Threat Intelligence Blog

Posted December 5, 2019

We’ve all heard a social media security horror story – like the ones that have plagued Facebook in the past few years. 

First there was the Cambridge Analytica scandal, where researchers harvested Facebook data belonging to some 87 million users. The data was then used for political advertising purposes. 

Then in 2018, Facebook fell victim to another scandal. On this occasion, hackers exploited code to gain access to an estimated 50 million accounts

But it’s not just Facebook, and it’s not just data breaches. Cyber criminals can exploit any number of social networks to steal personal information and credit card numbers, extort users, distribute malware, and commit fraud. Both at home and in the workplace, a poorly secured social media presence is a liability. 

Taking greater accountability for the security of your social media presence – personally and professionally – is a great starting point. Here are a few best practices you can begin implementing right now.

Never Share Highly Sensitive Information

This includes Social Security numbers, banking information, account logins, and passwords. Most people have enough sense to not Tweet out this information or include it in a Facebook post. However, you shouldn’t even share this information over private messaging. 

Operate under the assumption that your account will be hacked at some point. And when it is hacked, any and all information that you’ve shared via the messaging features on Instagram, Facebook, LinkedIn, or other social networks will be exposed. In the workplace and at home, there are more secure ways to share sensitive information than social media. These include a phone call, in person, and – if absolutely necessary – over a secure email service and in a password-protected document. And let’s face it — most of us use social media on our work computers. When your accounts are compromised, it compromises your organization as well.

Manage Your Privacy Settings

The more information you share via social media, the greater the risk. This doesn’t mean you have to withhold everything. After all, social media can be a great way to promote your business’s products or services as well as your personal accomplishments and creative endeavors. 

Nevertheless, managing your privacy and security settings is a great way to control what information you actually provide to the likes of Facebook and Twitter, and who can see that information. 

On Facebook, for instance, you can decide whether your photos, status updates, activity, and friend list is open to the public, or just to friends. You can also control who is allowed to send you friend requests – whether that is anyone, or just friends of friends – and messages. You even have the option to review any content you’re tagged in before it’s posted to your Timelines.

Similar privacy settings are available through Twitter, Instagram, Snapchat, LinkedIn, etc.

Also keep in mind that you have the option to share location with most of the major social media channels. Just be aware of the risk involved in doing so.

Post With Care

Even if you’ve set your profile to private, or are being careful about curating who can see what post, it may not be enough.

For one, there’s never any guarantee that it is, in fact, private. Case in point, in late 2018, Facebook accidentally made millions of users’ private posts public.  

In a perfect world, you would be able to assume some level of trust when it comes to cybersecurity. However, even the most advanced security analysts are now touting the benefits of zero-trust security – a mindset in which no system, user, or device is ever presumed trustworthy. 

Likewise, you should assume that even a well-guarded social media account is not inherently safe, and that means:

  1. Not uploading highly secure information (even in private messaging features).
  2. Not posting anything to your private networks that you wouldn’t want released to the public.

Other posting tips to keep in mind:

  • Avoid posting from your vacation destination, as this tells people you’re away from home, possibly endangering your physical security. 
  • Always double-check pictures before you post them to make sure personally identifiable information (address, email, phone number, driver’s license, etc.) is not accidentally included in the frame.  
  • Once it’s on the web, it’s usually there for good. 

Make Unique Passwords for Each Account

This one is pretty straightforward. If you use the same password for all of your accounts, then a hacker who hacks one hacks them all. 

The same goes for online banking, email, subscriptions, business accounts, etc. Given the massive quantity of records that have been exposed in the past, the likelihood of you not having been affected at some point are incredibly slim (even if it was an old account that got breached).

This matters because it means that whatever password you used for that account is no longer secure. Hackers actively employ a tactic called credential stuffing, which involves plugging stolen credentials into as many sites as possible with the hopes of a match. 

By the way, there was a massive data breach of LinkedIn in 2016 that exposed more than 100 million email addresses and passwords. If you haven’t updated your LinkedIn password in a little while, that might be a good place to start. 

Otherwise, we’d recommend getting a good password manager, and running your email address on Have I Been Pwned to see if there’s any record of your email being leaked online. Another easy way to secure your accounts is to start using a password manager that creates strong and unique credentials for your accounts.

Use Multi-Factor Authentication (MFA)

Most social media platforms will let you set up a second factor for authenticating your login. This simply means that when you log into your account on a new device or browser, you’ll receive an out-of-band authentication challenge. 

That usually takes the form of a text message or an email asking you to verify your login attempt. 

The beauty of MFA is that it can protect your accounts even if your password has been compromised, and it can clue you into that theft because you’ll receive verification requests that didn’t originate from you. 

Be Wary of Phishing Schemes and Click With Caution

Many instances of data theft, hacking, malware intrusions, and account takeovers start with phishing schemes that are meant to trick users into giving away information. Don’t take the bait:

  • Don’t open links from unknown senders. 
  • Be very suspicious of random emails or messages from someone you haven’t talked to in years that says something to the effect of “Is that you in these pictures?” And if you do click on the link, definitely don’t log in if it takes you to a social media login page. It’s most likely a trick to steal your credentials. 
  • If you receive an email that says “Your account has been compromised, click here to reset your password,” don’t. Instead, manually navigate to your social media page and reset your password there. 
  • Use your judgement. If someone you know and trust starts sending you weird messages or promoting products to you over messaging, it could be a sign that they’re hacked.

If something looks off, then it probably is. 

Get Cyber Awareness Training

Last but not least, employers can help protect workers’ information on the web and instill social media security best practices by offering staff formal cyber awareness training. 

To that end, LookingGlass provides 14-day free trial for its Cyber Safety Awareness Training. Check out the details here.  

Otherwise, if you have any questions about how to better protect your business and personal accounts, we’re all ears at LookingGlass

 

Additional Posts

A Year in Review: Cyber Trends in 2019

Each year, the cybersecurity industry is bombarded with threats to be concerned about. In the ...