Social Media Awareness (Part 7 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The seventh practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 7: Be especially vigilant regarding social media. In this post, I discuss the importance of having clear social media policies and conducting social engineering training to help mitigate unintentional insider threats.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The seventh of the 20 best practices follows.
Practice 7: Be especially vigilant regarding social media.
If an organization is unable to manage the information its employees post online, social media sites can create an additional attack surface. External attackers can gather intelligence through public posts and information to conduct spear phishing campaigns, map an organization's hierarchy, or even recruit disgruntled employees to participate in malicious insider attacks. Organizations must develop and implement training, policies, and procedures to provide all employees with a clear picture of which social media practices are acceptable and which are not.
Social media accounts can provide personal information to an attacker who can, in turn, use that information to compromise individual accounts. Even an action as simple as requesting troubleshooting advice on an online forum can spell danger for an organization if it unintentionally reveals sensitive information such as the hardware and software running on a particular piece of networking equipment or some of the organization's internal IP addresses.
Organizations need to establish clear social media policies and procedures that address what is and is not acceptable online employee behavior. The National Labor Relations Board's acting general counsel recommends that organizations writing these policies consult their own general counsel to ensure that the policies are worded appropriately and that their language does not
- prohibit posting non-specified, employer nonpublic or confidential information and legal matters
- prohibit employees from making statements that are detrimental, disparaging, or defamatory to the employer (i.e., speaking up when issues are seen)
- prohibit employees from discussing dissatisfaction with the workplace
- threaten employees with discipline or worse for failing to report other employees who violate an unlawful social media policy
In addition, all employees need to receive social engineering and social media awareness training. This training can include a demonstration that involves visiting an actual profile, viewing the publicly available information, and explaining the impact the information displayed can have on the organization and the individual. If the organization pulls examples from its employees' social media pages, personally identifiable information should be removed or anonymized properly.
Organizations that choose to monitor employee social media accounts need to do so with a high degree of caution. If your organization uses this approach, there are key areas to be aware of:
- Employees must not be punished for protected speech, such as discussing pay or complaining about their supervisor.
- Viewing social media accounts for potential new hires may lead to discrimination lawsuits.
- Multiple states have legislated against employers who requested access to an employee's social media password.
While there are pitfalls to avoid, organizations that effectively and securely manage their use of social media can find an incredible resource for workplace communication and community outreach while protecting themselves and their employees from internal and external threats.
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.
Check back next week to read Practice 8: Structure management and tasks to minimize insider stress and mistakes, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.