Share, and Beware
In a world where oversharing personal information is easy (and all too common), it’s wise for workplaces to give their employees guidance on what NOT to post to their social network profiles. That guidance belongs in a written social media policy. This goes beyond upholding a high standard of morality or etiquette in online profiles and posts. It’s about how revealing enough information about your job and responsibilities makes you a target for spear phishing, a crime which can affect not just one individual but an entire company.
Cyber crime is most often motivated by monetary gain, which includes stealing proprietary information to gain a competitive advantage in business. Even public entities are at risk thanks to the rise of business e-mail compromise (BEC), in which the attacker impersonates a high-ranking official and requests wire transfers to foreign bank accounts. The FBI reported that between October 2013 and February 2016, companies victimized by BEC scams (which are carried out through spear phishing) collectively lost more than $2.3 billion. And that’s only what was reported!
Those who deal with finances are not cyber criminals’ only spear-phishing targets. ANYONE with access to PII, PHI, proprietary information, administrative access to technology tools, or access to control systems is at risk. This is why training is crucial and should be tailored to an employee’s level of access and the sensitivity of his or her role. Here’s one method to “drive home” the problem with oversharing.
If your company or organization has many people, gather them together and pick one member’s social network profile (LinkedIn is a good source, since professional profiles there are often filled with sensitive details). You can also use a competitor’s profile. Just pick one that shares too many sensitive details, then pick a second that does not. Blank out the name and picture on each profile before sharing them with your trainees.
Have the group read the profiles and list what they can learn about each individual. Then pose the question: “If you were a hacker who wanted access to the company’s information for [XYZ], which person would you target?” The point is to compare and contrast the two profiles and get users thinking like an attacker. Naturally, they should choose the person with more information exposed, because that person is more likely to have what the attacker is after, and the exposed details make a convincing pretext much easier to write. To finish, provide some BEC statistics to show just how common these scams really are.
It’s hard to give specific guidance on what should and shouldn’t be posted in a public profile unless you’re well-versed in what your organization needs to protect. There are some details (like the position title “Chief Financial Officer”) that will cause a person to be targeted regardless of any precautions that are taken. However, it is still important to never share the following information:
- Project names of projects that are not public
- Access to highly sensitive data (e.g., holding a Secret clearance)
- Specific technologies/tools related to sensitive data or systems
Another point to make during this training:
Remember that when you’re connected online to someone in the same organization (and potentially the same department), you can STILL be a target even if you take every precaution with your own information. If a connection of yours is too revealing, criminals can infer that you have similar access to your company or organization’s information. This is yet more proof that what you do online can and does affect others, and it’s very important to keep in mind.
Sharing projects and personal details on your social network profiles seems like a good idea. It makes you look more knowledgeable and more desirable in the job market. The downside? It also makes you easier to target. Treat your public profile as part of your personal security and review what it reveals before you post. If you share, you’d better beware.
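As an added illustration of the two points above (the list of details that should never be shared, and the way a revealing connection exposes a careful colleague), here is a small Python checker that is not part of the original post. It scans constructed sample profile text for the three categories in the list, then propagates each person’s findings to their same-organization, same-department connections so that a “clean” profile still shows the exposure it inherits from a revealing colleague. The project names, technology keywords, people, departments and profile text are all made-up assumptions for the example; a real deployment would load the project watch list and keyword list from the organization’s own policy.

```python
import re
from dataclasses import dataclass, field

# Assumption: hypothetical non-public project names the organization wants kept off public profiles.
NON_PUBLIC_PROJECTS = ["Project Bluefin", "Orion Ledger"]

# Patterns for the other two categories in the guidance above.
# Assumption: the technology keywords are examples, not a complete list.
PATTERNS = {
    "clearance": re.compile(r"\b(?:top secret|secret)\s+clearance\b|\bTS/SCI\b", re.I),
    "sensitive_tech": re.compile(r"\b(?:SCADA|PLC|SWIFT|domain admin)\b", re.I),
}


@dataclass
class Profile:
    name: str
    org: str
    department: str
    text: str
    connections: list = field(default_factory=list)  # names of connected profiles


def scan_profile(text):
    """Return (category, matched_text) pairs for every disclosure found in one profile."""
    findings = []
    lowered = text.lower()
    for proj in NON_PUBLIC_PROJECTS:
        if proj.lower() in lowered:
            findings.append(("non_public_project", proj))
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    return findings


def inferred_exposure(profiles):
    """For each profile, collect its own findings plus findings inherited from
    connections in the same organization and department (the colleague effect)."""
    by_name = {p.name: p for p in profiles}
    result = {}
    for p in profiles:
        inherited = []
        for cname in p.connections:
            c = by_name.get(cname)
            if c is not None and c.org == p.org and c.department == p.department:
                for finding in scan_profile(c.text):
                    inherited.append((cname,) + finding)
        result[p.name] = {"own": scan_profile(p.text), "inherited": inherited}
    return result


def rank_targets(profiles):
    """Order people the way an attacker would: own disclosures count fully,
    disclosures inferred from colleagues count half. Ties break alphabetically."""
    exposure = inferred_exposure(profiles)
    scores = {name: len(e["own"]) + 0.5 * len(e["inherited"]) for name, e in exposure.items()}
    return sorted(scores, key=lambda n: (-scores[n], n))


def sample_profiles():
    # Constructed sample data for the example; not real people or a real company.
    return [
        Profile("Alice", "Acme Corp", "Finance",
                "Senior accountant at Acme Corp. Lead on Project Bluefin reconciliation; "
                "daily SWIFT wire approvals.", ["Bob"]),
        Profile("Bob", "Acme Corp", "Finance",
                "Accountant at Acme Corp. Team player.", ["Alice", "Carol"]),
        Profile("Carol", "Acme Corp", "Engineering",
                "Controls engineer at Acme Corp maintaining PLC and SCADA systems; "
                "holds an active Secret clearance.", ["Bob"]),
    ]


if __name__ == "__main__":
    profiles = sample_profiles()
    for name, exposure in inferred_exposure(profiles).items():
        print(name, "own:", exposure["own"], "inherited:", exposure["inherited"])
    print("attacker's target order:", rank_targets(profiles))
```

Bob’s profile contains nothing sensitive, yet he inherits both of Alice’s disclosures because they share a department, which is exactly the situation the paragraph above warns about. Carol ranks first because her profile alone reveals a clearance and two control-system technologies.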