At the root of any infosec program, regardless of sector, resource availability, maturity or any other measure, is the idea of mitigating risk to a level that is acceptable to an organization. The idea of information security assumes that the framework to identify and measure risk exists in the first place. Unfortunately, this is easier said than done, especially in the day and age in which we live.
In the last year we’ve seen an already robust adoption of cloud services accelerate further in response to COVID-19. Video conferencing services saw usage grow exponentially; physical conferences made the quick transition from large in-person gatherings to all-digital delivery. As a result, platforms such as social media became a necessary means of communication as well as a way to stay connected in a world without physical gatherings.
Unfortunately, what can be used to build and connect can be, and has been, used to spread false information, both innocently and maliciously. Beyond the ethical and business dilemmas that have played out with platforms like Twitter and Facebook, there is the overarching issue of misinformation and disinformation. One need look no further than the 2020 elections. Throughout the year social media was filled with conspiracy theories, pointing the finger at anyone and everyone and, in some instances, at anything but the truth. The examples are too numerous to list, but it is not hyperbole to say that many of these disinformation campaigns have resulted in harm or even death. The article “COVID-19–Related Infodemic and Its Impact on Public Health: A Global Social Media Analysis”, published in the American Journal of Tropical Medicine and Hygiene, reports that at least 800 people may have died due to misinformation related to COVID-19. This type of information is a serious concern and one that information security professionals need to take into consideration, both from a risk-profile perspective and as a source of intelligence.
The risk associated with social media is multi-layered. It has become this generation’s version of the newspaper, telegraph, and television. According to Statista.com, there are 3.6 billion social network users in the world, with that number projected to reach 4.41 billion by 2025. No other digital vehicle in history has had a wider reach. This fact alone should be cause for information security programs to take note. We should be asking ourselves what is being shared on these platforms and whether it can hurt our organizations.
In addition to its proliferation, there is the risk of how fast information can be shared and disseminated on these platforms. The velocity of information sharing can often impede one’s ability to correct misinformation or disinformation on social media. By the time social media vendors, or those affected by mis/disinformation, attempt to address or refute incorrect information, the damage is often already done and irreparable. One significant difference between print and social media is the rules by which they operate. Print media, such as newspapers (at least credible ones), follow journalistic standards and will formally acknowledge when information has been printed or shared incorrectly. Social media platforms have implemented their own controls, but because they are social sharing platforms, the rules that (again, reputable) journalists follow don’t apply.
So why suggest that social media needs to be added to infosec’s radar? It fundamentally comes down to risk and intelligence. Social media is oftentimes a barometer not only of organizational cyber risk but also of kinetic, or physical, risk. For example, during the 2020 elections social media was used not only to share opinions about the elections but also as a tool for coordinating protests and other activities. The use of these platforms wasn’t limited to logistics; it also extended to activities such as doxing and threatening physical harm towards elected officials across the country.
The primary risk associated with social media is the propagation of disinformation and misinformation. Granted, this impact may be felt in different ways by different organizations and sectors, but the one thing that everyone can agree upon is that they care about their brand and its perception. Whether it’s a government agency, a marketing firm or a small brick-and-mortar retailer, everyone is acutely aware of the effect that negative perception, lack of trust and the like can have on an organization. Frankly, there is no quicker way to damage the public’s view of a company than to take to social media.
This has become the new norm, one that many infosec programs are just beginning to explore. At the end of the day, information security programs across all sectors need to account for social media, both as a threat vector and as a source of information about organizational risk.