In February 2021, the data from 500-million LinkedIn users were leaked by hackers. In June 2021, more than 700-million LinkedIn users had their data leaked and put up for sale. In June 2022, the FBI said that the fraud on LinkedIn posed a significant threat to the platform and its users. The site has become one of the riskiest social media platforms to date. It allows for users to reveal deeply personal and relevant business information without authorisation; it allows for fraudsters to impersonate employees, and gain trust and access to information which can potentially put a company’s reputation on the line if an employee posts libellous or unpleasant content.
By now, most people recognise that social media isn’t the place to put personal information or sensitive credentials. However, LinkedIn introduces a very different dynamic as it’s geared around sharing certain personal information more related to company insights, and career-related data. All these slices of information can be used by bad actors to impersonate people and, if they do this well, they can gain access to information that can do immeasurable damage to the company or that employee.
One concern is how information sourced by someone impersonating an employee could be used to infiltrate the organisation itself. The hacker could use personal details, passwords and other shared data to enter the primary system and cause untold damage. On the flip side, they could use the information for extortion – they steal the account and demand a ransom to release it. And this account can be either personal or the business account. It sounds dramatic. It sounds crazy. LinkedIn is about bragging and brands, right? Yes, but it is also the most impersonated brand for phishing attacks according to research.
Users often perceive LinkedIn as safe and this introduces a false sense of security – it’s a business-focused platform, surely that makes it secure? The SA Social Media Landscape report from World Wide Worx and Ornico underlines the stability and appeal of the platform to serious users.
The problem is that this platform is incredibly popular and populated which means that the people who use it, and the companies they represent, are at risk. This risk can take many forms – hacking, fraud, impersonation, phishing and libel – and companies need to be prepared to handle these challenges today.
One of the most significant risks is the credentials people use to access social media. People tend to use the same credentials on their social pages as they do to log into the business. This is often because the credentials provided to them by the business are designed to be secure, but also because people don’t want to remember hundreds of different passwords. As a result, if LinkedIn passwords get compromised then organisations are compromised.
To mitigate this problem, ensure that people posting on behalf of the business follow the same password policy as they do when operating within the business. This, at least, is something you can enforce. Then, introduce training within the company that underscores the importance of not using business credentials anywhere else, especially not on social media. Finally, if you have a business account on LinkedIn, don’t accept connections from everyone – you need to vet all connections to ensure that you’re not adding credibility to a hacker by adding them to your network.
In addition to the ongoing security risk presented by this platform there is the reputational risk. There is a fine line between a personal profile and how a person represents a company. It’s tricky. If a person is posting content that goes against the company ethos, how can the company tackle the issue? On one hand, social media platforms are personal portals and not subject to corporate control. On the other hand, if a person is posting content that upsets people, or that can be labelled as hate speech, they are crossing all kinds of business lines.
This is a tricky problem to resolve as people have the right to social media and to post on their profiles. However, it’s worth including limitations around offensive behaviour and language in an employment contract. It’s not unreasonable to ask for ethical behaviour when a person represents the company, and if a person isn’t comfortable with that, then they may not be a good fit, to begin with.
As the world of social media continues to evolve and change, companies need to adapt and change along with it. Security must remain a priority across all aspects of social media engagement, and even though few companies are fans of introducing constraints on personal freedom, safeguards do need to be put in place to protect other employees and the business as a whole.