Introduction

Social media and messaging apps can pose a number of security and privacy risks to both organisations and individuals when used in an inappropriate or unsafe manner. Due to their popularity, social media and messaging apps are a common way for an adversary to gather information on organisations and their employees, projects and systems. Even social media and messaging apps targeted at children or teenagers present a risk that sensitive or embarrassing information will be disclosed.

When sensitive or embarrassing information is posted to social media, or shared via messaging apps, it has the potential to harm individuals and Australia’s national interests, security or economic wellbeing. Information that appears to be benign in isolation could, if aggregated with other information, have a considerable impact.

Personal information posted to social media, or shared via messaging apps, can also be exploited. Even seemingly benign posts, messages, photos or videos can be used to develop a detailed profile of an individual’s lifestyle and hobbies. This information could be used in extortion or social engineering campaigns aimed at eliciting sensitive information, or at influencing individuals to compromise an organisation’s systems.

Information posted to social media (even in private or direct messages), or sent through messaging apps, may be accessible to the social media and messaging app companies themselves. This information can be stored outside of Australia, where it may be subject to lawful and covert data collection requests by other countries, and Australian legislation and privacy or consumer laws may not apply.

The compromise of social media or messaging app accounts could also contribute to identity theft, fraud, reputation damage or embarrassment to individuals.
Social media for business purposes

The following measures should be implemented for corporate social media accounts:

- Ensure only authorised users have access to corporate social media accounts, and that access (either direct or delegated) is revoked immediately when there is no longer a requirement for it.
- Ensure users are informed of, and agree to, their organisation’s social media usage policies.
- Ensure users are trained on the use of corporate social media accounts.
- Ensure users are aware of what can and cannot be posted to social media using corporate social media accounts.
- Ensure users are aware of processes for responding to the posting of sensitive or inappropriate information to social media.
- Ensure users are aware of processes for regaining control of hijacked corporate social media accounts.

Social media for personal purposes

The use of social media for personal purposes should be governed by common sense and a healthy level of scepticism. For example, there have been numerous incidents where social media has been used to distribute inaccurate information (i.e. ‘fake news’). Other incidents have involved accurate information being redistributed by a very large number of automated accounts in an effort to draw additional attention to it or to sway reader opinion.

The following measures should be adopted by individuals for the use of personal social media accounts:

- When creating social media accounts, use an alias rather than disclosing full names.
- Use a personal email address rather than a business email address. If possible, use a separate personal email address for social media.
- Ensure privacy options are understood and applied. Use a private profile where appropriate.
- Restrict the amount of personal information posted to social media, such as home or work addresses, phone numbers, place of employment, and any other sensitive information.
- Within reason, monitor information posted about you by others to prevent disclosure of personal information.
- If locations or movements are sensitive, be aware of social media and messaging apps that automatically post such information.
- Remove location data from any pictures before posting them to social media or sharing them via messaging apps.
- Carefully consider the type of information posted to social media or sent via messaging apps, as it can be very difficult to remove or recall what was previously posted or sent.
- Be wary of accessing shared links or attachments, including via social media and messaging apps.
- Be wary of unsolicited contact. Avoid accepting requests from unknown people.

Securing social media accounts

The following measures should be implemented for the use of both corporate and personal social media accounts:

- Where possible, use multi-factor authentication. In all cases, use a unique passphrase for each social media account: multi-factor authentication supplements a unique passphrase rather than replacing it.
- Do not share or email passphrases for social media accounts.
- Do not elect to remember passphrases for social media accounts, unless they are stored in a password vault.
- If asked to set up security questions to recover social media accounts, do not provide answers that could easily be obtained from public sources of information. A random answer stored in a password vault is safer than a true one.
- Do not use social media accounts from untrusted devices, such as those in internet cafes or hotels.
- Do not configure social media accounts to automatically sign in on shared devices. Always remember to sign out of social media accounts after use on shared devices.
- Use lock screens and a passphrase on any devices that have access to social media accounts.
- Remember to close old social media accounts when they are no longer required.

Securing mobile app permissions

Most social media companies provide a mobile app for use on the go.
These mobile apps can create additional security and privacy risks, which should be considered before installation and reviewed regularly:

- Be aware of social media companies’ policies, which may include collection of data about users and their devices.
- Ensure devices use the latest available operating system, as newer versions provide finer control over individual mobile app permissions.
- Only install mobile apps from trusted stores, such as Google Play or the Apple App Store.
- Be wary of mobile apps which require or request excessive permissions for the functions they provide.
- Check mobile app permissions and security settings after updates, as these can change over time.
- Be mindful that mobile app permissions and security settings cannot completely remove the risk of information being compromised. Mobile apps may collect more information about users and devices than they openly declare.
- Be aware that information collected and transmitted offshore may not be protected by Australian legislation and privacy or consumer laws.

Further information

The Information Security Manual is a cyber security framework that organisations can apply to protect their systems and data from cyber threats. The advice in the Strategies to Mitigate Cyber Security Incidents, along with its Essential Eight, complements this framework.

Further information on detecting socially engineered messages is available in the Detecting Socially Engineered Messages publication.

Further information on common types of scams, and on reporting a scam you have seen or fallen victim to, is available from the Australian Cyber Security Centre.

Further information on securing personal devices is available in the Security Tips for Personal Devices publication.
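The measure above on removing location data from pictures is concrete enough to show in code. The following is an added example, not code from this publication: it scans a JPEG for an Exif block whose top-level IFD carries the GPSInfo pointer (tag 0x8825), and strips the Exif and XMP APP1 segments before the file is shared. It uses only the Python standard library; the sample JPEG it builds is constructed for the example (a well-formed container with an empty scan, not a real photo), and the function names are the example's own.

```python
"""Detect and strip Exif location metadata from a JPEG before sharing it.

Added example (standard library only). Function names are the example's own.
"""
import struct

EXIF_PREFIX = b"Exif\x00\x00"
XMP_PREFIX = b"http://ns.adobe.com/xap/1.0/\x00"
GPS_IFD_TAG = 0x8825   # IFD0 entry that points at the GPS sub-IFD
EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment after SOI.

    Stops at SOS (the entropy-coded scan runs to the end of the file) or EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # fill bytes
            pos += 1
        if pos + 2 > len(data):
            break
        marker = data[pos + 1]
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if marker == SOS:
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # includes itself
        end = pos + 2 + length
        yield marker, pos, end
        pos = end


def ifd0_has_tag(tiff, wanted):
    """True if the first IFD of a TIFF structure contains tag `wanted`."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):                      # 12-byte entries, tag first
        entry = ifd0 + 2 + 12 * i
        (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
        if tag == wanted:
            return True
    return False


def has_gps_metadata(data):
    """True if the JPEG carries an Exif block whose IFD0 points at a GPS IFD."""
    for marker, start, end in iter_segments(data):
        if marker != APP1:
            continue
        payload = data[start + 4:end]          # skip marker (2) and length (2)
        if payload.startswith(EXIF_PREFIX):
            return ifd0_has_tag(payload[len(EXIF_PREFIX):], GPS_IFD_TAG)
    return False


def strip_location_metadata(data):
    """Return a copy of the JPEG with Exif and XMP APP1 segments removed.

    Dropping the whole Exif block is the conservative choice: it also removes
    orientation, timestamps and camera details, not just the GPS IFD. XMP is
    dropped wholesale rather than parsed, since it can carry location too.
    """
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and (payload.startswith(EXIF_PREFIX)
                               or payload.startswith(XMP_PREFIX)):
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample for the example: a minimal, well-formed JPEG
    (JFIF APP0, Exif APP1 with a GPS IFD, empty scan) rather than a real photo."""
    le = "<"
    gps_ifd = 8 + 2 + 2 * 12 + 4        # IFD0 has two entries; GPS IFD follows it
    ifd0 = struct.pack(le + "H", 2)
    ifd0 += struct.pack(le + "HHI4s", 0x010F, 2, 4, b"ACS\x00")       # Make, ASCII
    ifd0 += struct.pack(le + "HHII", GPS_IFD_TAG, 4, 1, gps_ifd)      # GPSInfo pointer
    ifd0 += struct.pack(le + "I", 0)                                   # no next IFD
    gps = struct.pack(le + "H", 1)
    gps += struct.pack(le + "HHI4s", 0x0000, 1, 4, bytes([2, 3, 0, 0]))  # GPSVersionID
    gps += struct.pack(le + "I", 0)
    tiff = b"II" + struct.pack(le + "HI", 42, 8) + ifd0 + gps
    exif = EXIF_PREFIX + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
            + b"\xff\xda" + struct.pack(">H", 2)           # empty scan
            + b"\xff\xd9")


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned = strip_location_metadata(original)
    print("GPS in original:", has_gps_metadata(original))   # True
    print("GPS after strip:", has_gps_metadata(cleaned))    # False
```

Do the stripping on the device before the file leaves it rather than relying on the receiving platform: a picture sent as an "original" or "document" through a messaging app may be passed on unmodified. Other containers (HEIC, PNG, video files) store location differently and are not handled by this example.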
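The measure above to use multi-factor authentication where possible, and the Turning on Two-Factor Authentication publications listed next, both rely on the app-generated codes defined by RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from this publication or from any of the services listed: it computes the code an authenticator app shows and performs the server-side check with a clock-drift window and a constant-time comparison. It uses only the Python standard library and the shared test secret from the RFCs; the function names are the example's own.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, as computed by an authenticator app and
checked by the service. Added example, standard library only; function names
are the example's own."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    (code,) = struct.unpack(">I", mac[offset:offset + 4])
    code &= 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based one-time password (RFC 6238): HOTP over floor(time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the current step and `window` steps either
    side to tolerate clock drift, and compares in constant time. Every
    candidate is evaluated even after a match so timing does not reveal
    which slot matched."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    submitted = code.encode("utf-8")
    matched = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted):
            matched = True
    return matched


def secret_from_base32(text):
    """Decode the base32 seed shown during enrolment (spaces and lowercase tolerated)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59, digits=8))          # 94287082 (RFC 6238 vector)
    print(verify_totp(RFC_TEST_SECRET, "287082", at=59))   # True
```

The drift window is why a code is still accepted for a short time after it rolls over, and the seed is why the enrolment secret (or the QR code encoding it) must be treated like a passphrase: anyone holding it can generate every future code.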
Further information on enabling multi-factor authentication for social media accounts is available in the following publications:

- Turning on Two-Factor Authentication – Apple ID
- Turning on Two-Factor Authentication – Facebook
- Turning on Two-Factor Authentication – Facebook Messenger
- Turning on Two-Factor Authentication – Gmail
- Turning on Two-Factor Authentication – Instagram
- Turning on Two-Factor Authentication – LinkedIn
- Turning on Two-Factor Authentication – Microsoft Accounts
- Turning on Two-Factor Authentication – Signal
- Turning on Two-Factor Authentication – Twitter
- Turning on Two-Factor Authentication – WhatsApp and WhatsApp Business
- Turning on Two-Factor Authentication – Yahoo!

Contact details

If you have any questions regarding this guidance you can write to us or call us on 1300 CYBER1 (1300 292 371).