CISOs shouldn't wait until retirement for social security

A security industry expert says CISOs should be responsible for cyber defending the social media accounts belonging to employees at their organizations... and they should be doing it now.

[Image: rocking chair farmer. Credit: Library of Congress]

U.S. CISOs are eligible for Social Security at 62 years of age, same as all American citizens. One industry expert says employees of all ages at all U.S. organizations should be on the receiving end of social security -- from their CISOs -- now.

To be clear, we are talking about social media security -- namely security wrapped around LinkedIn, Twitter, and Facebook accounts.

Joseph Steinberg is a social media expert, and his credentials include CISSP, ISSAP, ISSMP, and CSSLP. He is a contributing columnist at Inc. Magazine covering cybersecurity, and author of (ISC)2's information-security management textbook, i.e., the official textbook for the CISSP-ISSMP (Information Systems Security Management Professional) CBK and exam. Steinberg is also founder and CEO at SecureMySocial, which protects against reputational harm and the leakage of confidential information by social media users.

Steinberg agreed to the following Q&A, which covers, among other topics, whether CISOs should be responsible for cyber defending the social media accounts belonging to employees at their organizations.

Which is the most popular social media target for hackers - Facebook, LinkedIn, or Twitter?

The various social media platforms are abused differently because they create different opportunities for criminals. LinkedIn contains a treasure trove of information vis-à-vis professional contacts; breaching a LinkedIn account – or, to a somewhat lesser extent, even “connecting” with the right person – can help criminals effectively spear phish. When it comes to oversharing of corporate information or posts that may harm from reputational, regulatory, or competitive viewpoints, Facebook and Twitter are the biggest culprits.

Ironically, one of the great strengths of social media – its facilitating the process of connecting with people and sharing information – is also its weakness from a security standpoint. Often, a criminal does not need to actually breach an account in order to abuse information in that account; by simply connecting with a person, the crook may be able to obtain both access to the target’s contacts as well as information that can be used to trick those contacts into taking inappropriate actions.

What are the hackers after when they breach a social media account?

Hackers breach accounts for a variety of reasons. If the account belongs to a public figure, for example, the hacker may be looking to embarrass the person who owns the account, to exploit the account to spread some message to a large number of followers, or to get attention or press coverage for his or her hacking accomplishment. Other hackers might be trying to manipulate stock prices or release other false information in a fashion that makes criminals’ money. Breaches of Facebook or LinkedIn accounts allow criminals access to peoples’ contact lists and private posts or communications between victims and their contacts – greatly increasing the ability of criminals to effectively spear phish the victims’ colleagues, “virtually kidnap” victims, obtain personal information that can be used for identity theft, or worse.


What are people doing - if anything - to protect their social media accounts now?

There are a couple of areas of social media security:

1. Securing the official business social media accounts themselves – these should be secured with multi-factor authentication, and as limited a number of people as possible should have access to these accounts. If possible, access to such accounts should be made strictly through mechanisms that provide auditing capabilities as to who is accessing what, who is making what posts, etc.

2. Securing against problematic posts – this is a much more challenging problem to address, as businesses do not have the right to monitor employees’ posts when made from personal accounts used from outside of the office, yet those are precisely the posts that cause businesses the biggest problems. I personally heavily invested both time and money in SecureMySocial to address this problem by creating technology that can warn people in real time if they are making posts that can harm themselves or their employer (or even auto delete the posts in real time) – without their employers having to monitor anything.

What are the top two things social media users should be doing (if they are not already)?

Technology, and user action.

1. Use multi-factor authentication to better secure the accounts. The multi-factor authentication provided by the social media platforms is certainly not perfect, but it is far better than relying on just a password. And, obviously, do not use weak passwords for social media accounts, and do not reuse your passwords to social media accounts anywhere else.

2. Think before posting – could the information that you are sharing be used against you? Could it lead to physical harm, professional harm, or harm to your personal relationships? Businesses should be deploying technology like SecureMySocial to warn people about inappropriate posts, but the absence of such technology may not work as an excuse if you act stupidly. In most cases, businesses do not have the right to monitor employee personal posts, but those posts can cause the business significant damage.

Should corporate IT, i.e., CIOs and CISOs, be responsible in any way for security around social media accounts (for individuals), or not?

Absolutely. There are multiple important reasons why corporate CISOs and CIOs must address security related to social media:

In recent years, many serious breaches have begun with hackers doing reconnaissance on social media and then using the information that they learned to craft effective social engineering campaigns – so addressing oversharing on social media isn’t simply a matter of preventing problematic posts, it’s a matter of taking action to prevent major breaches. As we have learned repetitively over the last few years, many CIOs and CISOs don’t dedicate enough attention to the human first steps in the “kill chain” of a cyberattack – and, eventually, they pay a hefty price.

Posts from individual accounts can cause significant problems for their employers, so CIOs and CISOs need to take action as they would against any other IT risk. Problematic posts can leak information and give competitors an edge up on future plans, may break laws, may lead to activist boycotts, etc. Firing people for making such posts – even in cases where employees flagrantly violated corporate social media policies – has led to terminated workers suing their employers, some claiming that they did not know when making the posts in question that those posts would get them fired.

Of course, personal social media usage resulting in data leaks, compliance problems, or damage to a brand is a relatively new area of information security that does not conform to past models – for example, data loss prevention classically referred to leaks from official equipment, social media compliance meant from within the office and official accounts, etc. – but if a business does not address emerging and growing risks it will ultimately pay the price.

An infographic from Cybersecurity Ventures (Disclaimer: Steve Morgan is founder and CEO of Cybersecurity Ventures) shows that every second, 12 people online become a victim of cybercrime, totaling more than 1 million victims around the world every day. Social media accounts belonging to employees are a rapidly expanding part of the cyber attack surface, and they need to be protected... with help from CISOs and their security teams.
