Government spending on defense contracts topped $445 billion in 2020. These contractors inhabit a realm where classified and top-secret information is their focus. It stands to reason, then, that security should be at the highest level.
Although budgets are often allocated to defend the perimeter, there’s another potential exposure point that’s too often overlooked: social media. And while this is true across sectors, it’s particularly concerning for defense, given that these organizations are often dealing with matters of national security. Minimizing these exposure points reduces the overall risk of compromise, not only for executives but also for the company networks they are an integral part of.
The cybersecurity risks of social media
The advent and growth of social media have opened new avenues for personal communication and corporate messaging and positioning. These are all benefits, but there are negatives, as well. It’s well-known by now that one wrong tweet can get an individual or company cancelled, but what’s less well known is the cybersecurity risk it introduces. This risk affects not only individuals but the organizations they work for, as well.
Once you have an online presence, your information becomes public, for all to see. That includes malicious actors, who can harvest it for their criminal purposes. That means every piece of personal information you put online puts you at greater risk. This isn’t just the case for celebrities and other high-profile individuals; there’s not a single person who doesn’t hold some level of interest for a criminal.
The risk doesn’t just come from the content you share, either; social media memes or quizzes are just two examples of how bad actors obtain information about you. For instance, you’ve seen memes that say something like “Your superhero name is your mother’s maiden name plus the make of your first car. Post your answer below!” Those answers represent two more data points about you – and specifically, two potential password recovery answers that a criminal can use to reset your account passwords or create realistic phishing emails.
One or two points of information aren’t likely to be dangerous, but if you become the target of an attack, the bad actor will look for more crumbs of information across your social accounts. Any content that’s publicly available is a potential risk. But it’s not only the public content you share, or that’s shared with you, that poses a risk: there’s still risk if your social accounts are private.
For instance, your Facebook profile image is public, and your connections can comment on your profile image if you’ve changed it recently. Even if you don’t reveal your interests, history, education or location, a bad actor can conduct life pattern analysis or pattern analysis across relationships. They can gather information about you based solely on your relationships, whether you share it or not, which is one highly valuable method attackers use to glean data from “private” accounts.
Examining executive risk in the defense sector
In a social media risk assessment of 165 U.S. defense contractor executives, PiiQ Media researchers identified available social media accounts for each executive across LinkedIn, Facebook, Twitter and Instagram. They then applied PQ Risk’s analysis and scoring.
Researchers were able to identify a business email address for 100% of executives; more than 64% of executives had three or more social media accounts that were easily discoverable.
They also found that 46% of executives had email accounts that lacked proper security and authentication protocols, which enables attackers to impersonate valid email accounts more easily.
The phishing threat
The above factors magnify the risk of social engineering-based attacks, also known as phishing – the most successful and popular attack vector and one of the most significant threats to organizations overall. According to the 2021 Verizon Data Breach Investigations Report, such attacks have increased by 11% from the prior year.
The first step attackers take is usually to identify persons of interest based on an association with a company, a job title or another organization built around membership or interest. PiiQ’s analysis found that a majority of executives publicly offer this information, and relationships related to employment and interests were accessible for 99% of the executives researched.
Best practices for social media safety
As with most cybersecurity initiatives, overcoming social media risk must begin with education. Most people probably don’t realize that their seemingly innocuous social media activity could actually be putting their company at risk.
The only way to effectively lower organizations’ risk of advanced social engineering-based attacks is to adopt more detailed guidelines for corporate social media use, incorporate regular employee social media risk assessments and provide more tailored awareness training for employees, especially those at higher risk – the executives.
Minimize your risk
Defense contractors take on a sacred trust when they agree to provide products and services intended to safeguard the networks and data of the federal government. The defense sector deals with some of the world’s most sensitive information, which means cybersecurity needs to be top of mind and top-of-the-line. The social media threat vector is one that is often overlooked, but its potential for harm is too great to remain unaddressed. Survey analysis proves that executives within the defense industry have easily accessible public information online that criminals can collect and use to target their organizations. Use the best practices noted above to re-examine your social media policies and exposure.
Written by Darren Millar.