Include CISO When Building Social Media Policies

By Evan Blair December 22, 2014

When it comes to social media risk management, organizations are only as strong as their weakest link.

Chances are that nearly all of your employees are on social media in some capacity. A recent Radicati Group survey states the average person worldwide has three different social media accounts. Now consider that each account is a target for cyber adversaries: Attackers are increasingly targeting vulnerable employee, partner, vendor, customer and investor profiles—leveraging phishing, malware and social engineering to slip through traditional security defenses. In fact, four in 10 people surveyed for a Norton Cybercrime Report have fallen victim to social media cybercrime. So send your chief information security officer (CISO) an e-mail and set up a meeting to talk about social media.

*Define social media policies and train employees.

The first line of defense against any social-borne cyberattack is an organization’s people. Establish training programs, create reporting avenues and publish collateral to keep employees informed on the latest threats. Safe online behavior is the key to thwarting cyberattacks. Social media cyberattacks take advantage of the trusting atmosphere created by social networks, where users are likely to let their guard down. Behavior policies alone will not solve the problem of social-borne cyberattacks, but they will create a culture of awareness.

Organizations must establish how social media is used internally. While sales and marketing may rely on social media to hit their numbers, HR likely uses it for recruiting and promoting company culture. Ensure these goals not only align with your CISO’s goals, but that the departments communicate about how social media is being used within the organization. Keep in mind that because human resource professionals are tasked with interacting with outside individuals, they are ripe targets. Hackers can strike in the form of impersonator applicants and recruiters, distributing phishing links and malware.

Once policies have been put in place, human resources and IT security should conduct employee training on both appropriate and safe social media usage. Employees should be aware of what social engineering campaigns, phishing and malware look like, when to disclose information, how to safely connect with co-workers and executives, how to identify impersonator accounts, and how to report potentially malicious activity.

*Inventory and monitor social media, prioritize threats and remediate attacks.

In an ideal world, the measures listed above would be sufficient to combat social media threats. However, sooner or later your organization will likely be the target of a cyberattack that gets through the first line of defense. Information security must consistently monitor the full social landscape, prioritize incoming threats, and combat and remediate in the event of an attack. This is no small task, but one that could save an organization millions of dollars and thousands of hours, and protect a company’s brand.

HR can support IT security by having a strong social media risk management policy and providing effective training. Although a CISO’s technology solution should be automated and scalable, the fewer potential breaches he or she needs to handle, the better. With a robust security solution, clear social media policies, and an informed and alert workforce, an organization is not only protected from attacks but can leverage social media for productive business goals. To do this, ensure that the social media dialogue is occurring throughout your organization.

*HR directors should have the CISO on speed dial.

If there’s one main takeaway, it’s that your CISO must be involved with social media. Collaboration is key to leveraging social media to its fullest potential. Next time you review your social media policy, be sure to include your CISO.

It might be the single most important thing you do.

Evan Blair is chief operating officer of ZeroFOX, a social media risk management company.
