Cyber Threat Landscape (Pre-Attack) Reducing Social Media Footprint (part 1)

The context of this writing: I took a course on Designing and Building a Cybersecurity Program and have written many papers during the course. Below is a revised/shortened snippet from one of my essay papers.


According to the New York Times, hackers are having a field day targeting employees on their social media platforms. This type of targeting isn’t anything new; however, it has been increasing and is attracting new hackers. For most employees, their activities outside of work, like social media platforms, are a personal endeavor they use to connect with friends and family members. Some don’t see how these accounts can be a gateway for hackers, including state-sponsored hackers, to infiltrate their company’s infrastructure.

If we take a look at the Defence in Depth framework, there are 5 layers:

  • Policy, Procedures, and Training
  • Physical Security
  • Network Management
  • Host Management
  • Application and Data Management

Companies that use this framework do a good job executing their security controls, which helps to keep bad actors from entering the front door of the company’s infrastructure. However, if we look at the first layer of the Defence in Depth framework, Policy, Procedures, and Training, most companies’ policies don’t extend to the security of employees’ personal social media activity outside of work. We see policies around code of conduct, or occasionally on how to conduct yourself on social media via a “Social Media Participation Policy.” What we really want to see are policies that put social media security protocols first and promoting information second.

What is social media security first?

This is simply training your employees to be security-minded first when they configure their accounts: using stricter settings like two-factor authentication, following text guidelines and phrases that reduce the amount of information they put online about their job duties, and configuring their accounts to be seen only by connected friends and family.

These simple measures will help reduce the digital information available about them online, especially for those closer to critical systems.

Circling back to the main point, how does this reduce reconnaissance and information gathering by 50%? We know hackers target social media accounts, so if we improve our policies to think security first and train our employees to be better security stewards of their own social media accounts, they can make it harder for hackers to gain access to their accounts or scrape information about them.

Continue to Part 2