GUEST ESSAY: A breakdown of the cyber risks intrinsic to ubiquitous social media apps

By Mark Stamford

More than half of the world—58.4 percent or 4.62 billion people—use social media.


And while that’s incredible for staying connected with friends, organizing rallies, and sharing important messages, it’s also the reason we are facing a cyber security crisis.

A record 847,376 complaints of cyber-crime were reported to the FBI by the public, according to the FBI’s Internet Crime Report 2021—a 7 percent increase from 2020. This is now catching the attention of elected leaders like Senator Mark Warner and Senator Marco Rubio.

They recently called on the Federal Trade Commission (FTC) to investigate TikTok and its parent company ByteDance over their data handling. But why is social media such a catalyst for nefarious behavior?

As the founder of the leading cyber security firm OccamSec, I’ve seen first-hand how and why social media is such a weak point, even for the most careful people and companies. Here are the three main reasons.

Social Engineering

Social media lends itself to social engineering. What is that exactly? Well, old-school social engineering is when a criminal phones someone up pretending to be the CEO of your company, for example, claiming they’ve lost a document and need you to send it. You send it, and that person now has a lot of private information about the company. Social engineering has moved from face-to-face and phone-to-phone interactions to social media and the internet.

Social media provides an effortless mechanism for manipulation. You create a profile on a platform, start friending people, and then you can gain more access to those people’s connections because you begin to look more legitimate. So, when someone reaches out to you and you have mutual contacts, it’s easier for them to ask for personal or company information. It magnifies the target’s trust and simultaneously suppresses their gut instinct.

If you met someone in a bar who said, “Hey, I work in the same company as you, give me access to your computer,” you would say, “No.” Your gut instinct would tell you this guy is just creepy.

On social media, that instinct is taken away. If I connect to you, you link to me, and then we have more mutual connections. From an attacker’s perspective, it lends itself massively to harvesting data and makes manipulating people easier because it removes the face-to-face element.

Attack Surface

There’s this concept of attack surface in hacking. So, if you think of your house, you’ve got the doors, windows, and maybe a skylight. If I’m a robber, that’s your attack surface. You increase the attack surface by adding more windows, a garage, and a yard.

What social media does, if you’re a company, is blow your attack surface wide open. Now every single employee is online, posting and reachable. So, for example, if I want to breach Sony, I’ll go on LinkedIn, search for Sony, and get everyone who works there. Then I can look at TikTok, Instagram, and Facebook, find out their interests and friends, and eventually be able to connect and get information.

Convenience is Key

Convenience trumps security. A CEO needs a document sent to him on vacation and doesn’t have his laptop. So, it just gets sent to his phone. There’s an immediate breach of security due to convenience. Plus, it’s been proven that social media produces a dopamine response, which compounds the cyber security risk. So many people are on social media that it’s easy for criminals to blast through that surface area.

Ultimately, companies and people need to consider how much they’re exposing. But, sadly, cyber security is difficult to maintain unless you stay off all social media. However, if we adopted some European privacy laws, we might be able to have more protection. Understanding the risks posed by social media, from social engineering to an increased attack surface, is the first step for organizations to take control of their cybersecurity and keep their employees, and their business, safe.

About the essayist: Mark Stamford is the founder and CEO of OccamSec. He began dabbling with computers at age 8 and has over 20 years of experience in technology operations, including cybersecurity. He previously worked at UBS and KPMG.
