
One CISO, one fake LinkedIn account: Here's what he found out about his staff

Do you know what your staff are saying about your company and your competitors on social media sites, and the costly risk you are taking if you don't monitor it?

Graham McKay, Chief Information Security Officer for DC Thomson, one of the UK's leading media organisations and publisher of The Sunday Post, gave an eloquent and compelling presentation to the Gartner Conference in London last week, in which he amply illustrated the risks and the policy decisions that are essential if you are to protect your brand and your reputation from those risks.

McKay set up a fake LinkedIn account and invited his staff to connect. Within a week 28 had accepted his fake personality, and 89 per cent of them blindly accepted via email. It was a classic phishing ploy which, had it been sent by an attacker, would have massively exposed the company to malware and ongoing attack.

"I then sent a message to all the staff telling them that this is the type of spear phishing people will do, but many days later these people were still accessing it. I asked them all why they accepted the email and many said that had it been received at home they wouldn't have trusted it, but because it was work-based they didn't suspect it. But spear phishers are skilled at impersonation."

And this was only one of the social media risks which McKay outlined. DC Thomson own Friends Reunited, and recently a member of staff posted a seriously inappropriate Tweet about the tragic Woolwich shootings. Had his team not been monitoring the social media postings, the company's reputation would have faced a serious beating. But within a short time it had been spotted and taken down, and a message was posted saying:

"An inappropriate tweet was put up by a member of staff this afternoon. It was done without the approval of the company's management and was taken down within minutes. The member of staff now faces disciplinary action. We will make sure this never happens again."

A social media policy which your staff know and accept is a critical foundation of any company's management of its reputation, says McKay. Best practice involves setting up that policy, educating the company's social media spokespeople on the correct content and tone, and ensuring all employees are aware of the policy.

Once that is in place, the company can monitor social media for mentions of its brand and take action where necessary.

McKay cited an example of an Apple employee in the UK who had posted derogatory comments about the company on his Facebook page. "Apple have a social media policy which prohibits any commentary on Apple products or any critical comments about the brand itself," he said.

The employee was taken to an Employment Tribunal where he claimed that his comments were private and only visible to friends. But the tribunal held that because his friends could easily copy and share the comments they were not protected communications.

Decision: Apple could limit the right of its employees to freedom of expression where it was for the purposes of protecting its commercial reputation.

McKay also caught a staff member's posting that gave away non-public details of the company's clients, despite the employee having no authority to comment on company matters.

"This is all about trust and responsibility," says McKay. "No posting of confidential information, and only speak about work if you are an authorised spokesperson. And if you are, then we provide training on the content and tone of the messaging which is put up on social media. If you have an acceptable and commercial use policy then the staff have to accept it and be responsible for their actions."