Employee social media use can threaten cyber security

Cyber crime prevention tips for businesses will often focus on having the right IT security software and processes in place, but what about the risk posed by employees?

Almost half of UK firms were hit by a cyber breach or attack in the year up to April 2017, and the proportion was higher for bigger companies.

While malicious hackers operating from remote locations are a real threat, it’s often said that the biggest risk to a firm’s security comes from the employees themselves. A simple error or lack of judgement by an employee can put systems and data at risk.

There are many ways that an employee or employees can compromise a company’s security, from sending confidential information to the wrong email address to letting slip a password to sensitive documents.

Businesses can take steps to ensure systems are secure, but what happens outside of office hours, when employees are using their own social media accounts, can be a problem.

Risks posed by employees’ social media use

  • An employee listing their work email address on social networking sites such as LinkedIn could leave them open to spear phishing attacks
  • Employees reusing work passwords on social media accounts: if their social media account is hacked, the criminal could try the passwords against other accounts they hold – including work accounts
  • Posting about sensitive projects or accounts that an employee is working on could leave the business open to social engineering attacks in which fraudsters trick people into breaking normal security procedures
  • Posting pictures or videos which inadvertently disclose sensitive information such as passwords or customer information – passwords written on notes stuck to the bottom of computer monitors are one example
  • A work telephone number listed on social media sites could leave the person open to social engineering attacks
  • Rogue friend requests: criminals create fake profiles and add people at random in order to harvest information to carry out attacks or for identity theft purposes
  • A picture of an employee wearing an ID badge shows that they work for a particular business and leaves them open to targeted attacks. A skilled criminal may even be able to make a fake ID badge that would give them access to sites

Aside from these IT threats, social media use also has the potential to be damaging from a reputational point of view. If an employee criticises their employer or brings any part of the business into disrepute through an ill-informed or ill-judged comment, the nature of social media means that comment can be amplified, causing untold damage.

Social media is widely used, and monitoring each individual employee’s use at all times isn’t practical and would be seen as intrusive. However, there are some practical ways in which a company can protect itself.

Protect yourself with a social media policy

A social media policy should feature in all employees’ contracts of employment and give clear guidance about what is and isn’t acceptable when it comes to using social media both during and outside of work.

Typically, a social media policy may:

  • Remind employees not to send sensitive information held by or about the company
  • Prevent the use of a company’s logo or other branding
  • Describe expectations surrounding appropriate behaviour and any company or industry-specific rules
  • Outline guidelines for overall conduct, like “act respectfully”
  • Explain the need for confidentiality around commercially sensitive information, such as a new product release
  • Give guidance about how employees should react (or not react) if they see negative content regarding your business
  • Offer online etiquette guidelines such as how to respond to complaints respectfully