How Can CISOs Work with CMOs to Secure Social Media?

By Otavio Freire, CTO & Co-Founder, SafeGuard Cyber

Recent reports indicate that over half of the global population now uses social media – up 10.5% on last year’s 3.5 billion users. For businesses, being able to engage with customers and users on social media is no longer a side strategy. It is an absolute must.

However, unlike email, social media lacks a robust security system. Social media channels exist outside traditional cybersecurity architecture and are vulnerable to a range of dangerous digital risks. And here’s the real challenge: Despite this risk, CISOs don’t own these channels. Typically, the marketing department does. Even though executive leaders, spokespeople, and brand reputation are all at risk on social media, marketing usually doesn’t prioritize security. It isn’t their job.

How can CISOs effectively work with their CMOs to protect social media assets, so that everyone benefits? By offering a clear picture of the risks, and communicating the benefits of security in such a way that collaboration becomes a no-brainer. Social media security isn’t only a defensive initiative. It drives revenue and growth. Once this is understood, the organizational buy-in is far easier to acquire.

Social Media Has No Security Infrastructure

Decades ago, when email began to be broadly adopted by large organizations, security threats evolved. By the early 2000s, software vendors entered the market to help businesses secure their email channels. Today, email security is a $3B industry, but it took nearly a decade for solutions to catch up to the risks.

Social media protection is currently caught in a similar security gap. Brands and companies have only been seriously leveraging social media for a few years – and the cybersecurity industry is yet to catch up. The massive adoption of cloud SaaS and mobile apps to streamline communication and improve the customer experience has created a new gap between the developing threats and the security infrastructure. Solutions are emerging, but they never appear as quickly – or in as well-formed a fashion – as CISOs require.

Because social media channels live outside the traditional security perimeter, IT teams are deprived of visibility. Bad actors know this, and they are circling. A study involving 1.2 billion social media interactions found that 53% of all social media logins were fraudulent, and 25% of new accounts were fake. Even popular celebrities on Twitter aren’t safe.

This is why 73% of cybersecurity professionals say that web-based threats are far harder to deal with than their email counterparts, and 80% think that attacks launched via Facebook pose serious threats to their organizations. What’s more, brand threat intelligence is increasingly becoming part of the CISO’s overall risk management responsibility. The threats are legion: social engineering, spear-phishing, account impersonation, sophisticated profile hijacking, insider threats, and more.

COVID-19 Complications

Remote work mandates during lockdowns accelerated enterprise adoption and use of social media platforms. This expanded the attack surface, creating huge risk exposure for the enterprise. Cybercriminals and nation-state actors are targeting people where they are relatively unprotected. These attacks include (but are not limited to) infiltrating collaboration platforms, phishing employees with malware-laced files, and conducting espionage on LinkedIn and even WhatsApp.

Bringing Marketing Onboard

If CISOs don’t own social media channels, how can they repel these threats? By showing the departments that do own social media that social media security is about more than security. The following questions should be posed to CMOs:

  • Would you like to guarantee that your products and services are accurately represented online?
  • Would you like the proper visibility of malicious actors on the dark web?
  • If rules and policies could ensure security, compliance, and visibility on social media channels, would you be able to increase productivity without increasing headcount?
  • Would you benefit from securely enabling the executive team and recruiters to communicate effectively on channels like LinkedIn?

The answer to these questions will, of course, be yes! And once marketing realizes that the right security tool will help drive outreach and growth, a win-win is created. In terms of securing social media, everyone now has skin in the game.

What kind of software will ensure that the whole organization is satisfied? Social media security software needs to be lightweight, and not get in the way of the user. Social media tools are now crucial to operations, so cybersecurity software cannot make them any trickier to use. If this happens, employees will find a way to sidestep the software, and sales and marketing will be irked.

As well as being invisible to the user, social media protection needs to be automated. The fact is that, with the volume and velocity of digital communications being what they are, people cannot be trusted to protect themselves. Human error featured in 95% of all security breaches, according to a study by IBM. Enterprises can train employees in cybersecurity best practices to keep them vigilant and responsive to possible threats, but this will never be enough. CISOs need to lean on AI and ML.

Above all, social media protection needs to meet the platforms where they are: in the cloud. Only a cloud-based defense can stymie attacks at the app level, and stop them from moving laterally into endpoints and onto enterprise networks. An effective platform should offer:

  • Comprehensive Visibility

Security teams need to be able to find and onboard all authorized social accounts. They need the ability to inspect messaging for malicious content, track new connection requests, and archive account activity.

  • Threat Detection

All social media accounts need to be monitored around the clock for suspicious activity and correspondence. All files, attachments, and links must be automatically scanned for malware, and connections must be evaluated for known or potential bad actors.

  • Incident Response

Malware and other threatening content must be immediately quarantined, in real-time, at the app level. IOC notification details should be sent to SOC/SIEM for evaluation, and social attacks need to be correlated with EDR.

Social media platforms are only going to become more central to enterprises. In line with this, bad actors are going to get more sophisticated, COVID-19 is going to continue to exacerbate things, and the security stakes are going to continue to rise. CISOs need to communicate this reality to their CMOs in a way that brings them onboard. Once marketing realizes that real security can drive growth and revenue, bringing in the right software will become a priority for the whole organization.

About the Author

As the President, CTO, and Co-Founder of SafeGuard Cyber, Otavio Freire is responsible for the development and continuous innovation of SafeGuard Cyber’s enterprise platform. He has rich experience in social media applications, internet commerce, and IT serving the pharmaceutical, financial services, high-tech, and government verticals. Mr. Freire has a BS in Civil Engineering, an MS in Management Information Systems, and an MBA from the University of Virginia Darden School of Business, where he currently serves as a visiting executive lecturer. Otavio can be reached online via LinkedIn and on our company website.


October 19, 2020
