Since the shift from a static Internet presence to a dynamic online participatory presence associated with social media technologies, a growing number of businesses and individuals are communicating online. Social networking sites such as Facebook, Twitter, and LinkedIn have revolutionized the way people and businesses interact with one another on a daily basis at very little or no cost. Online networks allow businesses to interact with customers, build their brands, and dialogue with employees at “higher levels of efficiency than can be achieved with more traditional communication tools” (Kaplan & Haenlein, 2010, p. 67). Discussions about the benefits of corporate social media are easy to find; however, social media is not all favourable. Alongside the well-established and repeated benefits of social media lie the very real and often ignored risks of privacy and security. According to Ernst & Young’s 2010 Global Information Security Survey, “sixty percent of respondents perceived an increase in risks due to social networking, cloud computing, and personal mobile devices in the enterprise” (Ernst & Young, 2010). It is important for every business using social media to understand the considerable risks involved, including these main three: reputational damage, social engineering, and data breach. These security risks can have a pernicious effect on an organization’s operation, employment practices, and privacy, among other significant ramifications.
The first main security risk of a corporate social media presence is reputational damage. In “Social Media – The New Corporate Playground,” Agarwal, Mondal, and Nath (2011) argued that social media tools have turned consumers into “prosumers” because they now have the ability to produce their own online content (p. 696). Online self-publishing creates a risk to the organization’s reputation because any unhappy employee or consumer behaving emotionally has the ability to post his or her thoughts on Facebook or Twitter for everyone to read. Aula (2010) argued that social media creates an extensive reputational risk for organizations because content cannot be controlled in advance and it is almost impossible for organizations to regulate what is being said about themselves online (p. 44). In “Social Networking: The ‘What not to do’ Guide for Organizations,” McKenna (2010) argued that social media technologies have given consumers the power to destroy an organization’s reputation “within twenty minutes” (Get Out of the Way section, para. 3). It is very important for businesses to carefully monitor what is being said about them on social media sites and, if necessary, deal with the issues to avoid reputational damage (Greenwald, 2010, para. 1). Organizations need to keep in mind that what goes online cannot be taken back. Another risk to an organization’s reputation is computer hackers. If a cybercriminal hacks into an organization’s social media account, he or she can then hijack the account and start sending out posts from the organization’s profile. This situation could cause a reputational disaster for any organization. According to “Five Top Social Media Security Threats,” the best defense an organization can have against reputational damage is to create a well-organized social media policy that identifies “who is allowed to use social media on behalf of the organization and what they’re allowed to say” (Nerney, 2011, p. 2). Important elements to keep in mind about social media policies are that they set guidelines and boundaries to help prevent reputational damage and that they provide an action plan when reputational damage does occur.
The second main security risk of a corporate social media presence is online social engineering. Wikipedia describes social engineering as “the art of manipulating people into performing actions or divulging confidential information” (Social engineering (security), 2012), and Townsend (2010), in “The Art of Social Engineering,” defines it as a “psychological manipulation to change the behaviour of a particular target” (top section, para. 2). In other words, social engineering describes deceit used to obtain sensitive information, to steal money, or to gain access to a computer system. There are plenty of online social engineering scams, such as phishing (an online technique used by cybercriminals to gather sensitive information for a malicious use by appearing to be from a trustworthy source), auction fraud, counterfeit goods, disaster appeals, extortion, money laundering, and malicious software (Townsend, 2010). According to an article entitled “ISACA Identifies Top Five Social Media Risks for Business,” social engineering takes advantage of the fact that social networks are built on trust and regularly exploits companies and individual users (Infosecurity, 2010). Social media has trained users to be too trusting, as people participate and share personal details about their lives online for everyone to see. People are quick to click on links, open photos, and download files from their social networks without even thinking about potential risks. According to Banerjee et al. (2009), 90 percent of Twitter users do not take any action to secure their profiles or posts from the public, “thereby exposing a vast amount of data over the Internet” (p. 1824). Social networks provide cybercriminals with the information they need to conduct their scams. For example, an individual could get personal information about a business from the social networking site LinkedIn, such as employees’ emails. He or she could then use phishing techniques to attempt to gather sensitive information by sending a malicious email that appears to be from the organization to the employee list obtained from the social networking site. The employees who receive the email believe it to be from a trustworthy source and provide the information requested. Cybercriminals regularly use social networking sites to monitor and collect information about an organization or individual to make their scams appear more real, in the hope of finding clues that would reveal a user’s password. The best defense an organization can have against social engineering is to stay informed about the risks and remember to be careful about what information is shared online.
