Like him or hate him, there's no debating that President Trump loves to tweet. What is up for debate, though, is whether his tweet storms will complicate what is already stressful work for the Secret Service.
Enormous effort goes into protecting the President and his staff from hackers, and any tweets that could be deemed argumentative, hostile, or reactionary could elevate the risk of a targeted cyber attack on the White House.
In the same way, executives at major enterprises also need to be cautious in how they choose to represent the company through social media.
This type of security, said Larry Johnson, ex Secret Service agent and CSO of CyberSponse, is not just protecting the individual. Whether it's the Secret Service or the security team, "They’re protecting the company, the country, the assets."
"The Secret Service protects the office of the President, and social media falls over into their role. No matter what the president says, the Secret Service is protecting that office," Johnson said.
What the President or the CEO or any other executive says on social media has an enormous impact on the security of much more than a Twitter account.
When it comes to social media, it's not the outgoing messages that are most concerning. "It’s the inbound," said Johnson, "what is being said about what he’s saying that could pose a threat. They have to check every threat out. They have to do the due diligence."
That's why it's important for enterprises to have a social media process policy. "There are threats from employees, disgruntled employees, competitors posing as employees, so you really don’t want to say anything without it having gone through quality control," Johnson said.
Even though a lot of larger companies have social media policies and the CEO usually abides by the company policy when using it, some executives use social media for different reasons. "Once you use it, there is more opportunity to entice hackers, competitors, resistors," Johnson said.
Because online presence can invite engagement with bad actors, it's very important to have a process. "You're always in fear that you’re saying the wrong thing online, so there has to be quality control, a piece of the organization where a profession looks at things before they go out and determines that there’s nothing controversial that invites a firestorm."
The responsibility of the executive is to always protect the company’s reputation. "Social media," said Johnson, "is at the forefront. They don’t want an attack or a network intrusion."
John Wheeler, research director, security and privacy, Gartner said, "Executives simply need to use good “common business sense” to protect themselves from cybersecurity threats at work."
From a security standpoint, Wheeler said, "Utilize company secured applications and information resources for sensitive data communication. Avoid using “shadow IT” apps like personal file sharing solutions."
Because email accounts can be so easily compromised, Wheeler said, "Ensure all mission critical directives to employees or third-parties are properly authenticated. For example, do not communicate wire-transfer instructions simply via email."
Being aware, from a threat perspective, of their organization's exposure is also key to protection. Jeff Horne, vice president of corporate at Optiv, said "If the company is part of any legislation or negatively viewed by the public, they might have more risk from a target attack."
It is possible, however, for some executives to be a little more paranoid or have a lower appetite for risk, according to Horne. "They may take extreme measures. One of the most common mistakes they make is constant monitoring."
That's why threat intelligence becomes key in terms of protecting executives. Knowing whether somebody is trying to target their company in forums that pass compromised documents back and forth or whether the company has been targeted is important to consider when determining which protection measures are most critical.
"Self awareness from a social media perspective, often goes beyond the executive," said Horne. "If I'm going after an executive and trying to get sensitive information, they usually say absolutely yes up until the point where their family is associated."
Most high visibility executives have no social media or one that is heavily monitored by the company. "When a hacker learns that they are going to Disney, it is going to come through the children or the wife, those extended branches," Horne said.
That's when executives will see more targeted phishing attacks. Horne said, "I could fake an email from the school their child attends, and then they are clicking on a rogue website."
Engaging in cybersecurity conversations with family members becomes an additional responsibility for high visibility executives. "They probably need to turn off their children's Facebook timeline feeds or restrict them to friends only. Come to a common sense approach on tailoring security controls in Facebook," Horne said.
When traveling, executives need to be extremely aware of the countries they are visiting. "It's about situational awareness," Horne said. "The good news is that executives need fewer applications than a developer overseas. They can give an executive a burner phone or burner laptop that has inherent encryption on it."
If asked to relinquish any devices, they can say yes without the risk of having any sensitive data compromised or stolen.
Wheeler said that while traveling, "Avoid file transfer via external devices such as USB drives, especially drives obtained from third-parties such as vendors or conferences, and avoid public WiFi."
Horne agreed that public WiFi while traveling is risky, but even WiFi at home presents security risks. "Make sure they are using a secure wireless connection. I am not a fan of wireless at home for security reasons. I know everybody uses it and has at least one or two access points. They should be setting them up to use some sort of encrypted communication."
On this point, Horne said, "There will likely be some push back, but it's strongly recommended to make sure that the connection is absolutely secure. It's often a hard sell, but worth the push."
A second mistake many executives make is in keeping massive local archives. "That's a high risk," said Horne. "They want to be able to readily access email for the last five to 10 years, but they need to have a more a common sense retention policy for their email."
A good time frame for local archives is ideally anything under a year, said Horne, but sometimes that's just not possible. "One to three years, maximum because a lot of times the risk is from a legal perspective. The executives want to keep the local archives, but don't understand the risk associated," Horne said.
Holding onto those archives could result in a forensic nightmare and have legal ramifications. "If the company policy is to retain only three years, but an executive has 10 years of email, that is then included as evidence, and the IT team is require to open them up from a discoverability perspective," Horne said.
Putting the company reputation first, adhering to policies and procedures, and having situational awareness when opening emails or clicking on links are the keys to better protection.
Wheeler advised, "If it seems suspicious and/or too good to be true, it is a probably a legitimate cyber threat. “Caveat emptor applies not only to buyers of physical goods/services, but also to users of cyber goods/services."