A 2015 joint study by IBM and the Ponemon Institute estimated that the average cost of a data breach from a company’s information systems network was $3.79 million. This represents a 23 percent increase over a two-year period. Over the same period, social media participation has grown roughly 10 percent annually. Studies have not shown a direct statistical correlation between social media growth and the increase in the cost of a data breach, but increased social media participation does create greater opportunities for hackers to find new victims and to exploit weaknesses in corporate cybersecurity defenses.
Hackers have long since learned to use social media sites as a source of information for identity theft. Individuals who would hesitate to divulge personal information in person do not hesitate to list their employment and education history and other identifying data under their social media profiles. Hackers use this data to guess passwords that then give them access to an individual’s financial and other resources. With that information, cybercriminals can easily take the next step of accessing the corporate networks of that individual’s employer.
Hackers have also learned to use the psychology of social media to attack companies directly. For example, hackers targeted a Portland, Oregon company with false complaints posted on social media and other sites to elicit a rebuttal from the company, and that rebuttal then gave them access to additional information about the company and its employees.
Controlling company information that is posted on social media sites, both by company employees and by the company itself, is a key defense against cybercriminals who are trolling for information to get deeper into a corporate network. Cybersecurity experts have developed other recommendations to improve corporate cybersecurity with respect to social media use:
- Internal security teams should work with the company’s marketing function to monitor and control information posted on the company’s social media sites.
- Those teams should also have leeway to monitor those accounts continuously for cyber threats.
- Monitoring should include developing a list of malicious URLs and IP addresses that connect into a company’s social media presence.
- Social media posts and profiles that expose a company to cybersecurity risks should be promptly deleted.
- Employee policies should include social media and cybersecurity guidelines that impose allowable restrictions on the type of information that employees can post on social media sites.
- Employees should receive regular training on social media risks.
A company’s marketing department will generally not have the expertise to address cybersecurity risks, and will naturally be more concerned with connecting and engaging a company’s customers and clients with its products. Rather than allowing a company’s security department to impose control over its marketing department, the better practice is to create a collaborative effort that engages both departments equally. Collaboration will benefit marketers by eliminating counterfeits and fake followers from the company’s social media presence. Security teams will also sleep better knowing that their marketing counterparts are not undermining their efforts to defend against hacking attacks that creep through social media.
Not even the most vigilant and robust collaboration will stop every cyberattack on a company, either through its social media presence or via some other avenue. The company’s ultimate protective layer is a data breach coverage insurance policy that reimburses the company for direct and third-party losses stemming from a cyberattack. Cyber insurance companies can also help a company to establish strong social media monitoring policies and practices that can reduce the company’s data breach risks without impairing its social media marketing efforts.