Cybersecurity Expert Shares How to Minimize Risks Related to Social Media
Businesses are increasingly augmenting their online marketing efforts by engaging the audience through social media.
However, there is still a lack of maturity when it comes to handling social media campaigns and capabilities.
According to recent surveys, 66 percent of businesses have tried out social media campaigns in the past 18 months.
While social media can be a powerful tool in marketing, businesses are also worried about its negative impacts, such as loss of privacy and potential social engineering attacks.
Cybersecurity expert and author Joseph Steinberg recently unveiled his latest invention, which he says could transform the way businesses and people handle the risks related to social media usage. I asked him several questions about his latest venture and about his views on various hot topics in cybersecurity.
Daan Pepijn: Thanks for taking the time to accept this interview, Joseph! Please tell me about your latest business, SecureMySocial.
Joseph Steinberg: SecureMySocial is a new, cloud-based system that warns people in real time if they are making inappropriate social media posts. It can prevent all sorts of problems that businesses have to deal with on a regular basis: posts that leak confidential information, violate government regulations, contain problematic language, etc. Depending on the situation, SecureMySocial can also automatically delete such posts if so authorized. The system is sold B2B; it is intended for employers to give their employees, and protects both groups without the need for an employer to monitor its employees’ social media accounts.
Daan: You recently completed editing the official study guide for an advanced information-security management exam, and have been writing thought-leadership pieces on information-security topics for years. You are a known expert on many areas of information security. Why did you decide to focus on the security impact of social media rather than on a more well-known area of information security such as combating nation-state hackers, preventing breaches, or the like?
Joseph: Of course, as you mention, I think and write about many areas of information security on a regular basis. But, everyone has limited time and resources, and I decided to focus on one area which I found was seriously problematic, getting worse with time, and had no already-existing viable solutions.
There are, of course, in-office compliance-type solutions and brand management services that scour the Internet for negative mentions of a company or its products, but, before SecureMySocial, there was nothing that could truly address the most dangerous risks of social media – employees posting problematic material from personal accounts.
You can’t generally use a compliance solution on personal accounts – that’s an invasion of privacy – and obviously, general reputational defense systems don’t address all sorts of non-reputational issues, and they aren’t always stopping problems in real time either.
It is important to realize that many people entering the workforce today grew up oversharing information on social media, and businesses are feeling the impact. At the same time, businesses need to increase their social media activities in order to communicate with, and create loyal customers out of, the younger demographic. These factors translate into a growing problem in an area of increased importance – and combine to establish a growing need for SecureMySocial.
Going back to your question, I should note that my focus on social media risks also encompasses a certain element of preventing breaches. Today, most, if not all, major breaches begin with some form of social engineering – it is a lot easier to breach human version 1.0 than firewall version 30.0 – and criminals are known to scour social media for overshared information that they can use to craft effective spear phishing emails or other social engineering campaigns. SecureMySocial helps prevent this type of information from falling into the hands of criminals – at times it actually serves as the first step in preventing major breaches.
Daan: What’s in it for employees?
Joseph: SecureMySocial obviously helps protect employees from getting fired or otherwise punished for making problematic social media posts. But, it delivers a lot more: it protects employees from a physical, financial, and personal perspective by warning them if they make a post that can harm themselves in any of these areas. Also, keep in mind that SecureMySocial reduces or eliminates the need for employers to scan employee social media posts – so, in many situations, it also greatly improves employee privacy.
Daan: You have been known not to shy away from taking controversial stands on various cyber-related issues – you expressed skepticism last year about the claims made by major media outlets including the New York Times of 1.2 billion passwords being stolen, and, on the flip side, you were widely quoted as having described HeartBleed as potentially "the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet." What do you think are the most controversial areas of information security today?
Joseph: Certainly among them are the issue of governmental spying and the government’s battle against the use of strong encryption by consumers. There are presently various politicians calling on governments to force firms to cripple encryption and censor social media for the sake of fighting terrorism (ironically, SecureMySocial can warn people if they are making posts that could prompt a government investigation).
I wrote an article about why governments crippling encryption is a bad idea, but, at a bigger picture level, it is important to remember that we have constitutional protections for a reason, and that it is no big deal to uphold them when there is no risk of doing so; the point of the Constitution is to protect and preserve those rights even when the need to do so is not as obvious.
Daan: You wrote a piece in Forbes about smart guns, and are credited with helping influence New Jersey legislators to change the state law that required all guns sold in the state to be smartguns once such technology is available. Are you opposed to government involvement in information security?
Joseph: I am certainly not opposed to proper government involvement in protecting our nation and its informational assets. The New Jersey law that you mention, however, which is in the process of being modified, was counterproductive and led to a near total stoppage of research into smartgun technology – technology that might have saved many lives. In that case, no legislation would have been far better than poor legislation.
The United States is living proof that the free market works wonders when it comes to facilitating the creation of better products, and, if the government wants to help drive smartgun technology it should offer incentives, not make market-busting demands. Likewise, when it comes to cybersecurity, while certain laws are obviously necessary, government funding, facilitation, and other forms of support are likely to produce better results than most mandates could achieve. Increasing the liability for failure to take appropriate action can also serve as a strong incentive to drive improvements.
Sometimes, however, perhaps in part due to lobbying as well as the contrast between quickly-evolving technology and the slow-moving nature of the legislative and regulatory processes, we have seen government action actually set the bar too low – there have been guidances and mandates that were outdated and insufficient by the time that they were established.
When it comes to SecureMySocial, we find that businesses obviously do want to stop employees from making posts that violate government regulations such as those related to disclosing insider information (the leakage of which undermines the fairness of our capital markets), and they want to keep their employees safe and looking professional, but they don’t want the government telling them how to achieve such security, and don’t want regulations that curtail other forms of free speech for reasons of dubious benefit.
Daan: Any final thoughts on where cybersecurity is headed?
Joseph: Criminals are increasingly focusing on people as the weak link in the security chain, and I expect more focus on fixing human-related issues in the upcoming years. We will also continue to see the expansion of mechanisms to keep organizations as secure as possible even if a persistent attacker successfully breached the perimeter.
The Internet of Things – and that’s not really the right term, it’s really the Internet of Everything, or the Internet of All Things – means that many new risks are emerging and will need to be addressed. And the success of past attackers means that hackers of all types – nation/state sponsored, criminals, hacktivists, etc. – all understand the potential payoff from hacking – so we’re definitely going to see plenty of hacking going forward.