Threat actors watch social media accounts to gather intelligence about a targeted company. Here's how to get marketing to work with security to minimize the risk.

If you ask cybersecurity execs where the biggest risk to their companies lies, 41.33% will tell you it’s marketing tech. At least, that’s what research provider Pollfish contends in its October 2020 report of 600 American professionals. Not just any martech, though: 25.67% are specifically worried about executives’ personal social media accounts.

The concern is for good reason. Those in the industry three years ago may remember a picture from Twitter of a Hawaii Emergency Management Agency employee standing by his computer with system passwords on Post-it notes behind him. The photo was taken by the Associated Press, then shared online. Whether it led to a January 13, 2018, alert that incorrectly warned Hawaiians a ballistic missile attack was coming, who knows. It doesn’t take a social media expert to know the photo was a bad idea.

Be it pictures or posts or anything else people share, Harman Singh, founder of risk assessment startup Cyphere, calls social media “low hanging fruit” for hackers—a great “test of [a] company’s security awareness and policies.” If a company is sloppy with best practices in one way, it might be vulnerable in others.

Enterprise social media is typically run by marketing, a department that can sometimes have more clout than security, with its own seat in the c-suite. Marketing and security don’t always connect or necessarily even get along. Singh points out that a “difference in vision” affects the way the two approach their jobs: Marketing wants as much information about the company out there as possible; security holds it back. “Marketing department[s] often find it hard to talk to techies in their language and vice-versa,” Singh says.

How threat actors exploit social media

It’s not so much that hackers want the company’s Twitter or Facebook credentials; it’s everything they lead to. If marketing uses similar passwords across accounts, successfully hacking Twitter is a possible entry to the company website. Hack from there to Adobe Experience Manager, the website’s translations, customer mailing lists, or anything else someone could steal or use to damage reputation.

If that’s not enough to scare any marketing department into cooperation, there’s even more data nefarious actors can garner from posted information. “Pictures uploaded over Twitter, Instagram, and other social media channels often give away … geolocation information, device model, [and] software and related information,” says Singh.

Take your everyday conference tweet, for example (well, before COVID, that is): Marketing sets up a booth and takes pictures of sales chatting with clients. “We love helping customers optimize real-time widget potential,” they Tweet, “#WidgetConLive,” then, below the picture, a line: “Las Vegas Convention Center / Tagged into this photo” with top executive names. Voila! Thanks to this tweet, hackers know which employees are traveling where. They click on the tag to link to those individuals’ personal accounts, where they then glean even more company information: “Waiting for my plane at LAS,” “On layover at SLC,” “Great meeting Bob at WidgetCustomer.com!”

Once hackers are monitoring personal and corporate accounts, they soon have access to an executive’s larger travel schedule, which Singh says can be analyzed to tell where “company locations or clients exist…. This information can then be fed to social engineering attack vectors—for example, impersonating a senior director who is travelling and then calling [the] IT support team to reset [your] password due to important tasks being stuck when you are at an airport.” Because of Twitter, they know exactly which airport to name.

That’s why Singh says, “Marketing and communications teams should work in tandem with cybersecurity,” whether the departments naturally understand one another or not.

4 tips for effectively partnering with marketing

Amir Tarighat, CEO of threat detection provider Achilleion, agrees, noting the security/marketing barrier is overcome by mutual respect: “Social media security needs to be approached as a process and partnership with the marketers. Security professionals should respect the creative nature of marketers’ work,” which is often done at odd hours from odd places. While heavier authorization might fend off those I’m-on-layover attacks, Tarighat says it’s also important to “understand [marketers] might need to use a BYOD [bring your own device] smartphone to send a tweet at 9 p.m.”

“Because of the nature of social media, the infosec team has no control over any social media … technology and policies beyond configuring privacy settings,” says Tarighat, explaining that since social media platforms are “beyond password control and device security, the rest of the infosec toolkit doesn’t help here.” Partnership is security’s only way not to be powerless.

Tarighat and Singh offer these four tips for partnering with marketing.

1. Develop simple guidelines. Marketing is charged with protecting the company brand. They don’t want to clean up reputational damage, intellectual property exposure, or similar liabilities any more than security does. While they may not know what personally identifiable information (PII) is right away, once it is explained, they’re not going to want their home addresses in the wrong hands either. Approach social media security as something that helps marketers protect themselves and do their jobs.

2. Avoid coming down too hard. While Singh suggests setting up “social media account safety and regular inspections,” this relationship comes with its own power balance. Marketing typically has a seat in the c-suite, whereas security may not, and the best policies in the world don’t mean anything if marketers don’t follow them. “Marketing departments might be wary to give into infosec collaboration on social media if it becomes invasive or gets in the way of their creativity. Infosec teams have to treat marketers differently because they have more discretion on how they do their creative work than other departments with traditional workstations. Things like letting marketers choose their own MFA [multi-factor authentication] method is a great way to share that oversight,” says Tarighat.

3. Address BYOD concerns. Tarighat also recommends letting marketers use their own devices, something Singh staunchly disapproves of, saying security should “ensure that company staff do not use company accounts on their mobile devices if not allowed by security teams,” claiming that BYOD “could lead to staff being targeted…and in some cases, shared passwords could lead to staff accounts being hacked.” Push this guidance too hard, though, and the partnership may break. Tarighat says, “The most important aspect of social media infosec is BYOD devices. BYOD is already very popular, even more so for marketing departments”—something that was true even before marketers started working from home due to the pandemic. “Negotiating BYOD security isn’t easy because employees are hesitant to hand over full MDM [mobile device management] control to their employers. Alternatively, issuing company devices doesn’t help much as it can be costly and less efficient for employees,” he adds. In other words, companies may be stuck with all those personal devices whether security likes it or not.

4. Try meeting in the middle. Ask marketers with Android phones to use the Android enterprise work profile. The feature was originally built into Android 5.0, and Google updated it through Android 11 last September. Tarighat says, “It allows for the creation of a complete, separate user that can be managed by a traditional MDM while keeping the personal profile totally separate.” Tarighat also says security and marketing can create “a procedure to check devices and applications logged into the social media platform.” For example, when Twitter sends a new login alert, where does it go? If security can convince marketing to make them the recipient, you’ll know about breaches sooner and they’ll have less to do. “Security professionals should regularly check platforms for logins from unknown devices or places. Seeing unapproved devices or apps is either a sign of an attack or more likely that your infosec collaboration isn’t going well,” he adds.
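One of the “simple guidelines” above can be a pre-publication check for the photo metadata Singh describes (geolocation, device model, software). The following is an added example, not code from the article, Cyphere or Achilleion: it walks a JPEG’s marker segments, reports which leaking EXIF tags are present in IFD0, and strips the APP1 segment so nothing of the kind reaches the platform. The sample JPEG skeleton is constructed inline (EXIF block only, no image data); the tag names and layout follow the EXIF/TIFF specification.

```python
import struct

# EXIF IFD0 tags that leak device/software details, plus the GPS sub-IFD pointer
LEAK_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x8825: "GPSInfo"}

def jpeg_segments(data):
    """Yield (marker, start, end) for each marker segment before start-of-scan."""
    pos = 2  # skip the SOI marker FF D8
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop here
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_leaks(data):
    """Return the names of leaking tags found in the JPEG's EXIF APP1 segment."""
    found = []
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]                      # TIFF header + IFDs
        endian = ">" if tiff[:2] == b"MM" else "<"       # MM = big, II = little
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                           # 12-byte IFD entries
            tag = struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
            found += [LEAK_TAGS[tag]] if tag in LEAK_TAGS else []
    return found

def strip_app1(data):
    """Return a copy of the JPEG with every APP1 (EXIF/XMP) segment removed."""
    out, last = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if marker == 0xE1:
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)

def build_sample_jpeg():
    """Constructed sample (not a real photo): EXIF carrying Make and a GPS pointer."""
    ifd0 = struct.pack(">H", 2)                       # two IFD0 entries
    ifd0 += struct.pack(">HHII", 0x010F, 2, 5, 38)    # Make: ASCII "Acme\0" at 38
    ifd0 += struct.pack(">HHII", 0x8825, 4, 1, 43)    # GPSInfo: empty GPS IFD at 43
    ifd0 += struct.pack(">I", 0)                      # no IFD1 follows
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + b"Acme\x00" + struct.pack(">HI", 0, 0)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Dropping APP1 wholesale also removes XMP, which shares that segment and can carry location data as well.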