If you ask cybersecurity execs where the biggest risk to their companies lies, 41.33% will tell you it's marketing tech. At least, that's what research provider Pollfish contends in its October 2020 report of 600 American professionals. Not just any martech, though: 25.67% are specifically worried about executives' personal social media accounts.

The concern is for good reason. Those in the industry three years ago may remember a picture from Twitter of a Hawaii Emergency Management Agency employee standing by his computer with system passwords on Post-it notes behind him. The photo was taken by the Associated Press, then shared online. Whether it led to the January 13, 2018, alert that incorrectly warned Hawaiians a ballistic missile attack was coming, who knows. It doesn't take a social media expert to know the photo was a bad idea.

Be it pictures or posts or anything else people share, Harman Singh, founder of risk assessment startup Cyphere, calls social media "low hanging fruit" for hackers, a great "test of [a] company's security awareness and policies." If a company is sloppy with best practices in one way, it might be vulnerable in others.

Enterprise social media is typically run by marketing, a department that can sometimes have more clout than security, with its own seat in the C-suite. Marketing and security don't always connect or necessarily even get along. Singh points out that a "difference in vision" affects the way the two approach their jobs: marketing wants as much information about the company out there as possible; security holds it back. "Marketing department[s] often find it hard to talk to techies in their language and vice-versa," Singh says.

How threat actors exploit social media

It's not so much that hackers want the company's Twitter or Facebook credentials; it's everything they lead to. If marketing reuses similar passwords across accounts, a successful Twitter compromise is a possible entry point to the company website. From there, an attacker can move on to Adobe Experience Manager, the website's translations, customer mailing lists, or anything else someone could steal or use to damage the company's reputation.

If that's not enough to scare any marketing department into cooperation, there's even more data nefarious actors can garner from posted information. "Pictures uploaded over Twitter, Instagram, and other social media channels often give away ... geolocation information, device model, [and] software and related information," says Singh.

Take your everyday conference tweet, for example (well, before COVID, that is): marketing sets up a booth and takes pictures of sales chatting with clients. "We love helping customers optimize real-time widget potential," they tweet, "#WidgetConLive," then, below the picture, a line: "Las Vegas Convention Center / Tagged into this photo" with top executive names. Voilà! Thanks to this tweet, hackers know which employees are traveling where. They click on the tag to link to those individuals' personal accounts, where they then glean even more company information: "Waiting for my plane at LAS," "On layover at SLC," "Great meeting Bob at WidgetCustomer.com!"

Once hackers are monitoring personal and corporate accounts, they soon have access to an executive's larger travel schedule, which Singh says can be analyzed to tell where "company locations or clients exist.... This information can then be fed to social engineering attack vectors—for example, impersonating a senior director who is travelling and then calling [the] IT support team to reset [your] password due to important tasks being stuck when you are at an airport." Because of Twitter, they know exactly which airport to name.

That's why Singh says, "Marketing and communications teams should work in tandem with cybersecurity," whether the departments naturally understand one another or not.

4 tips for effectively partnering with marketing

Amir Tarighat, CEO of threat detection provider Achilleion, agrees, noting the security/marketing barrier is overcome by mutual respect: "Social media security needs to be approached as a process and partnership with the marketers. Security professionals should respect the creative nature of marketers' work," which is often done at odd hours from odd places. While heavier authorization might fend off those I'm-on-layover attacks, Tarighat says it's also important to "understand [marketers] might need to use a BYOD [bring your own device] smartphone to send a tweet at 9 p.m."

"Because of the nature of social media, the infosec team has no control over any social media ... technology and policies beyond configuring privacy settings," says Tarighat, explaining that since social media platforms are "beyond password control and device security, the rest of the infosec toolkit doesn't help here." Partnership is security's only way not to be powerless.

Tarighat and Singh offer these four tips for partnering with marketing.

Develop simple guidelines. Marketing is charged with protecting the company brand. They don't want to clean up reputational damage, intellectual property exposure, or similar liabilities any more than security does. While they may not know what personally identifiable information (PII) is right away, once it is explained, they're not going to want their home addresses in the wrong hands either. Approach social media security as something that helps marketers protect themselves and do their jobs.

Avoid coming down too hard. While Singh suggests setting up "social media account safety and regular inspections," this relationship comes with its own power balance. Marketing typically has a seat in the C-suite, whereas security may not, and the best policies in the world don't mean anything if marketers don't follow them.

"Marketing departments might be wary to give into infosec collaboration on social media if it becomes invasive or gets in the way of their creativity. Infosec teams have to treat marketers differently because they have more discretion on how they do their creative work than other departments with traditional workstations. Things like letting marketers choose their own MFA [multi-factor authentication] method is a great way to share that oversight," says Tarighat.

Address BYOD concerns. Tarighat also recommends letting marketers use their own devices, something Singh staunchly disapproves of, saying security should "ensure that company staff do not use company accounts on their mobile devices if not allowed by security teams," and claiming that BYOD "could lead to staff being targeted...and in some cases, shared passwords could lead to staff accounts being hacked."

Push this guidance too hard, though, and the partnership may break. Tarighat says, "The most important aspect of social media infosec is BYOD devices. BYOD is already very popular, even more so for marketing departments," something that was true even before marketers started working from home due to the pandemic. "Negotiating BYOD security isn't easy because employees are hesitant to hand over full MDM [mobile device management] control to their employers. Alternatively, issuing company devices doesn't help much as it can be costly and less efficient for employees," he adds.

In other words, companies may be stuck with all those personal devices whether security likes it or not.

Try meeting in the middle. Ask marketers with Android phones to use an enterprise work profile. Work profiles were originally built into Android 5.0, and Google updated the feature again in Android 11 last September. Tarighat says, "It allows for the creation of a complete, separate user that can be managed by a traditional MDM while keeping the personal profile totally separate."

Tarighat also says security and marketing can create "a procedure to check devices and applications logged into the social media platform." For example, when Twitter sends a new login alert, where does it go? If security can convince marketing to make them the recipient, you'll know about breaches sooner and they'll have less to do. "Security professionals should regularly check platforms for logins from unknown devices or places. Seeing unapproved devices or apps is either a sign of an attack or more likely that your infosec collaboration isn't going well," he adds.
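One way to run the login review Tarighat describes, as an added example that is not code from the article, Cyphere or Achilleion: a small Python script that compares new-login alerts (constructed sample records in a hypothetical format, not any platform's real schema) against the device, app and location inventory agreed with marketing and flags anything outside it.

```python
from dataclasses import dataclass

# Constructed sample of "new login" alert records for a shared marketing account.
# The field names are a hypothetical format, not any platform's real alert schema.
SAMPLE_ALERTS = [
    {"device": "iPhone 12", "app": "Twitter for iPhone",
     "location": "Denver, US", "time": "2021-02-01T14:02:00Z"},
    {"device": "Pixel 4 (work profile)", "app": "Hootsuite",
     "location": "Denver, US", "time": "2021-02-01T21:10:00Z"},
    {"device": "Windows PC", "app": "Twitter Web App",
     "location": "Frankfurt, DE", "time": "2021-02-02T03:44:00Z"},
    {"device": "iPhone 12", "app": "UnknownScheduler",
     "location": "Denver, US", "time": "2021-02-02T09:00:00Z"},
]

# Inventory agreed between security and marketing (constructed values):
# the BYOD/work-profile devices, the posting tools, and the places staff post from.
APPROVED_DEVICES = {"iPhone 12", "Pixel 4 (work profile)"}
APPROVED_APPS = {"Twitter for iPhone", "Hootsuite", "Twitter Web App"}
APPROVED_LOCATIONS = {"Denver, US", "Las Vegas, US"}


@dataclass(frozen=True)
class Finding:
    time: str
    reasons: tuple  # every inventory check the alert failed


def review_alerts(alerts, devices=APPROVED_DEVICES, apps=APPROVED_APPS,
                  locations=APPROVED_LOCATIONS):
    """Return one Finding per alert that falls outside the approved inventory.

    An alert can fail several checks at once (e.g. unknown device AND unexpected
    place), so all reasons are kept: that distinction is what tells security
    whether it is looking at an attack or at a marketer on an unregistered phone.
    """
    findings = []
    for alert in alerts:
        reasons = []
        if alert["device"] not in devices:
            reasons.append(f"unapproved device: {alert['device']}")
        if alert["app"] not in apps:
            reasons.append(f"unapproved app: {alert['app']}")
        if alert["location"] not in locations:
            reasons.append(f"unexpected location: {alert['location']}")
        if reasons:
            findings.append(Finding(alert["time"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in review_alerts(SAMPLE_ALERTS):
        print(finding.time, "->", "; ".join(finding.reasons))
```

A finding with only an unapproved app or device usually means a marketer's tool or phone was never added to the inventory; one that also comes from an unexpected place is the case to treat as a possible compromise first.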