a very negative impact on brand reputation – either attributing suspicious activity to the brand or creating a lack of trust around your social media output. Regularly checking for copycat accounts and reporting them to the platform can help mitigate this.
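One practical way to do the regular check for copycat accounts described above is to compare every handle that turns up in mentions, searches or customer reports against the brand's official handles, after folding away the tricks impersonators rely on: swapped separators, digit-for-letter substitutions, bolted-on words such as "official" or "support", and single-character typos. The Python below is an added example and not code from the original page; the brand ExampleCorp, its official handles and the list of observed handles are constructed for the demonstration.

```python
"""Flag observed social media handles that look like copies of a brand's
official handles.  Added example for this page, not the page's own code; the
brand (ExampleCorp), its official handles and the observed handles below are
constructed for the demonstration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed official handles for the hypothetical brand, in priority order.
OFFICIAL_HANDLES = ["examplecorp", "examplecorp_help"]

# Words impersonators bolt onto a brand name to pass as an official sub-account.
IMPERSONATION_WORDS = ("official", "support", "help", "team", "giveaway",
                       "promo", "verify", "winners")

# Character swaps that read the same at a glance.  Multi-character entries come
# first so "rn" becomes "m" before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("4", "a"), ("5", "s"), ("7", "t"), ("8", "b"), ("|", "l")]


@dataclass
class Finding:
    handle: str    # the suspicious observed handle
    official: str  # the official handle it resembles
    reason: str


def normalize(handle: str) -> str:
    """Fold a handle so that look-alikes compare equal."""
    h = handle.lstrip("@").lower()
    h = re.sub(r"[._\-]", "", h)          # separators are free for attackers to vary
    for lookalike, plain in CONFUSABLES:
        h = h.replace(lookalike, plain)
    return h


def strip_impersonation_word(norm: str) -> str:
    """Remove a leading or trailing bolt-on word such as 'official'."""
    for word in IMPERSONATION_WORDS:
        if len(norm) > len(word):
            if norm.endswith(word):
                return norm[:-len(word)]
            if norm.startswith(word):
                return norm[len(word):]
    return norm


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_handle(handle: str, official: List[str] = OFFICIAL_HANDLES) -> Optional[Finding]:
    """Return a Finding if `handle` impersonates one of `official`, else None."""
    if handle.lstrip("@").lower() in official:
        return None                                    # genuinely ours
    norm = normalize(handle)
    core = strip_impersonation_word(norm)
    for off in official:                               # 1) separator/confusable twin
        if norm == normalize(off):
            return Finding(handle, off, "separator or confusable variant")
    for off in official:                               # 2) brand name + bolt-on word
        if core == normalize(off):
            return Finding(handle, off, "official handle plus impersonation word")
    for off in official:                               # 3) typo: ~1 edit per 7 characters
        target = normalize(off)
        dist = levenshtein(norm, target)
        if dist <= max(1, len(target) // 7):
            return Finding(handle, off, f"edit distance {dist}")
    return None


def scan(handles: List[str]) -> List[Finding]:
    """Run check_handle over a list of observed handles, dropping the clean ones."""
    return [f for f in (check_handle(h) for h in handles) if f is not None]


# Constructed sample of handles seen in mentions and search results.
OBSERVED = ["@examplecorp", "@examplecorp_help", "@examp1ecorp", "@example.corp",
            "@examplecorp_official", "@exampIecorp", "@ExampleCorp-Giveaway",
            "@exampletech", "@corp_help_desk"]

if __name__ == "__main__":
    for f in scan(OBSERVED):
        print(f"{f.handle:24} looks like @{f.official}: {f.reason}")
```

Anything the scan flags is a candidate for a takedown report to the platform, not proof of impersonation on its own; the edit-distance threshold in particular is deliberately loose for short brand names and should be tuned against real mention data before alerting on it.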
Social media security consequences
We have looked at the types of social media security risk a business can face. What are the potential consequences, not only of the attack itself but of failing to stop the resulting breach from spreading across the network because of weak cybersecurity and endpoint protection?
Loss of reputation
While it is not possible to be 100% secure, businesses are expected to develop security processes to minimize the risk of a data breach. Failure to do so, or downplaying a breach rather than being transparent, could result in a significant loss of trust that could take a very long time to repair.
While a cyberattack originating from a social media breach at a large company could be more high profile than one on a small business, enterprise businesses are more likely to have the resources to recover. SMBs might not be so lucky, and the damage to customer perception makes it difficult to retain existing clients and attract new ones in order to make up the shortfall.
According to the CNBC Small Business Survey for Q4 2022, just 37% of small business owners are concerned about their business becoming the victim of a cyberattack in the next 12 months, despite the FBI’s cyber division reporting a 64% annual increase in potential losses from reported cyberattacks and malicious cyber activity and hackers increasingly targeting small and medium-sized businesses.
A hit to your reputation is almost inevitable if a breach occurs, but providing transparency and clearly demonstrating that there is a recovery plan in place will help confidence recover more quickly. Most customers know that data breaches are common – it is how they are managed that will determine how much trust is lost.
Hacked accounts
Social media might feel like a relaxed forum, but hackers will not hesitate to use these platforms to gather information for phishing, impersonate brands, or distribute malware. Poor security could result in social media accounts being hacked, creating a major security threat.
Preventing accounts from being attacked can be done with strong passwords and careful monitoring, but failure to take the necessary steps could have a very damaging effect on your business’ future. Social media is a crucial element to modern marketing and promotion, and being unable to use it, even temporarily, is likely to have a negative impact on brand reputation and customer service.
Taking the following steps can help prevent a social media hack:
- Review access permissions and account holder information
- Limit app access so that a breach of any app or tool connected to the social media account is less likely to give attackers access to the account itself.
- Enable 2FA/MFA and ensure that passwords are suitably strong and unique
- Run effective business antivirus and security software across the network to help prevent malware from being installed.
Find out more in this blog post: Defend your social media against hackers with these 5 easy tips.
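The controls in the list above, together with the monitoring of inactive accounts discussed under "Unmonitored accounts", can be turned into a repeatable audit over an inventory of the company's social accounts. The Python below is an added example, not code from the original page or the linked blog post; the inventory records, the 90-day thresholds, the cap of three admins and the `credential_id` field (a reference to a password-manager entry, used here to detect the same password being reused across accounts) are all assumptions made for the demonstration.

```python
"""Audit an inventory of company social media accounts against the controls
listed on this page: a named owner, MFA, unique credentials, least-privilege
access for connected apps, and no unmonitored (inactive) accounts.
Added example, not the page's own code.  The records, thresholds and the
credential_id field (a password-manager entry reference, assumed here to
detect password reuse) are constructed for the demonstration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVE_AFTER = timedelta(days=90)    # assumed: no activity for 90 days = unmonitored risk
APP_REVIEW_EVERY = timedelta(days=90)  # assumed: re-review posting apps quarterly
MAX_ADMINS = 3                         # assumed: cap on users with full control


@dataclass
class ConnectedApp:
    name: str
    can_post: bool       # app holds permission to publish as the brand
    last_reviewed: date


@dataclass
class SocialAccount:
    platform: str
    handle: str
    owner: Optional[str]     # person responsible for monitoring the account
    mfa_enabled: bool
    credential_id: str       # password-manager entry; two accounts sharing one = reused password
    admins: List[str]
    last_activity: date
    apps: List[ConnectedApp] = field(default_factory=list)


Finding = Tuple[str, str]  # (platform:handle, problem)


def audit(accounts: List[SocialAccount], today: date) -> List[Finding]:
    """Apply each control to every account and return the failures."""
    findings: List[Finding] = []
    seen_credentials: Dict[str, str] = {}  # credential_id -> first account using it
    for acct in accounts:
        tag = f"{acct.platform}:{acct.handle}"
        if not acct.owner:
            findings.append((tag, "no designated owner to monitor the account"))
        if not acct.mfa_enabled:
            findings.append((tag, "2FA/MFA not enabled"))
        if acct.credential_id in seen_credentials:
            findings.append((tag, f"password reused from {seen_credentials[acct.credential_id]}"))
        else:
            seen_credentials[acct.credential_id] = tag
        if len(acct.admins) > MAX_ADMINS:
            findings.append((tag, f"{len(acct.admins)} admins exceeds the limit of {MAX_ADMINS}"))
        if today - acct.last_activity > INACTIVE_AFTER:
            findings.append((tag, "inactive: delete it or assign active monitoring"))
        for app in acct.apps:
            if app.can_post and today - app.last_reviewed > APP_REVIEW_EVERY:
                findings.append((tag, f"connected app '{app.name}' can post and is overdue for review"))
    return findings


TODAY = date(2023, 1, 31)  # fixed so the sample output is reproducible


def sample_inventory(today: date = TODAY) -> List[SocialAccount]:
    """Constructed inventory: one clean account and two with problems."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    return [
        SocialAccount("twitter", "@examplecorp", "marketing-lead", True, "pm-101",
                      ["alice", "bob"], days_ago(3),
                      [ConnectedApp("scheduler", True, days_ago(30))]),
        SocialAccount("facebook", "@examplecorp", "marketing-lead", False, "pm-101",
                      ["alice", "bob", "carol", "dave", "erin"], days_ago(10),
                      [ConnectedApp("analytics", False, days_ago(400)),
                       ConnectedApp("scheduler", True, days_ago(200))]),
        SocialAccount("instagram", "@examplecorp_uk", None, True, "pm-102",
                      ["frank"], days_ago(200)),
    ]


if __name__ == "__main__":
    for tag, problem in audit(sample_inventory(), TODAY):
        print(f"{tag:28} {problem}")
```

The read-only analytics app on the Facebook account is deliberately left alone even though its review is long overdue: an app that cannot post as the brand is a much smaller exposure than one that can, which is the point of limiting app permissions rather than just counting apps.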
Data breach
If employees are tricked by a social engineering attempt against your business' social media account(s), they could inadvertently provide enough information for a hacker to gain access to the accounts they control, both business and personal. This can give a cybercriminal access to sensitive documents and data, resulting in a damaging data breach.
A data breach could also be the result of a malware attack. Not all malware is loud and disruptive, however: a Trojan, for example, may leave only slight hints of its presence while it quietly monitors activity and collects data.
Depending on the accounts targeted, financial information and private client data could be stolen from the network or encrypted for use in a ransomware attack.
Regulatory fines
Data protection laws vary across industries and from country to country, and even between regions within a country, so close attention must be paid to ensure compliance.
One of the most prominent data protection regulations is GDPR. It is enacted in EU member states but applies to any organization that processes the personal data of people in the EU, regardless of where the organization is located. Compliance must be demonstrable, and failure to comply can be expensive: fines can reach €20 million or 4% of a business's global annual turnover, whichever is higher.
For ordinary use of social media, GDPR compliance is generally addressed by the terms and conditions of the respective platform. However, once user data is extracted and stored elsewhere, through cookies, tracking pixels, ads and the like, your organization is responsible for storing and processing it correctly. Should a data breach compromise those records, you would be at risk of significant fines.