4 tips for partnering with marketing on social media security

If you ask cybersecurity execs where the biggest risk to their companies lies, 41.33% will tell you it’s marketing tech. At least, that’s what research provider Pollfish contends in its October 2020 report of 600 American professionals. Not just any martech, though: 25.67% are specifically worried about executives’ personal social media accounts.

The concern is for good reason. Those in the industry three years ago may remember a picture from Twitter of a Hawaii Emergency Management Agency employee standing by his computer with system passwords on Post-it notes behind him. The photo was taken by the Associated Press, then shared online. Whether it led to a January 13, 2018, alert that incorrectly warned Hawaiians a ballistic missile attack was coming, who knows. It doesn’t take a social media expert to know the photo was a bad idea.

Be it pictures or posts or anything else people share, Harman Singh, founder of risk assessment startup Cyphere, calls social media “low hanging fruit” for hackers—a great “test of [a] company’s security awareness and policies.” If a company is sloppy with best practices in one way, it might be vulnerable in others.

Enterprise social media is typically run by marketing, a department that can sometimes have more clout than security with its own seat in the c-suite. Marketing and security don’t always connect or necessarily even get along. Singh points out that a “difference in vision” affects the way the two approach their jobs: Marketing wants as much information about the company out there as possible; security holds it back. “Marketing department[s] often find it hard to talk to techies in their language and vice-versa,” Singh says.

How threat actors exploit social media

It’s not so much that hackers want the company’s Twitter or Facebook credentials; it’s everything they lead to. If marketing uses similar passwords across accounts, successfully hacking Twitter is a possible entry to the company website. Hack from there to Adobe Experience Manager, the website’s translations, customer mailing lists, or anything else someone could steal or use to damage reputation.

If that’s not enough to scare any marketing department into cooperation, there’s even more data nefarious actors can garner from posted information. “Pictures uploaded over Twitter, Instagram, and other social media channels often give away … geolocation information, device model, [and] software and related information,” says Singh.

Take your everyday conference tweet, for example (well, before COVID, that is): Marketing sets up a booth and takes pictures of sales chatting with clients. “We love helping customers optimize real-time widget potential,” they Tweet, “#WidgetConLive,” then, below the picture, a line: “Las Vegas Convention Center / Tagged into this photo” with top executive names. Voila! Thanks to this tweet, hackers know which employees are traveling where. They click on the tag to link to those individuals’ personal accounts, where they then glean even more company information: “Waiting for my plane at LAS,” “On layover at SLC,” “Great meeting Bob at WidgetCustomer.com!”

Once hackers are monitoring personal and corporate accounts, they soon have access to an executive’s larger travel schedule, which Singh says can be analyzed to tell where “company locations or clients exist…. This information can then be fed to social engineering attack vectors—for example, impersonating a senior director who is travelling and then calling [the] IT support team to reset [your] password due to important tasks being stuck when you are at an airport.” Because of Twitter, they know exactly which airport to name.

That’s why Singh says, “Marketing and communications teams should work in tandem with cybersecurity,” whether the departments naturally understand one other or not.

4 tips for effectively partnering with marketing

Amir Tarighat, CEO of threat detection provider Achilleion, agrees, noting the security/marketing barrier is overcome by mutual respect: “Social media security needs to be approached as a process and partnership with the marketers. Security professionals should respect the creative nature of marketers’ work,” which is often done at odd hours from odd places. While heavier authorization might fend off those I’m-on-layover attacks, Tarighat says it’s also important to “understand [marketers] might need to use a BYOD [bring your own device] smartphone to send a tweet at 9 p.m.”

“Because of the nature of social media, the infosec team has no control over any social media … technology and policies beyond configuring privacy settings,” says Tarighat, explaining that since social media platforms are “beyond password control and device security, the rest of the infosec toolkit doesn’t help here.” Partnership is security’s only way not to be powerless.

Tarighat and Singh offer these four tips for partnering with marketing.

Develop simple guidelines. Marketing is charged with protecting company brand. They don’t want to clean up reputational damage, intellectual property exposure, or similar liabilities any more than security does. While they may not know what personally identifiable information (PII) is right away, once explained, they’re not going to want their home addresses in the wrong hands either. Approach social media security as something that helps marketers protect themselves and do their jobs.

Avoid coming down too hard. While Singh suggests setting up “social media account safety and regular inspections,” this relationship comes with its own power balance. Marketing typically has a seat in the c-suite, whereas security may not, and the best policies in the world don’t mean anything if marketers don’t follow them.

“Marketing departments might be wary to give into infosec collaboration on social media if it becomes invasive or gets in the way of their creativity. Infosec teams have to treat marketers differently because they have more discretion on how they do their creative work than other departments with traditional workstations. Things like letting marketers choose their own MFA [multi-factor authentication] method is a great way to share that oversight,” says Tarighat.

Address BYOD concerns. Tarighat also recommends letting marketers use their own devices, something Singh staunchly disapproves, saying security should “ensure that company staff do not use company accounts on their mobile devices if not allowed by security teams,” claiming that BYOD “could lead to staff being targeted…and in some cases, shared passwords could lead to staff accounts being hacked.”

Push this guidance too hard, though, and the partnership may break. Tarighat says, “The most important aspect of social media infosec is BYOD devices. BYOD is already very popular, even more so for marketing departments”—something that was true even before marketers started working from home due to the pandemic. “Negotiating BYOD security isn’t easy because employees are hesitant to hand over full MDM [mobile device management] control to their employers. Alternatively, issuing company devices doesn’t help much as it can be costly and less efficient for employees,” he adds.

In other words, companies may be stuck with all those personal devices whether security likes it or not.

Try meeting in the middle. Ask marketers with Android phones to use enterprise work profile. Originally built into Android 5.0, Google updated the feature through operating system 11 last September. Tarighat says, “It allows for the creation of a complete, separate user that can be managed by a traditional MDM while keeping the personal profile totally separate.”

Tarighat also says security and marketing can create “a procedure to check devices and applications logged into the social media platform.” For example, when Twitter sends a new login alert, where does it go? If security can convince marketing to make them the recipient, you’ll know about breaches sooner and they’ll have less to do. “Security professionals should regularly check platforms for logins from unknown devices or places. Seeing unapproved devices or apps is either a sign of an attack or more likely that your infosec collaboration isn’t going well,” he adds.