Below is an article I republished to our internal employees via our monthly news letter, which I felt is very applicable these days. The why is an interesting topic. Companies operating today varying opinion on social media in the work place is truly a mixed bag. Ultimately, it depends on culture. Internet access and social media coupled with privacy data equal a degree of risk. This article highlights the legitimate reasons, where privacy and risk collide.
Data loss (i.e. data exfiltration, data extrusion, data leakage) is the unauthorized transmission of sensitive information from inside a privileged access point. Because it can closely resemble the normal flow of data traffic, it is difficult in practice to detect and therefore right the sinking ship. Traditionally viewed in the context of the network, endpoint or email, data exfiltration can enact huge financial and reputational losses upon victimized organizations and individuals.
Social media is a formidable and porous attack surface due to its sheer size. With ever-increasing volumes of data being poured across different networks on a daily basis, detecting data exfiltration posts can be like finding a needle at the bottom of the ocean. The tides have shifted even for the largest and most talented security teams, as it’s become humanly impossible to navigate through this information to identify harmful threats. Social media poses additional risks that are not typically encountered on traditional points of access like email. From hashtags to mentions to lists, it provides a flood of different ways for users to instantly broadcast data to large global audiences. Social media also lacks any industry security precedent as a platform like email, which has weathered wave after wave of high-profile attack.
It comes as no surprise then that organizations both large and small are woefully unequipped to address data loss prevention when it comes to social media. The security industry readily admits these shortcomings too, with 43% of fraud prevention managers and IT directors recently reporting that employee access to social media websites and services is their biggest obstacle when it comes to data loss prevention.
Fig 1 outlines three different ways that data loss can occur through social media. At a high level from left to right, we identify 1) Inadvertent data loss involving sensitive information posted directly to the social network, 2) The Insider Threat involving a disgruntled employee divulging company secrets through encoded social channel data, and 3) Intentional data exfiltration by bad actors looking to hack into the corporate network and establish Command and Control (C&C) to maintain their data siphon.
Such accidental social media data loss is an all-too-common occurrence for employees who take selfies at the workplace, which may display personally identifiable information (PII) or sensitive organizational information like product roadmaps, architecture diagrams, software stacks or customer information. The cost of social media data loss can multiply when culprits unknowingly violate industry-wide compliance mandates, potentially resulting in hefty financial penalties for the organization in question. Embarrassing moments have affected one of Instagram’s most followed users and the Twitter CFO. Indeed, if one of social media’s own executives isn’t even immune to this risk, this demonstrates the realistic situation every organization faces.
** This article was republished.