7 Tips for Mitigating Cyber-Risks to Your Corporate Social Media

How to stay safe, even when tech-savvy admins can't tell the difference between a scam and the truth.

[Image: social media icons. Source: Wavebreakmedia Ltd IFE-210908 via Alamy Stock Photo]

Threats to corporate social media are evolving along with perpetrators' social engineering skills at a blistering pace. Sometimes their techniques reach such a high level that even the tech-savvy administrator of a corporate network can't tell the difference between a scam and the truth. Since so many businesses use social media, these threats are relevant to an extremely large number of companies. To help them stay safe, here are a few points of advice to mitigate the cyber-risks associated with today's social media landscape.

Use Caution With DMs, Drafts, Old Messages

Companies should be careful about keeping sensitive information in direct messages — it can pose cybersecurity risks. People often use corporate social media to write directly to brands, asking for help with the account holder's product or service. Also, some partnerships, such as those with bloggers, can be negotiated in direct messages. Sometimes personal or financial information is shared during these conversations, which could remain in the messages folder long after the interaction, vulnerable to intruders.

To avoid this risk, company representatives should make it a habit to delete messages once the dialogue is finished and the information they contain is no longer needed. It's also worth regularly reviewing what's saved in the drafts folder, including drafts of old posts.

Review Old Posts, Minimize Reputational Risks

If sensitive or embarrassing information resurfaces from an old post, it can hurt a company's reputation or even result in financial losses. Spend some time reviewing old posts, as they might contain information that doesn't fit into the current reality. That might be anything from inappropriate jokes to controversial advertising campaigns.

The Potential Downside of Success

Having signed a lucrative contract or deal, we often want to post about it. But we also want to avoid unwanted attention from cybercriminals. If a potential attacker knows who your suppliers or contractors are, they could impersonate them, or breach their accounts and act on their behalf.

The more clearly you reflect your company's structure and working methods on social media, the easier it is for perpetrators to organize an attack. For example, if it is possible to trace who is responsible for finance, an attacker can pretend to be this person's supervisor and try to lure them into urgently transferring a large sum of money to a fake account to close a deal or purchase equipment.

New Hires and Risks With New-Job Posts on Social Media

Once hired, newcomers usually share the news on social media, but they may not yet understand the company's cybersecurity processes, such as how identity is verified or with whom they can share sensitive information.

Imagine a perpetrator tracks this person on social media and then sends them a malicious email purporting to come from the company's IT administrator, asking them to share their password to set up a technical account. The newcomer may not know that the administrators would never send such a message. They may also hesitate to ask their colleagues whether the message is authentic.

To mitigate the risk, offer newcomers a course on information security immediately, and tell them to be extremely careful when posting about their job.

Control Account Access, Especially When an Employee Leaves

Logins, passwords, and the email addresses used to create a social media account are just as valuable as other internal corporate documents. If an employee who has access to these accounts leaves the company, apply the same rules as when blocking their access to the corporate network. Change the password for the email account linked to the corporate social media account; then unlink the ex-employee's mobile phone number.

Don't Ignore Other Protections

Any account on a social network, not to mention a corporate one, must be securely protected. Two-factor authentication is an absolutely necessary setting for any type of account.

The email address linked to the account should be protected as well as the social media account itself. Often the attack begins with initial access to email. After breaching the mailbox, an attacker can configure filters in the mailbox settings to delete all support emails from the social network. As a result, the user will not be able to restore access to their account.
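The mailbox-filter trick described above leaves a trace: an inbox rule that quietly hides or deletes support and account-recovery mail. The following is an added example (not code from the article or from Kaspersky) of a defender-side audit that scans a mailbox's rules for that pattern. The `InboxRule` structure, the action names and the sample rules are constructed for this illustration; the keyword list is illustrative and would be tuned to the platforms a company actually uses. It goes slightly beyond the article by also flagging catch-all rules with no conditions, since those hide recovery mail along with everything else.

```python
# Added example: audit mailbox inbox rules for ones that hide social-network
# support or account-recovery mail. Rule format, action names and sample data
# are constructed for this example, not taken from any real mail platform.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keywords that mark a sender or subject as social-network support / recovery
# traffic. Illustrative list (assumption); extend it for your own platforms.
RECOVERY_HINTS = (
    "facebookmail", "instagram", "linkedin", "twitter", "x.com", "tiktok",
    "support", "security", "password", "verification", "login", "sign-in",
)

# Actions that remove a message from the user's view. Constructed names; map
# your mail platform's own action types onto these when adapting the check.
HIDING_ACTIONS = {"delete", "move:junk", "move:deleted items", "move:archive", "markread"}


@dataclass
class InboxRule:
    name: str
    from_contains: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)
    enabled: bool = True


def _matches_hint(text: str) -> bool:
    """True if a rule condition refers to support/recovery traffic."""
    t = text.lower()
    return any(h in t for h in RECOVERY_HINTS)


def check_rule(rule: InboxRule) -> Optional[str]:
    """Return a reason string if the rule would hide recovery/support mail, else None."""
    if not rule.enabled:
        return None
    hiding = [a for a in rule.actions if a.lower() in HIDING_ACTIONS]
    if not hiding:
        return None  # sorting into a visible folder is not the attack pattern
    conditions = rule.from_contains + rule.subject_contains
    if not conditions:
        # No conditions means the rule applies to every message: a catch-all
        # that hides everything, recovery mail included.
        return f"catch-all rule applies {hiding} to all mail"
    hits = [c for c in conditions if _matches_hint(c)]
    if hits:
        return f"applies {hiding} to mail matching {hits}"
    return None


def audit_rules(rules: List[InboxRule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every suspicious rule, in input order."""
    findings = []
    for rule in rules:
        reason = check_rule(rule)
        if reason:
            findings.append((rule.name, reason))
    return findings


# Constructed sample rules, resembling an export from a mailbox after a compromise.
SAMPLE_RULES = [
    InboxRule("Newsletters", from_contains=["newsletter@"], actions=["move:Newsletters"]),
    InboxRule("Cleanup", from_contains=["@facebookmail.com"],
              subject_contains=["password reset"], actions=["markread", "delete"]),
    InboxRule("Old filter", subject_contains=["security alert"], actions=["delete"], enabled=False),
    InboxRule("Vendor", from_contains=["invoices@"], actions=["move:Junk"]),
    InboxRule(".", actions=["markread", "move:Deleted Items"]),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}: {reason}")
```

Run against the sample set, the audit flags the "Cleanup" rule (it deletes Facebook password-reset mail) and the catch-all "." rule, while leaving the ordinary newsletter and vendor sorting rules alone. In practice the same check would be run periodically over rules pulled from the mail platform's administrative API, and any finding treated as a sign that the mailbox may already be compromised.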

It is best to register a corporate social media account using a corporate email address, since it can be better protected than a personal one.

It's equally important to train employees on information security, phishing, and other threats. According to recent cyber skills training statistics, just 11% of nearly 4,000 employees demonstrated a high level of cybersecurity awareness in 2022, while 28% could not demonstrate sufficient cybersecurity proficiency.

About the Authors

Anna Larkina

Web Content Analysis Expert, Kaspersky

Anna Larkina is a Web content analysis expert at Kaspersky, contributing to threat research related to privacy. Anna joined Kaspersky in 2009 as a Web content analyst in the content filtering research group. She began her role as the first adult content analyst on the team, building up the research operation almost from scratch and filtering Websites by category. Anna specializes in social media, privacy, and online child safety. She has helped create product features for Kaspersky's "Safe Kids" product and developed a system for evaluating Internet services on how they should comply with GDPR and CCPA.

Roman Dedenok

Spam Analysis Expert, Kaspersky

Roman Dedenok is lead anti-spam analyst at Kaspersky’s content filtering research group. He has been with Kaspersky since 2012, starting as a spam analyst. Over the years, he has taken on various roles within the company, including testing engineer and research development team lead, before becoming lead anti-spam analyst in 2021. With extensive experience and expertise in the field, Roman specializes in targeted email phishing attacks and is dedicated to developing innovative solutions for protecting against these threats.
