CIOs Have To Treat Social Media With Care

Hackers can learn a lot from a CIO's social media
Hackers can learn a lot from a CIO’s social media Image Credit: Blogtrepreneur

Every person with the CIO job knows what social media is. In fact, we all probably have Facebook, LinkedIn, and other social media accounts. We use these tools during our off hours to stay in contact with people that we don’t see all the time. We browse family photos posted by people that we know and we may even upload pictures of our cat doing goofy things at times. However, it turns out that there is a downside to social media that we may not be aware of. Everything that we post on any social media platform just might come back to haunt us.

Beware Of Social Media

Armed with all the information that you have posted on your social media accounts, a cybercriminal can cobble together a profile of you. Once they have done this they can use it in countless ways to break into your company’s network. One way that they could do this would be to craft an email tailored to your interests (“Hello fellow cat lover!”) that gets you to click on a dubious link, inadvertently giving them access to the network. They could also send you insider details about service providers like your health-insurance company, so they can launch a ransomware attack. Alternatively, they might pretend to be you to trap somebody else at your business. And so on it goes.

About 60% of the information that a hacker needs to craft a really good spear phish is found on Instagram alone. By scouring somebody’s social media accounts a hacker can usually find everything they need within the first 30 minutes or so. The person in the CIO position needs to understand that it isn’t just things that you post, either. We have to realize that every ‘like’ we make on Facebook and heart we tap on Instagram can be aggregated together to paint a fairly clear picture of who we are and what we are into. The potential for attack is even greater given the data breaches that have occurred like the recent hacks at Facebook and LinkedIn, which exposed hundreds of millions of users’ personally identifiable information. Then there’s the fact that so much of this criminal snooping can be done automatically: Hackers can use powerful AI and software tools to scan your social-media accounts at incredible speeds looking for details. The bad guys can actually automate all that reconnaissance using AI, which criminals are increasingly doing at scale in hopes of finding a lucrative victim.

CIO Need To Think Twice About What They Post And Then Think Again

All CIOs know that this is a classic piece of advice for protecting our online security, but it bears repeating. We need to stop posting private information on public platforms. Private information includes such things as travel plans, personal interests, details about family members or specific news about a work product. The reason that this is a bad thing to do is because all of that information can be used to gain your trust or deceive your co-workers. For example, a hacker might find out personal histories from your social media, then send a phishing email that says things like: “I’m sorry about your brother’s passing. I feel like I remember his 16th birthday party.”

Although we may not think of it, even the smallest details, which malicious actors can aggregate from more than one platform, may be unintentionally revealing. Always take off your employee ID in photos so hackers can’t use yours as a model to create their own. Don’t tag images. The reason is because geotags alert threat actors as to where you have recently been, which is just the sort of kernel needed to send a malware-embedded survey about last week’s hotel stay. They can also search on Twitter for tags like “#LifeAtCompanyX” to get intel on you or your business. In photos, you need to move a bit away from any workstations because it can easily reveal which software you’re using so bad guys can customize phishing attempts. Additionally, you’d be surprised how often there is a Post-it Note with a username and password hanging there. Given this information the hacker is in.

CIOs Need To Stop Sharing Their Work Email

One of the easiest ways for hackers to do mischief in a company network is to get into your email account and send phishing messages. And one of the easiest ways to stop the bad guys from doing this is to make sure they don’t get your address in the first place. That means using your work email for work only and never showing it openly on your social-media profiles. In theory, this should be easy: The good news is that on sites like LinkedIn and Facebook, users can keep their emails invisible to anyone but themselves. However, most people continue to make them public, thus leaving personal contact information open to data-mining firms or malicious actors. The consequences can, of course, be alarming. With your email, an attacker can use spear phishing to infect other employees, exploit the company’s defense perimeter and potentially gain access to other employees or spy on a company’s internal communications. CIOs should have at least four email addresses: one for personal messages, one for work, one for spam and one just for social media. The key is that they should never use their work email for anything else.

CIO Should Always Use Different Profile Pictures On Different Platforms

CIOs have to keep in mind that AI and powerful software programs can quickly search social-media accounts looking for profile-picture matches, as well as other common characteristics such as usernames, friends, interests, etc. across accounts. For example, if someone uses the same profile picture on Instagram and Pinterest, the AI can tell that the accounts belong to the same person, even if the usernames are different. Hackers have the ability to build up a huge trove of information about you to impersonate you more effectively to your co-workers. The good news for CIOs is that there’s one simple line of defense: Whenever it is possible, don’t use photos of you or people you know in profile pictures. If your profile image is not a photo of your spouse or your kids or you, then it makes it difficult for a hacker to make a positive correlation across platforms.

What All Of This Means For You

Just like the rest of the world, CIOs are using social media to remain in contact with friends and family members. We like to keep the people that we are in contact with up to date on our status and so we post update notices, pictures, and even our current schedule. However, hackers have learned that we are doing this and they have started to use our social media postings as a way to break into our company’s networks.

CIOs have to understand that everything that they post online can be used by a hacker to create a profile of them. The bad guys have upped their game and now they are using AI and software tools to quickly gather great deals of information. CIOs have to stop posting private information. Even the smallest details that we post can be used to go after both ourselves and the people that we work with. CIOs should never use their work emails when posting on social media. They also should always use different profile pictures for each social media platform.

Social media is here to stay. We really can’t expect CIOs to not make use of it during their time off. However, when we do make use of it we need to be careful. We need to understand that there will be people out there who will be collecting everything that we post and trying to build a profile of us that they can use to imitate us to others. Limiting what we post and being careful about what information we are willing to share can help to keep our identities safe from hackers.

– Dr. Jim Anderson Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What social media platforms do you think that CIOs should avoid?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

If you think about it, CIOs are responsible for everyone who works for the company. They need to make sure that the right technology gets placed into the right hands. However, their responsibilities go even further than that. They are also responsible for making sure that every worker is able to use the technology that they provide them with. For your younger workers this may be no big deal – they’ve been using new technologies literally since they were born. However, when it comes to your older workers this may not be the case. How are CIOs supposed to help older workers who may struggle with the introduction of new technologies?