
Thank you. Good afternoon, my name is Ann Marie O'Donnell, and if the lead-up to this wasn't nerve-wracking for me, it is now, so bear with me. This is my first time speaking. I'm here to talk to you today about understanding the security risks of social media.

A bit about me: I'm a cyber security consultant. I work for BH Consulting, a cyber security consultancy in Dublin, and I've been working for them for four years now. I graduated from Leen IT with a cyber security degree, and I've also graduated with a master's degree from TU Dublin. When I'm not doing my day job with BH Consulting I like to volunteer my expertise with the Zero Day CTF, who are actually running the CTF here today. I also do some part-time lecturing, and I'm a mother to three amazing kids. Now, I say kids; that's kind of an exaggeration, because two of them are now grown adults who are emigrating to Australia and leaving me behind. But like I said, today is my first time ever talking at a conference, and I'd just like to say thank you to BSides Belfast for giving me this opportunity. It kind of feels like I've come full circle, because this was the very first security conference I ever attended as a cyber security student, and I've attended every one that they've had except for when they had the break for Covid. So coming back here today to speak is kind of like coming full circle.

You're probably wondering what has inspired me today to talk about social media and why I'm talking about the risks of social media. Most people nowadays have a social media presence. Out of curiosity, is there anyone in this room who has never had a social media account, or are we all social media addicts in here? Anyone? No, we all use it. Okay.

So when we think about social media, we think about the nice sides of it. Around 2010 I was a stay-at-home mother with my daughter; she was a baby, so for five years I was stuck at home, living outside a small village, and so my closest neighbours were basically a field of cows. I had no one to speak to, so social media was great: I could connect with people globally and I could share everything. Whatever was happening every day, I shared it. I was just addicted to it. It wasn't until I became a cyber security student that I started to realise that the more active I was on social media, the more risk I was exposing myself to.

So what kind of risks are those? We've got potential cyber bullying. We've got that feeling of fear of missing out when we're looking at other people's social media and seeing what they're doing, and we start comparing ourselves to it. We've also got the argument that we can start to feel more isolated and potentially anxious. And then, not to mention, we also have the other types of issues such as phishing scams and those horrible things we hear about, the romance scams that happen on social media. So those are the potential risks we might face as individuals using social media.

But what about businesses? In an age where businesses are increasingly reliant on social media for marketing, recruiting and interacting with their customer base, it's imperative that we start to comprehend the many types of security risks that could be lurking for them in the shadows of the platforms.

So you might ask how this became a topic of interest for me. Well, recently I found that I've had quite a few of my clients coming to me looking for security reviews of their social media accounts. One client in particular suffered some reputational damage due to following some accounts that didn't quite fit with their company's values, we'll say.

So, hacking of social media: 64% of businesses have experienced social media hacking and fraud, there are at least 30 attempts to take over corporate social media accounts per year per institution, and $3.25 billion in annual global revenue is lost each year due to cyber crimes relating to social media. So this isn't a new concept; it has gone on for many years. The motive of these hackers is usually to gain control over accounts to steal personal information, spread misinformation, or engage in other malicious activities such as data theft or identity theft, or just spreading malware and, as I said, scams. It can be financially motivated or politically motivated, but sometimes we just have to accept the fact that it's malicious because they can be.

Here are some examples of companies that had their social media hacked. In the last 10 years, we're going to look at three of them.

July 2022, Disneyland Resorts: they had their Instagram hacked. They have a global following of 8.4 million. They lost access to their Instagram accounts, and posts were made that were racist and homophobic, and there were even comments threatening a new Covid strain. Now, in 2022 that was a big thing, because we were just basically coming out of Covid and we were reopening, and the thought of a threat like that would be damaging to any business. So the damage was done. They actually took control of their account again and deleted the posts and everything, but the damage was done. The hacker that actually took responsibility for the hack admitted that it was actually a revenge hack, because he felt that the Disney staff were mocking him. So there was nothing there that was actually financially related; it was just someone wanting to get revenge because they felt the staff was mocking them.

In 2014, though, this one was interesting: it was the House of Wolf pub in Islington in London. Now, this was a small pub that had their Twitter account hijacked and their Facebook account hijacked, but this one was a disgruntled employee. They had fired an employee and forgotten that this employee had access to their social media accounts. They didn't change the passwords, and this employee believed that they were owed money, so they hijacked the accounts, took control of them, basically aired the pub's dirty laundry all over their social media, and refused to give back the accounts until they were paid. Now this again is just an example that it's not always someone from outside that's doing it; there are such things as insider threats.

And then in 2013, this one was my favourite: Burger King had their Twitter account hacked. The hackers took control of the account and proceeded to post a series of unauthorised tweets which included offensive and inappropriate material. It also alluded to the fact that Burger King had been taken over by McDonald's. Basically it went on for a few hours; there was a lot of offensive language and imagery, but they shut down the Twitter account. The interesting fact on this one was that in the time that they were hacked there was so much social media news about it, and just general news, that they gained 30,000 new followers during that hack. This was actually analysed by an advertising company, and it came out with the line: positive or not? So although no one wants to see their social media hacked, this one went in Burger King's favour.

These attacks are basically highlighting the potential reputational damage that can occur when a brand's official account is compromised, and the need for businesses to have a plan in place for responding to a social media crisis and handling public relations when you're in the middle of a crisis.

So how do we go about doing this? Well, the very first thing that any business should do when using social media, the first place they should start, is with a very strong social media policy, and we must always ensure that all of our staff are on board with this social media policy, regardless of whether they're actively posting for the business or whether they're posting for themselves. They need to be on board with the policy because, regardless of what we think, social media has the power to influence a company both positively and negatively. So this is crucial for any business, and in the current digital age it helps establish guidelines and expectations for employees' behaviour and interactions on these social media platforms.

So what's the first thing that we need to look at in our social media policy? The first thing is we need to identify and name who is responsible for our social media and who is responsible for our social media team. These people, and I say person or unit, whatever it is, need to be responsible for ensuring that they've set up the social media accounts. So one unit is setting up all the social media accounts, and they're being set up with one particular generic email, because there's no point in me, an employee at BH Consulting, setting up our social media accounts with my personal email attached to it, and then tomorrow I leave and my email gets shut down. How do we control our accounts then, because these accounts are all linked to me? So it needs to be a generic email account belonging to the business that anyone within that unit can actually access when that person leaves.

They also need to be responsible for everything relating to those platforms: deciding who's going to have access to those platforms; regularly reviewing security settings on the social media platforms, because as we know, Facebook, Instagram, Twitter, they all go in the back and change things on their platforms and we're unaware that they've done that, and then we don't find out until later on when we're looking around saying "oops, I wasn't secure here" or "I wasn't secure there" and then we have to readjust things, so constant monitoring of your social media platforms is imperative; deciding how the social media platform will be used to promote your brand, which is very important and needs to be considered; who will be posting on your social media, how often you're going to post on your social media, and does your content need to be approved; monitoring your social media and looking for other accounts that might be set up, so brand impersonation, that's another important thing; and then also having a procedure in place for decommissioning accounts that aren't being used.

These are all very important things, and this is something that one of my clients actually discovered when we were reviewing them: their social media policy was not strong enough. They were using a large team of social media people, they were using one login and sharing it amongst each other, and sharing the password without any sort of secure sharing, and they basically found themselves in a position where it was impossible to track and audit things. Then they got into trouble and we couldn't identify who it was.

The next step is if you're going to use social media management tools. Now, social media management tools are a wonderful thing. They can manage all your social media accounts at once, and you can basically set things up so that your posts are going out whenever you want, and you can control your social media accounts from it.

The next thing is a joiners, movers, leavers policy. This needs to be brought into your social media policy, because we need to be able to control when someone joins your company: if they need to access social media, then they need it straight away, so we need to set that access up straight away. If they're moving from that unit, from the social media team, then we need to identify that straight away and move them out. Or if they're leaving, like the House of Wolf pub, we need to shut them down, change passwords and remove their access.

We also need to look at formalising training for your social media team. This is also very important, as your team needs to be able to acknowledge and understand your social media policy and work within the confines of your social media policy, as well as showing that they understand what they're doing. And then we also need to include procedures for how to close down your old accounts and decommission your accounts.

When it comes to formal training programmes in relation to your social media accounts, it is important that all of your members have signed your social media policy and acknowledged it. The best way to ensure that we are doing our training for this is to ensure that we have some form of acceptable usage of the business social media accounts. So we need to identify with them that this is how you'll be using the accounts: what is appropriate to post on these accounts; guidelines for how we're going to access the accounts, will we be accessing the accounts via office machines or office-based mobile phones; will we be allowing access to social media only within business hours, or will we be allowing them to post outside of business hours; training relating specifically to social media security issues as well, because we have to think about the potential for phishing through social media accounts, and we also need to think of malware or the use of vulnerable third-party apps within our social media; and guidance on responsible posting and interacting with your followers online.

We need to be very wary of the types of individuals and businesses that we are connecting with on social media platforms. We need to review the connections, because not everyone that we follow will have the same values as us or the business. A perfect example of this would have been a client who had followed an account that was anti-trans, and this created quite an issue for them. When they realised what had happened they tried to unfollow them, and this then created quite a backlash. They had to shut down their social media accounts, and essentially they relied on their social media: this was how they interacted, this was how they got their posts out, this was how they brought people into their business, and unfortunately they had to close down their social media because essentially it was ruined. There was reputational damage, and it was becoming a process that needed to be dealt with, and this was where we came into it.

Social media management tools. Now, this is a very good one, because a lot of social media management tools come with free licences, and this one in particular was being used, again, as a free version with only one login, and everyone was using it, so again it was impossible to actually track. So the most important thing when you choose to use a social media management tool is to ensure that it's licensed correctly, that there's a service level agreement, and that everyone who is using that tool has their own login, so that their posts and logins can be audited and tracked. Logins and posts being regularly audited is the next most important step that should be done. It's important to identify and recognise the logins and the IP addresses and locations of where those tools are being logged in from, and that they belong to your staff.

If using social media platforms for posting, have you appropriately secured your social media accounts? That's something else you don't think of, because although you're accessing all your social media accounts through a platform, you're forgetting that your actual social media accounts are still sitting out there. They might not be being used by you per se, you might not be accessing them yourself, but they're still sitting there and they're still open to being attacked. So this is another important thing: you should have them appropriately secured and using MFA, and if that's unavailable you should be accessing them with an authenticator app. And are these social media platforms being regularly checked and passwords changed at regular and appropriate intervals?

Old accounts: when we're talking about decommissioning old accounts, the main thing I can say to you is you need to follow proper procedures to disable these accounts, because these accounts can be taken over and used by hackers to try and represent themselves as genuine accounts to your followers. So it's important that you don't leave accounts sitting there being unused. If you cease using an account, then go through the proper procedures to disable those accounts officially.

So what are my key takeaways from this talk today? First of all, my main one to you is that a strong social media policy is necessary for any company; without that, your employees don't have actual guidelines to follow in how you want them to use your social media accounts. Next is to keep track of your social media accounts and who is accessing your social media accounts, so again it's bringing in your joiners, movers, leavers policy and ensuring that only those that need access have access. Implementing a formalised staff security training programme for social media: this is incredibly important because, although we all use social media, we all use it in a different way, so we need to acknowledge that the way I would post on social media as myself personally would be completely different to the way a business would expect you to be posting on social media. So having a formalised training programme where you're telling your staff "this is what we do and this is how we do it" is the best way forward and ensures that your staff don't actually do things that will reflect badly on your company.

I also recommend having a crisis management playbook in place, so that in the event that there is a breach your staff actually know how to proceed and what to do in the event of a particular type of crisis. Tabletop exercises are another great way of training your staff, because there's nothing better than sitting down and throwing a real-life scenario around a table and then putting the pressure on them with some time and saying: this is what's happening, this is where we're at, what are we doing now, how do we deal with this? The best thing you can come away with from that is that at the end, not only have you worked your way through a real-life scenario, but you're able to turn around and say, okay, I think this may have worked or this might not have worked, but maybe we should look at this next time.

Continuously monitoring your social media accounts for potential threats is also very important. We can't just assume that because we've secured our accounts with a password and we've got MFA on there that there isn't the potential for someone to get through. This is very important: continual monitoring of your social media accounts, don't let them sit there. And finally, multi-factor authentication, that is another major, important thing for your social media accounts. Don't leave them sitting there with just a password; always have multi-factor authentication. I can only tell you that there's not a day goes by where I don't get a text message or an email from Microsoft telling me that someone's trying to access my Hotmail account. I am changing my password every few days, and it doesn't take long before I start getting these little codes through telling me that someone's requested a code. So it's very important to have those alerts on so that you can identify this.

I know that I've spoken about this from a business perspective today, but it is very important to understand that what I'm saying here today doesn't just apply to businesses. Of course I'm not telling everyone here you need to go home and create a social media policy for yourself, but we do have values and ideas of what we consider safe to share, how we want to use these platforms, how much information we're willing to give away about ourselves. These are all things that we need to consider every day, because the amount of information that can be gathered about us from social media is infinite. A hacker just has to find out one little thing about me from LinkedIn, and they could figure out my employer, my work email even, because once they identify where I work they can figure out how my work email looks; or they might figure out where I live; or they might, from a photo of my kids, figure out what school they go to. So these are all things we need to think about and keep in mind. And as I said, although this was mainly targeting businesses, this can all be applied to you personally as well. Thank you.
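To make the audit described in the talk concrete, here is an added example that is not from the speaker or any vendor: a small Python audit that applies the checks she describes (joiners/movers/leavers status, login locations belonging to staff, and a single shared login used from several places) over constructed login records from a hypothetical social media management tool. The roster, the log format and every value in it are assumptions.

```python
"""Audit login records of a social media management tool against a staff roster.

Added example: the roster, log format, field names and all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: user -> (JML status, countries the person works from).
ROSTER = {
    "alice": ("active", {"IE"}),
    "bob":   ("active", {"IE", "GB"}),
    "carol": ("leaver", {"IE"}),      # has left the company; access should be gone
}

# Constructed audit-log lines: timestamp, user, source IP, GeoIP country.
LOG_LINES = """\
2024-05-01T09:02:11Z alice 203.0.113.10 IE
2024-05-01T09:05:40Z bob 198.51.100.7 GB
2024-05-01T09:06:02Z bob 192.0.2.55 BR
2024-05-01T11:30:00Z carol 203.0.113.12 IE
2024-05-01T12:15:27Z mallory 192.0.2.99 US
"""

SHARE_WINDOW = timedelta(minutes=30)  # two IPs on one login inside this window


def parse_log(text):
    """Parse one record per line into sorted (datetime, user, ip, country) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country))
    return sorted(records)


def audit_logins(records, roster=ROSTER, window=SHARE_WINDOW):
    """Return (user, finding) pairs for logins that need follow-up."""
    findings = []
    recent = defaultdict(list)          # user -> recent (time, ip, country) entries
    for ts, user, ip, country in records:
        status, countries = roster.get(user, ("unknown", set()))
        if status == "unknown":
            findings.append((user, "login by user not on roster"))
        elif status == "leaver":
            findings.append((user, "login by leaver; access not revoked"))
        elif country not in countries:
            findings.append((user, f"login from unexpected country {country}"))
        # One login used from different addresses close together points to a
        # shared credential, the situation that made auditing impossible.
        for prev_ts, prev_ip, _ in recent[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                findings.append((user, f"same login from {prev_ip} and {ip} within {window}"))
                break
        recent[user] = [r for r in recent[user] if ts - r[0] <= window] + [(ts, ip, country)]
    return findings


if __name__ == "__main__":
    for user, finding in audit_logins(parse_log(LOG_LINES)):
        print(f"{user}: {finding}")
```

Run as a script it lists four findings: bob from an unexpected country and from two addresses within the window, carol logging in after leaving, and mallory not on the roster.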