


Contributing Writer

Social media use can put companies at risk: Here are some ways to mitigate the danger

Dec 21, 2022 | 6 mins
Risk Management | Security Audits | Social Engineering

Using social media can expose company and employee data, and misuse could harm organizational reputation. Here are some tips that can help reduce the risk.

[Image: text bubbles bearing danger signs. Credit: Thinkstock]

We live in a social world, but should our businesses? For many, the answer to that is increasingly no—that’s why laws and regulations have recently been put in place restricting access to some social media in certain situations because of the hidden risks of these seemingly innocuous platforms. The United States federal government and some US states, for example, have barred government-issued devices from the use of Chinese-owned TikTok, which allows users to create and share short videos with music, special effects, and other features.

The concern is that foreign-owned applications might share the information they collect with government intelligence agencies. That information includes personally identifiable information (PII), keystroke patterns, location information derived from the SIM card or IP address, app activity, browser and search history, and biometric information.

Personal use of social media by employees can impact the company’s brand as well as endanger the firm or employees themselves—bad actors could use social media to identify where a person works, the division in which they work, and possibly their physical location. The potential harm is higher for high-risk employees such as senior executives or those with authority to execute financial transactions.

Of course, there are plenty of good reasons for employees to use social media. It can enhance marketing campaigns, announce news or critical information, and otherwise raise the profile of an organization. Social media channels can be used to monitor risks and threats against a government or critical infrastructure. Firms may also want to monitor social media channels for trending information about their organizations. Whatever the reason for embracing the beneficial side of social media, it’s crucial to be aware that using it can also invite unwanted exposure for both employees and the organizations they work for.

What are the employee risks of social media?

Here are some of the risks that social media platforms can pose to employees:

Privacy concerns: TikTok, for example, has faced criticism for its data collection and privacy practices, as the app collects a significant amount of information about its users, including location data and device information.

Cyberbullying and online harassment: Social media platforms can be a breeding ground for cyberbullying and online harassment, even when an employee uses them for professional reasons. Users may be targeted for their appearance, race, gender, sexual orientation, or other personal characteristics.

Inappropriate content: Social media users may encounter inappropriate or offensive material while using these platforms for personal or professional reasons. This could include explicit or violent content or content that promotes harmful or illegal activities.

Addiction: Social media platforms can be addictive, and users may spend excessive amounts of time on them. This can lead to problems with time management, interfere with daily activities, and hamper productivity.

Security risks from cyberattacks: Because of the large volumes of data popular social media platforms collect, these apps are an attractive target for attackers. For example, in November 2022, a database of 487 million WhatsApp users’ mobile numbers from more than 84 countries was put up for sale on a hacking community forum.

What are the business security risks of social media?

Risks that businesses might face when using social media include:

Reputational damage: Social media allows anyone to post comments or reviews about a business, which can be both positive and negative. Negative comments or reviews can damage a business’s reputation and may require the business to respond and address the issue in a timely manner.

Employee misconduct: Similarly, employees who use social media to represent their employer may accidentally or intentionally post inappropriate or offensive content, which can damage the business’s reputation.

Exposure due to data breach: Businesses’ data might be at risk should a social media platform experience a data breach. Simple LinkedIn career updates could trigger “new hire” SMS phishing attacks, and screens visible in the background of an innocent workplace selfie posted on Instagram or Facebook could inadvertently expose sensitive corporate data.

Legal liability: Businesses may face legal risks on social media such as defamation, copyright infringement, or violations of consumer protection laws.

How to mitigate risk from social media

To minimize these risks, consider the following:

  • Limit the use of social media applications to company-owned devices, especially for firms with high security requirements. In any high-risk firm, the separation of business versus personal use should be clear and distinct. While employees might need to carry two devices—one for business and another for personal use—the policy aims to keep a barrier between the two uses. Businesses that mandate this sort of deployment should enroll devices in a mobile device management tool to monitor patch levels and the types of applications that are installed.
  • Create an acceptable use policy for both company- and employee-owned devices. Such policies set expectations for social media engagement to ensure that the firm’s culture and reputation are maintained, especially if employees are allowed to use personal devices for business apps. You’ll want to review recommendations for both Android phones and Apple iPhones. Here’s an example of a social media acceptable use policy from Stanford University.
  • Protect computers and mobile devices used to participate in social media engagement and potentially isolate them from other systems that present higher risk. High-risk organizations might want to provide devices and computers that are dedicated to social media interactions or consider outsourcing these functions to firms that specialize in social engagement.
  • Ensure that permission levels are set appropriately on multi-user tools used to manage social media posting. You may need to also document guidelines for multi-user use of social media. Monitor and review the use of such tools. As platforms and trends change you may need to reevaluate engagement or move to additional platforms.
  • Document and monitor all social media channels used for official communication by the organization. The US Cybersecurity and Infrastructure Security Agency (CISA), for example, regularly publishes security information on social media platforms and identifies those channels that are authoritative. Ensure that users know which social media channels are used by your firm and assign someone to monitor their use. Recently, some major firms were spoofed on Twitter and fraudulent tweets affected the stock price of the companies.
  • Set up multi-factor authentication (MFA) for all social media accounts. There have been many cases where an unauthorized person obtained access to social media channels and put forth statements and comments that damaged a company’s profile.
  • Enhance email protections for employees that handle your social media outreach to make them less susceptible to phishing attacks.
  • Provide guidance to employees for protecting themselves when using social media. This includes how to block direct messages and deal with harassment. Make sure they are mindful of the content they share and who they interact with, and that they understand their options for privacy settings to control the information that is shared with others.

For more detailed advice, CISA released resources in 2021 on recommended methods to protect social media channels. Social media constantly changes. It’s wise to review your engagement and protection policies on a regular basis and adjust as necessary.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