The third main security risk of a corporate social media presence is the breach of sensitive proprietary data. In “Effects of Feedback and Peer Pressure on Contributions to Enterprise Social Media,” Brzozowski, Sandholm, and Hogg (2009) observed that employees’ use of internal social media systems at Hewlett-Packard facilitated collaboration and helped to develop and maintain a sense of community among co-workers. While this online participation and interaction may have many benefits to the organization, it does present serious risks to the organization’s information privacy. Data or company secrets shared online amongst employees are vulnerable to hackers, prying eyes, or careless mistakes. According to Ernst & Young’s 2010 Global Information Security Survey, “the habits of sharing personal information online are being transferred to sensitive business information, where they are not appropriate” (Ernst & Young, 2010). Another social media risk to an organization’s privacy and data is malware, short for malicious software. Malware is software programmed to exploit a computer, or the data it contains, for a malicious purpose and without the owner’s permission. According to Verizon’s 2012 Data Breach Investigation Report, “hacking and malware remain significant threats…because they allow attackers remote access, automation, and an easy getaway” (Rashid, 2012). Malware is used by hackers to reveal private information from a user’s computer, such as “payment card information, personal identifying information, and authentication credentials” (Rashid, 2012). Twitter is particularly risky to use because of its shortened and unrecognizable URLs that can easily “trick a user into visiting malicious sites that can extract personal and corporate information” (Nerney, 2011, p. 1). Education about social media security settings and what information can or cannot be shared publicly is critical to the prevention of a data breach.
While some businesses today take the stance not to participate in social media, many organizations depend on a strong online presence for their success. A real-time connection with employees and customers is convenient, but the risks must not be ignored. Reputational damage, social engineering, and leakage of sensitive data are risks that any business with a social media presence must be aware of. A well-organized and promoted social media policy with plenty of training will go a long way in preventing a social media disaster.
Agarwal, S., Mondal, A., & Nath, A. (2011). Social media – The new corporate playground. International Journal of Research and Reviews in Computer Science, 2(3), 696-700.
Aula, P. (2010). Social media, reputation risk and ambient publicity management. Strategy & Leadership, 38(6), 43-49. doi:10.1108/10878571011088069
Banerjee, N., Chakraborty, D., Dasgupta, K., Joshi, A., Mittal, S., Nagar, S., . . . Madan, S. (2009). User interests in social media sites: An exploration with micro-blogs. Proceedings of the 18th ACM Conference on Information and Knowledge Management, China, 1823–1826. doi:10.1145/1645953.1646240
Brzozowski, M. J., Sandholm, T., & Hogg, T. (2009). Effects of feedback and peer pressure on contributions to enterprise social media. Proceedings of the ACM 2009 International Conference on Supporting Group Work, USA, 61–70. doi:10.1145/1531674.1531684
Ernst & Young. (2010). 13th global information security survey 2010. Retrieved from http://www.ey.com/GL/EN/Home
Greenwald, J. (2010, August). Social media creates risks to reputation. Business Insurance, 44(33), 3. Retrieved from http://www.businessinsurance.com/article/20100822/ISSUE01/308229968
Infosecurity. (2010, June). ISACA identifies top five social media risks for business. Retrieved from http://www.infosecurity-magazine.com/view/10210/isaca-identifies-top-five-social-media-risks-for-business
Kaplan, A., & Haenlein, M. (2010). Users of the world, unite! The challenges and opportunities of social media. Business Horizons, 53(1), 59-68. doi:10.1016/j.bushor.2009.09.003
McKenna, B. (2010, October). Social networking: The ‘what not to do’ guide for organizations. Infosecurity, 7(5), 22-24. Retrieved from http://www.infosecurity-magazine.com/view/13507/social-networking-the-what-not-to-do-guide-for-organisations
Nerney, C. (2011, May). Five top social media security threats. Network World. Retrieved from http://www.networkworld.com/news/2011/053111-social-media-security.html
Rashid, F. (2012, February). Malware, hacking most common attacks in 2011 data breaches: Verizon DBIR. Retrieved from http://www.eweek.com/c/a/Security/Malware-Hacking-Most-Common-Attacks-in-2011-Data-Breaches-Verizon-DBIR-210278
Social engineering (security). (2012, March 2). In Wikipedia, The Free Encyclopedia. Retrieved 03:38, March 10, 2012, from http://en.wikipedia.org/w/index.php?title=Social_engineering_(security)&oldid=479796662
Townsend, K. (2010, September). The art of social engineering. Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/12787/the-art-of-social-engineering