For the past decade, organizations around the globe have been grappling with how to handle the social media revolution. Certain industries, like retailers and technology companies, have embraced it with open arms, driving up their follower counts, engaging customers and being as vocal as possible. Others, such as finance and healthcare, have taken an understandably more cautious approach to the platforms.
Why all the hesitance? For many industries, the risks of social media are a bit bigger and badder and are not as heavily outweighed by the benefits (we strongly maintain that the benefits always outweigh the risks in any industry; it’s just a matter of using social safely and effectively). Highly regulated industries have to think about maintaining compliance, both internal and external. Any organization with loads of sensitive information — like healthcare and finance — recognizes that the more employee, executive and brand accounts, the easier it is for a cybercriminal to profile an organization, launch an attack against endpoints and distribute or advertise their haul to the hacker community after a breach. The risks of social are diverse and manifold, and some industries are forced to be more careful.
The question we then must ask is, should these industries use social media at all? Will ignoring, banning or blocking social media solve the problem?
Many risk-averse, tech-skeptical folks would say yes! In some ways, they have a point. If you don’t have a Twitter account, it can’t get compromised. If your employees are banned from creating accounts, they can’t be sent a phishing link. Blocking social media at work might make sense from a productivity perspective (although that’s a topic for another time). However, this is a narrow and dangerous perspective.
Consider the situation from the cybercriminal’s point of view. A company without a social media presence is the most vulnerable of all! If an organization doesn’t own its own accounts, even a non-technical criminal can make an incredibly convincing impersonation. All they need is 15 minutes and a coffee shop internet connection. Employees, customers and prospects expect that every business is on social media, and they will assume an official-looking account is official, especially if your business isn’t maintaining a genuine one. With nothing to compare against, your people and stakeholders will fall victim to the account 10 times out of 10.
Once a cybercriminal runs a credible account with what should be your followers, the digital world is their oyster. Fake coupons, phishing schemes, slander and inappropriate content, malware and ransomware will all be assumed to be coming from an official account. They can target pretty much anyone under the auspices of your brand. Of all the worst-case scenarios that ZeroFox encounters, this is one of the most devastating for the business and the most difficult to come back from.
What about owning brand accounts, but blocking social media for employees?
Many social media risks live and die on social media without ever touching your owned accounts or network infrastructure. Think financial scams, fake coupons and data loss. Because you don’t control the social media network, because you can’t stop your customers or partners from making accounts, and because realistically, you can’t fully block or ban employee social media usage, an attacker can launch an end-to-end attack without ever triggering any alarms. Even if you have owned accounts, an attacker can hijack your hashtags and brand to scam a customer right under your nose. You need defenses and visibility.
Without employees or marketing and sales teams on social media, you lose a critical layer of defense. Yes, these accounts can act as endpoints for attacks, but they also create a crowd-sourced line of defense and visibility, especially if you don’t use a digital risk monitoring tool like ZeroFox. These people are at the front line for detecting social risks and are often the first to alert a security or risk team that something is amiss.
In this situation, being prepared and having visibility is a must-have. Blocking social is the fast track to putting your organization in the attacker’s crosshairs because they know that the probability of them being caught is incredibly low. An attacker looking to invest time in targeting an organization will naturally pick the one where they can do the most damage. Do you attack the castle with soldiers manning the walls or the one that’s empty? An organization with no visibility or front-line defense is the most vulnerable target.
Moreover, many employees use social on their personal devices, even if they aren’t supposed to. Many employees find ways to use social on work devices, even if they aren’t supposed to. All the same issues surrounding BYOD apply to social media. And just as you would expect to have security visibility over devices, so must you have security visibility into social. Consider it a BYOSM (bring your own social media) policy.
Long story short, every business in every industry should be on social. You absolutely should not block, ban or otherwise not use social media. While blocking might mitigate some risks, it exacerbates other risks to a greater degree and puts a massive target on your back. When you don’t use social media, the risk to your organization increases greatly. So will blocking social media solve the problem? No. Should these organizations use social media? A resounding yes. Own that space, get visibility and learn to protect yourself.
However, the main reason you should be on social media has nothing to do with risks. At ZeroFox, our goal is not to scare people into not using social media — quite the opposite. We recognize its unprecedented value to businesses. That’s why we use social media (despite the risks), it’s why we partner with Hootsuite, the most widely-used social media management platform on earth, and it’s why, frankly, we started the company.
The main reason you should be on social is simple: it works. It’s a monumental business tool, ripe for growing your business in new, highly scalable ways. Social media has become perhaps the single business driver for many businesses in many industries around the globe. Learning to use social safely and effectively with respect to the challenges faced by your business and your industry might just be the most mission-critical goal for your company in the next 12 months.