Your Interns, Your New Hires and Even Your TA Teams Are Putting Your Company at Risk

As human resources teams onboard their summer interns, they'll notice that many are eager to celebrate their first day by sharing photos online. It may even be tempting for social media teams to post a picture on the company's social media pages to officially welcome the new interns. But before posting that #CompanyName, #WorkLife or #FirstDayofWork photo, consider the security risk such a post might pose for your company.

When an intern posts a photo of their desk or company badge, or streams a "day in the life" video, sensitive information is often inadvertently revealed, and an attacker can use it to harm the organization. From such posts, an attacker may pick out passwords on sticky notes, the software systems visible on desktop screens and other confidential company data lurking in the background, all of which helps them plan their attack. A badge that is clearly visible in a photo can be replicated, letting them walk into the building unchallenged and reach valuable information. I would know — I'm a hacker myself. The difference is, the "victim" company has hired me to do it.

In my role as “Chief People Hacker” for IBM X-Force Red, companies hire us to test their security. I spend my days discovering information about our target via research, and often, using that information to break into their office space. Social media is my first stop for finding information that can help get me through the doors of a company.

Interns’ social media accounts are a goldmine of intelligence as I prepare for an attack. In fact, around 75% of the sensitive information I find on social media comes from interns or new hires. Generation Z’s tendency to overshare online combined with lax security training during internship onboarding is a recipe for disaster when it comes to security and business risks. Fortunately, once you understand what these risks are, there are simple steps you can take to prevent them.

Oversharing online

Gen Z is the most avid generation of social media users to enter the workforce to date. Among those who are between the ages of 18 and 24, 75% use Instagram, 73% use Snapchat, 76% use Facebook and 90% use YouTube, according to Pew Research. Introducing this group of users to their first workplace experience without social media security guidelines is a huge risk that most companies are not considering.

However, interns aren’t the only target for hackers looking to steal this information. New full-time hires pose a risk as well. For companies that don’t include social media security awareness training as part of new hire onboarding, these employees may never be trained on proper social media use. Excited about their first day, they’ll often post a hash-tagged selfie or show off their new desk in a post without realizing that sensitive company information may be in the background.

It's also too easy for HR and social media teams themselves to put the organization at risk: in showcasing all the fun things that make their workspaces and programs look exciting and alluring to new talent, they post photos and videos that expose sensitive content.


For example, take the case of a “day in the life” video I recently saw posted by an organization’s social media team. They followed one intern with a camera from the start of their day to the end. In the first scene, our team went frame by frame until we found one that showed the intern logging into their laptop at their cubicle. A sticky note was stuck to the laptop with that intern’s new password. This seemingly friendly video contained content that could be used to compromise the organization’s security.

None of your (hacker’s) business

Security awareness programs are generally not the most exciting part of a new job. As a result, this part of the onboarding process is often rushed or forgotten altogether. Even in the most thorough security training, it’s easy to gloss over social media habits to focus on issues like password strength and phishing emails.

Here are a few takeaways to ensure that your interns, new hires and even longtime employees don’t let their enthusiasm for social media expose content that could help a hacker in their quest to infiltrate a company:

  • Don’t skip the security training — Make sure your interns and new hires are getting this as part of their onboarding process. You can make this fun and effective by helping them understand the ways a hacker could use the seemingly harmless information they might consider posting.
  • Rethink your social media security policy — Don’t attempt to draft one long policy that people are unlikely to read. Cover the most important rules, including those that relate to avoiding security risks — not just the privacy and behavior best practices. Have employees read the policy and sign off on it physically during onboarding.
  • Train managers and social teams to spot the risk — Train your social media and digital teams to review visual content posted to social networks or any other external platform through a security lens. Managers, particularly those who oversee new employees or interns, should receive this training as well. Train your employees to ask themselves the following when they review content: “If an attacker saw this, what would they see here that could help them?”
  • Establish a safe photo space — Talent teams should be able to share photos of employees at work safely. Consider designating an area of the office where all sensitive information has been removed — a certain lounge or cluster of couches, tables and desks, for instance — as a safe photo zone. It doesn’t hurt to post reminders for employees to remove their badges when they take photos in this area as well.
  • Review with a seasonal focus — Have your team monitor social media feeds closely during the first week of an internship and other times when employees are likely to post sensitive information. These might include large company events or social outings in the office. By doing so, the team can look to delete any risky posts quickly before they’re found by a potential attacker.
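The review step above (asking "if an attacker saw this, what could they use?") and the frame-by-frame check of the "day in the life" video can be given a mechanical first pass before a human looks. The following is an added example, not code from the article or from IBM X-Force Red: it screens the text that OCR recovers from each photo or video frame for credential-like strings, private IP addresses, internal hostnames, e-mail addresses and badge or employee identifiers, and returns only the frames that need a person's attention. The rule set and the suffixes `.local`, `.corp`, `.internal`, `.intranet` and `.lan` are assumptions you would tune to your own environment; `ocr_video` shells out to the `ffmpeg` and `tesseract` command-line tools if they are installed, while the demo at the bottom runs on constructed OCR output so it works offline.

```python
"""Pre-publish screening of OCR text from photos or video frames.

Added example; not from the article. Assumes OCR has already produced
plain text per frame (e.g. `tesseract frame.png stdout`). The detection
rules are deliberately broad: the aim is to pull a frame out for a
human look, not to be precise.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    frame: str
    rule: str
    snippet: str


# (rule name, pattern). Assumed rule set; extend with your own naming
# conventions (ticket prefixes, hostname schemes, badge number formats).
RULES = [
    ("credential", re.compile(
        r"\b(?:password|passwd|pwd|pin|passcode)\b\s*[:=]?\s*(\S+)", re.I)),
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    ("private_ip", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
    ("internal_host", re.compile(
        r"\b[\w.-]+\.(?:local|corp|internal|intranet|lan)\b", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("badge_or_id", re.compile(
        r"\b(?:badge|employee\s*id|emp\s*id)\b\s*[:#]?\s*([A-Z0-9-]{4,})", re.I)),
]


def screen_text(frame: str, text: str) -> list[Finding]:
    """Run every rule over every OCR line of one frame."""
    findings = []
    for line in text.splitlines():
        for name, rx in RULES:
            for m in rx.finditer(line):
                findings.append(Finding(frame, name, m.group(0)))
    return findings


def screen_frames(ocr_by_frame: dict[str, str]) -> dict[str, list[Finding]]:
    """Return only the frames that need human review, with the reasons."""
    flagged = {}
    for frame, text in ocr_by_frame.items():
        hits = screen_text(frame, text)
        if hits:
            flagged[frame] = hits
    return flagged


def ocr_video(video: Path, workdir: Path, fps: int = 1) -> dict[str, str]:
    """Extract `fps` frames per second with ffmpeg and OCR each with tesseract.

    Requires both tools on PATH; the offline demo below does not call this.
    """
    for tool in ("ffmpeg", "tesseract"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found on PATH")
    workdir.mkdir(parents=True, exist_ok=True)
    subprocess.run(
        ["ffmpeg", "-loglevel", "error", "-i", str(video),
         "-vf", f"fps={fps}", str(workdir / "frame_%05d.png")],
        check=True)
    text_by_frame = {}
    for png in sorted(workdir.glob("frame_*.png")):
        proc = subprocess.run(["tesseract", str(png), "stdout"],
                              capture_output=True, text=True, check=True)
        text_by_frame[png.name] = proc.stdout
    return text_by_frame


# Constructed OCR output standing in for three frames of a "first day" video.
SAMPLE_OCR = {
    "frame_00001.png": "Welcome to the team!\nCoffee bar open 8-10",
    "frame_00002.png": "Sticky note: password: Summer2024!\nlogin: jdoe",
    "frame_00003.png": "Jira - sprint board\nhttps://jira.corp.local/browse/PAY-112\n10.20.4.17",
}

if __name__ == "__main__":
    for frame, hits in screen_frames(SAMPLE_OCR).items():
        for h in hits:
            print(f"{frame}: [{h.rule}] {h.snippet}")
```

Only the second and third frames come back flagged; the welcome slide passes. A frame that trips a rule is not proof of a leak, only a reason to look before publishing, so keep the rules loose and let a person make the final call.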

While social networks are a great way to attract new talent and promote personal success, they are also the perfect place for adversaries to look up information and create risks for organizations. Fortunately, by implementing a few simple rules for HR teams, new hires and especially Gen Z interns, these platforms can still safely be used by those who are eager to share.

Stephanie "Snow" Carruthers (@_sn0ww) is the Chief People Hacker for IBM X-Force Red, an autonomous team of veteran hackers within IBM Security. At DEF CON 22 she won a black badge for the Social Engineering Capture the Flag (SECTF) and was on the winning team for SAINTCON's Vault Physical Security challenge, which also earned the team a black badge. Stephanie has performed a variety of Red Team and Social Engineering assessments for clients ranging from start-ups and Fortune 100 companies to government agencies.
