Tips for Social Media and Social Networking Apps

Updated: Mar 28, 2022

Social media, and social networking or messaging apps, can pose a number of security and privacy risks to both organizations and individuals when used in an inappropriate or unsafe manner.


Due to their popularity, social networking or messaging apps are a common way for an adversary to gather information on organizations and their employees, projects, and systems. Even social networking or messaging apps targeted at children or teenagers present the risk that sensitive or embarrassing information will be disclosed. When sensitive or embarrassing information is posted on social networking platforms or shared via messaging apps, it has the potential to harm individuals and Australia’s national interests, security, or economic wellbeing. Information that appears to be benign in isolation could, if aggregated with other information, have a considerable impact.

Personal information posted on social networking platforms, or shared via messaging apps, can also be used by an adversary. Even seemingly benign posts, messages, photos, or videos can be used to develop a detailed profile of an individual’s lifestyle and hobbies. This information could be used in extortion or social engineering campaigns aimed at eliciting sensitive information from individuals or influencing them to compromise an organization’s systems.

Information that is posted to social networking platforms (even in private or direct messages), or through social networking or messaging apps, may be accessible to social networking and mobile app companies. Sometimes, this information can be stored outside of Australia and be subject to lawful and covert data collection requests by other countries, and you may not be protected by Australian legislation and privacy or consumer laws. The compromise of social networking accounts could also contribute to identity theft, fraud, and/or reputation damage or embarrassment to individuals.


Social networking for business purposes


The use of social networking platforms for business purposes should be governed by organizations’ social media usage policies.

The following measures should be implemented for corporate social networking accounts:

  • Ensure that only authorized users have access to corporate social networking accounts.

  • Be aware of any extrajudicial obligations in conflict with Australian law which may apply to social networking or mobile app companies.

  • Ensure users are informed of, and agree to, their organization’s social media usage policies as well as social network platforms’ usage policies.

  • Ensure users are trained on the use of corporate social networking accounts.

  • Ensure users are aware of what can and cannot be posted using corporate social networking accounts.

  • Ensure users are aware of processes for responding to the posting of sensitive or inappropriate information.

  • Ensure users are aware of processes for regaining control of hijacked corporate social networking accounts.

  • Ensure users’ access to corporate social networking accounts (either direct or delegated) is revoked immediately when there is no longer a requirement for access.


Securing social networking accounts


The following measures should be implemented for the use of both corporate and personal social networking accounts:

  • Use a strong passphrase that is unique for each social networking account and is not re-used on any other system. Use multi-factor authentication where possible.

  • Do not share passphrases for social networking accounts.

  • Do not store passphrases for social networking accounts in emails or in documents.

  • Do not elect to remember passphrases for social networking accounts when offered by web browsers.

  • Avoid configuring social networking accounts to automatically sign in.

  • Always remember to sign out of social networking accounts after use.

  • If asked to set up security questions to recover social networking accounts, do not provide answers that could easily be obtained from public sources of information.

  • Do not access social networking accounts from untrusted devices in internet cafes or hotels.

  • Use lock screens and a passphrase on devices that have access to social networking accounts.

  • Where possible, access social networking accounts using devices that are using the latest versions of software and have had all recent updates applied.

  • Remember to close old social networking accounts when they are no longer required.


