How To Change Security Behaviors: Social Media

Changing behaviors is never an overnight fix. There’s no special formula for an annual training session that will transform employees into security-savvy superhumans.

But there are some areas of life where changing behaviors is particularly difficult — usually areas where bad habits are repeated multiple times per day.

Social media falls into this category.

Many of your employees spend hours on social media every single day, while simultaneously displaying a whole range of poor security behaviors. And if you intend to maintain a low level of cyber risk, you’re going to need to change those behaviors.

What Could Go Wrong?

For a medium designed to encourage friendly networking, social media use comes with a surprising array of potential downsides for organizations. Here are some of the most common threats posed by employee use of social media:

Phishing or Account Compromise

Yes, that old chestnut. Many consumer-focused phishing attacks are designed to facilitate the takeover of social media (and other) accounts. Once an account has been compromised, it is typically used to send out messages with malicious URLs to all of the victim’s connections. This tactic has proved highly effective in recent years, so you can expect to see it continue for the foreseeable future.

Also keep in mind that since many people use the same password for everything, compromised personal credentials could also jeopardize a victim’s business accounts.

Social engineering

Remember the old Nigerian prince scam, where a threat actor would reel victims in with a tall tale about making them rich if only they could provide some cash up front? Well, this type of scam has skyrocketed in recent years thanks to the success of social media. Instead of cold-emailing random people, threat actors now set up fake social media profiles, send out thousands of friend requests, and then run their scams using the built-in instant messaging functionality.

Of course, these days not too many people are likely to accept random friend requests from people they don’t know. To make up for this, threat actors often create profiles on other sites (e.g., dating sites) in order to make first contact with a potential victim, and then befriend them on social media sites.


While some social media sites are reasonably good at weeding out malicious advertising, many others show no evidence of even trying to do so. As a result, by combining clickbait headlines with paid advertising, threat actors have a tailor-made distribution mechanism for their latest malware variants.


Got any important company secrets to keep? If so, you’d better ensure none of your employees accidentally share them through social media before you’re ready to announce them to the world.

Sabotage and Defamation 

Not every leak happens by accident. Disgruntled employees have been known to intentionally leak sensitive information, or publish inappropriate and/or damaging posts publicly.

The Ostrich Approach and Why it Doesn’t Work

It can be tempting to simply block employees from visiting social media sites, and assume that the problem is solved. Sadly, it isn’t.

The thing is, there’s nothing at all you can do to prevent employees from using social media when they’re at home, or even when at work if they’re using a personal mobile device. If you choose to block social media sites outright, there’s a good chance you’ll simply push poor security behaviors underground.

And since there are a whole bunch of ways for employees to endanger your organization which don’t involve direct infection, burying your head in the sand like an ostrich isn’t a great long-term strategy.

Training users to adopt strong security behaviors may take time and resources, but it will ultimately yield much better results.

Think Bite-Sized

There’s plenty wrong with traditional security awareness training. Unfortunately, one problem that’s often overlooked is the format: long, annual training sessions.

Quite simply, this approach has almost nothing going for it. For starters, long security training sessions have been sending people to sleep since time immemorial. At the same time, 12 months is way too long a gap to have between sessions. Most people will have forgotten everything within 12 weeks, possibly much less.

So before you start thinking about content, here’s our first tip: Train your employees in short, regular microlearning lessons, in place of longer, less frequent training sessions. For obvious logistical reasons, online training (preferably multimedia) works best for this approach, as nobody wants to be dragged away from their desk to sit in a classroom multiple times each month.

Each lesson should be highly focused, timely, and completely devoid of fluff. Your users should get the information they need, precisely when they need it, and nothing else.

There are two benefits to this approach:

  1. Your employees are far more likely to retain learning if lessons are provided in the context of their normal daily routine; and
  2. Frequent lessons never give employees the chance to forget about your security awareness program.

Quite simply, if your employees are thinking about the specific aspects of security that affect their roles on a regular basis, they’re far less likely to make unnecessary mistakes.

Social Content

Once you have your training mechanisms in place, it’s time to consider the topics you’ll need to cover. Thankfully the dangers of social media for organizations are (mostly) well established, so there are some definite places to start.

Here are some of the top contenders:

Password hygiene

Helping employees understand the need for different, hard-to-guess passwords is a huge step towards reduced cyber risk. Password reuse attacks are consistently popular and highly successful, so help your employees understand what makes a good password, and encourage them to use that knowledge both at work and at home.


Malvertising and other link-based threat vectors are all the rage right now, and can easily lead to malware and/or ransomware infections. Once again, if you teach employees that following links blindly can be hazardous, you’ll be doing everybody a favor.


For some people, sharing every moment of their day on social media is normal. Unfortunately, this habit can easily lead to unintentional data leaks and/or breaches of information security.

Profile Skimming

On a similar note, threat actors have often been known to use publicly available information from social media profiles to identify and profile targets. Explain to your employees the potential downside of having a public profile, and show them how to make their accounts private. If necessary, you may consider asking them not to include your organization’s name in their social media profiles.


Social engineering via social media has become popular with threat actors in recent years. Using built-in private messaging functionality, threat actors befriend their victims in order to achieve their objectives, which could be anything from a BEC scam to industrial espionage.

Reinforcement, Reinforcement, Reinforcement

Social media was intended to be a force for good. And while there are certainly risks for both individuals and organizations, there’s no reason why people shouldn’t enjoy using it for both business and personal purposes.

So while many organizations choose to forgo training their users in the use of social media, we just can’t recommend that approach. Your employees are going to use it anyway, so it only makes sense to help them use it safely.

To that end, your training program will live and die on its ability to keep your message at the forefront of employee minds. Reinforcement is key.

In our experience, online multimedia training is the simplest and most effective way to go. If employees can easily navigate and complete microlearning sessions from the comfort of their own desk, they are far more likely to learn, and far less likely to become frustrated and disengaged.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: