Information Security and Social Media Marketing Campaigns

Social media marketing creates security challenges: marketers need social network access (greater risk exposure), fast-changing campaigns may spawn uncontrolled satellite web servers, brand impersonation attacks target customers, and federated identity authentication loses control to third parties like Facebook.

Organizations large and small have embraced social media as the new venue for marketing campaigns. What security risks should the organizations consider as part of these efforts?

Social media campaigns allow the organization to interact with its customers on social networks—to go where the customers are—rather than bring the customers to the organization’s own website. The business processes associated with these efforts are as new as the understanding of the risks tied to such social media interactions.

Anticipating Fast-Changing Social Media Marketing Tactics

If you have information security responsibilities, you need to think not only of how your employees interact with social networks as end-users, but also how your marketers use social media to interact with your customers. Your company probably has a marketing team that is either planning to or is already using social media.

A good starting point for learning about the role that social media and social networking plays in marketing is the 2010 Social Media Marketing Industry Report. The research data it presents supports the following point:

Most marketers are new to the world of social media and are still trying to figure out how to best use it. Many are also looking for ways to measure the Return on Investment (ROI) of social media campaigns.

This means that your organization’s marketers will be likely to change tactics quickly, trying campaigns and abandoning approaches that don’t seem to work. Information security personnel needs to be prepared to handle fast-changing infrastructure requirements that might drive these short-lived campaigns.

Security Risks of Social Media Marketing Campaigns

Here is my overview of the key risks associated with social media marketing efforts from the perspective of the organization launching the campaigns:

Protect your marketers: Marketers who conduct social media marketing campaigns need to have access to social networking sites, such as Facebook, Twitter and LinkedIn. Organizations who restrict access to social networking sites will probably need to create exceptions for designated marketing personnel. As the result, marketers may be at a greater risk of being attacked through social networks (e.g., phishing, data leakage, malicious links, etc.).
Watch out for satellite web servers: Social media marketing campaigns are likely to be fast-conceived. In addition to making use of social networking sites, they may need to set up landing pages on satellite web servers. If your organization’s IT department cannot set up these servers quickly, marketers might take it upon themselves to provision the websites elsewhere. The satellite servers outside of your control, if compromised, will adversely affect your organization’s security posture by leaking data, undermining good will, undermining compliance efforts, and so on.
Monitor for impersonation attacks: Organizations who are active on social networks might be impersonated by attackers who target the organizations’ customers. For instance, a fraudulent marketing campaign on social networking site might look like it is conducted by the organization, but it might actually be conducted by someone else. In the style of phishing attacks, impersonation incidents put the organization’s customers’ data at risk, and may tarnish the organization’s reputation.
Consider the federated/delegated identity trust: Some websites allow the organization’s customers to authenticate to their favorite social networking site, and use that identity to access personalized content on the organization’s own website. Facebook for Websites is one platform that delivers such capabilities; it was designed to “make your website more personalized and social.” Organizations lose control over authentication when relying on identity attestation provided by a third party, such as Facebook.

Did I leave any key risks out?

My goal was to look at security concerns of social networks from the perspective of having to support the organization’s social media marketing efforts. These types of risks have seen little discussion, so I thought I’d throw in my two cents.

For more on this topic, see my other posts that discuss social networking, social media and security.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →