A few years back, there was an Irish enterprise that based its whole business model on its social media presence. This was a vital part of the enterprise’s business strategy, and it prided itself on its use of social media channels. So, it was no surprise when the chair of the audit committee realized that this might be an area worthy of review and requested an internal audit.
This is not the type of request that fills an auditor with enthusiasm. First, by the time the auditor conducts a review of the marketing department, its members may have already awarded themselves numerous trophies and copious accolades highlighting their brilliance. Second, this is not a true IT audit; it is an audit of a business function that just happens to use tools based on the Internet. Third, this is a system over which the enterprise has no control and is often operated by people with no understanding of control, who, no matter what the auditor reports, will likely continue to use the same service.
How does an IT auditor add value to a system such as this? The auditor needs to identify key risk factors and bring them to the enterprise’s attention, evaluate those risk factors and recommend the implementation of pragmatic controls that enhance the use of social media without impeding the benefits.
Social Media Are Cloud Services
The first concept that everyone who uses social media must understand is that they have signed up to a cloud system. Often, people in marketing, communications and human resources (HR) departments have not made this connection. But the truth is that all social media have the characteristics of Software as a Service (SaaS). If SaaS is defined as a model for the distribution of software whereby customers access software over the Internet and the service provider hosts the application at its data center, which is accessed via a standard web browser, then every social media site fits this definition.1 Thus, the auditor can conduct the same type of audit appropriate for any other cloud service.
The first step is certification. Any audit of a cloud service provider will start by asking for some sort of security certification, such as ISO 27001,2 ISAE 3402,3 or System and Organization Controls (SOC) 2.4 This is vital, as there is virtually no chance a service provider will allow the auditor to carry out an audit of the service on their own. The certification of controls is a key insight into the provider’s control framework and attitude. The internal controls of many of these providers appear to be weak and have been exposed on numerous occasions, so certification is the auditor’s only insight into controls.
For those involved in social media, security appears to be a low priority. It is unlikely that any individual responsible for signing an enterprise up for Twitter, LinkedIn, Facebook or any other social media platform has checked to see whether the service is secure and has any form of internal controls. In fact, not a single provider of social media is actually certified. For example, Facebook claims that it has “top-rate security measures in place to help protect you and your data when you use Facebook,” without saying who has rated its security.5 Flickr is even more blasé about security: “Flickr takes physical, technical and administrative measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. However, no security measure is perfect. Flickr cannot and does not promise that any information will remain secure.”6 Twitter basically makes security the user’s problem,7 and although WhatsApp claims that “Privacy and Security is [sic] in our DNA,” these attributes are not evident in any easily retrievable certification.8
Not all social media providers are bad. LinkedIn has a page detailing its ISO 27001, SOC 2 and Payment Card Industry Data Security Standard (PCI DSS) compliance.9 Facebook provides security for its corporate product, Workplace. The question the auditor has to ask is why social media providers do not routinely get security certification. The most likely reason is that none of their users or customers have ever asked for it. For example, individual users are probably not going to delve deeply into WhatsApp’s control environment when all they want to do is send out messages to parents whose children participate in a local football club. However, it is surprising that enterprise customers that will be selling goods, advertising, branding, putting out their corporate communications and public relations materials, and responding to publicly reported crises have not checked this out.
It is likely that an enterprise’s award-winning marketing team has signed up for cloud services without checking their security. Does it matter whether social media are certified? The fact that each of these social media providers regularly has incidents involving their own staff hacking into customers’ accounts suggests that they lack certifiably strong security processes. High-profile incidents, such as the Twitter employee who deleted Donald Trump’s Twitter account10 and Facebook’s storage of up to 600 million user passwords without encryption and viewable as plaintext to tens of thousands of company employees,11 indicate that a level of skepticism about their security is prudent.
Any time a service is provided by a third party, the contract should be reviewed to ensure that it is appropriate and meets the enterprise’s requirements. A full analysis of the terms and conditions, preferably by the legal department or the procurement team, should be carried out before signing up, and all the implications for the enterprise should be considered and understood.
Security Vulnerabilities
Of course, none of this would be an issue if social media providers were, in fact, secure, but unfortunately, they are not. There is a constant stream of news stories about security breaches from the individual user level up to the loss of millions of records. If the Twitter accounts of US President Joe Biden, Microsoft founder Bill Gates, Tesla chief Elon Musk and Apple can be hacked,12 it is fair to say that anyone’s account can be hacked.
When looking for controls, a good starting point is considering known vulnerabilities. The first step is checking the common vulnerabilities and exposures (CVEs) for the social media used by the enterprise; these are particularly relevant to usage on mobile phones. For example, there are quite a few publicly known CVEs on WhatsApp.13 There is not a lot that can be done about this, other than periodically warning employees and customers to upgrade the applications on their phones. Anyone who signs up for the service should be aware of these CVEs.
Slightly more amenable to control is access to the site. Social media sites do not enforce any kind of password complexity rules, and any guidelines that do exist are likely not as rigorous as the enterprise’s password policy. For example, Facebook advises users that “longer passwords are usually more secure,” but it does not enforce any password criteria.14 This is the most commonly exploited vector, so it is surprising that none of the social media sites have addressed this issue. For a benchmark to gauge password security, consult the digital identity guidelines published by the US National Institute of Standards and Technology (NIST)15 or the SANS Institute’s password protection policy.16
In addition to enforcing a strong password policy, multifactor authentication (MFA) should be set up where it is available. However, MFA may not be completely adequate. The problem with MFA is whose mobile phone is being used as the second factor. In one case, a disgruntled staff member changed the password to the enterprise’s social media accounts. Because both the accounts and the mobile phone used for MFA were in the employee’s name, it was difficult to get those accounts away from him. In fact, once the employee realized this, he started posting false comments about the enterprise and bad-mouthing it. It was a disaster. This is a common event; auditors and consultants are often called in to resolve these disputes, and it can often be difficult to regain control.
Similarly, a password policy is only as good as the people who know the passwords. Employees typically share passwords and user IDs, create easy-to-remember passwords and reuse the same password on all their sites, so if one gets hacked, they all do. This is the most important area to audit. It is frequently possible to hack into social media accounts by either guessing an easy set of passwords or locating the password file on the network.
In addition to being inherently insecure, social media sites collect users’ data. WhatsApp is a good example. A quick check of one’s mobile phone reveals the status of all the user’s contacts (i.e., whether they are online or not at that moment)—a worrisome situation to begin with. But this is what WhatsApp tells users about its data collection policy:
We collect device and connection-specific information when you install, access, or use our Services. This includes information like hardware model, operating system information, battery level, signal strength, app version, browser information, and mobile network, connection information including phone number, mobile operator or ISP [Internet service provider], language and time zone, and IP [Internet Protocol], device operations information, and identifiers like device identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).17
When installing any other IT system, the enterprise would not send the vendor all its technical information on an ongoing basis. But that is exactly what the marketing department signed up to do. Did anyone bother to check the privacy policy? Probably not. And the section of the contract on third-party service providers most likely states that the social media site will be sharing a lot of data with other entities. This is almost like knowingly installing spyware.
The best an auditor can do is make sure that employees have configured the best security and privacy parameters within the limits set by the social media site—that is, provide only the level of data required to maximize the service within the enterprise’s social media policy and strategy without compromising security. Once the configuration is set, monitor changes to the site, as vendors often alter applications or websites and reset users’ privacy settings.
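One way to implement the “monitor changes” step is to record the approved configuration once as a baseline and diff every later export of the account’s settings against it, reporting reset settings and vendor-added settings separately. The code below is an added example, not from the article; its setting names and values are constructed rather than taken from any real platform’s API.

```python
"""Baseline drift check for an account's security and privacy settings.

Added example: record the approved configuration once, then diff each later
export of the account's settings against it. Vendors both reset existing
settings and introduce new ones, so the two cases are reported separately.
Setting names and values are constructed sample data, not a real platform's API.
"""
from dataclasses import dataclass, field

# Settings whose drift towards the permissive side needs immediate attention.
HIGH_RISK = {"two_factor_auth", "login_alerts", "third_party_app_access"}


@dataclass
class DriftReport:
    changed: dict = field(default_factory=dict)  # name -> (approved, current)
    added: dict = field(default_factory=dict)    # settings not in the baseline
    missing: list = field(default_factory=list)  # baseline settings no longer exported

    def high_risk_findings(self) -> list[str]:
        """Changed or newly added settings that are on the high-risk list."""
        return sorted((set(self.changed) | set(self.added)) & HIGH_RISK)

    def clean(self) -> bool:
        return not (self.changed or self.added or self.missing)


def compare_settings(baseline: dict, current: dict) -> DriftReport:
    """Diff the approved baseline against the current export of account settings."""
    report = DriftReport()
    for name, approved in baseline.items():
        if name not in current:
            report.missing.append(name)
        elif current[name] != approved:
            report.changed[name] = (approved, current[name])
    # A vendor-added setting that defaults to the permissive value is exactly
    # the drift a periodic review should catch, so it is reported on its own.
    for name in current.keys() - baseline.keys():
        report.added[name] = current[name]
    return report


# Constructed sample: the approved baseline for the enterprise's account ...
APPROVED_BASELINE = {
    "two_factor_auth": "enabled",
    "login_alerts": "enabled",
    "profile_visibility": "public",
    "third_party_app_access": "disabled",
    "location_tagging": "disabled",
}
# ... and a later export in which an update reset one setting and added another.
CURRENT_EXPORT = {
    "two_factor_auth": "enabled",
    "login_alerts": "disabled",
    "profile_visibility": "public",
    "third_party_app_access": "disabled",
    "location_tagging": "disabled",
    "ad_personalization": "enabled",
}
```

Running `compare_settings(APPROVED_BASELINE, CURRENT_EXPORT)` on the sample data reports `login_alerts` as changed and `ad_personalization` as a new setting awaiting a decision.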
As mentioned previously, users are not even safe from social media providers’ staff. The July 2020 Twitter hack used Twitter employees’ personal pass codes to get into the company’s internal systems. The attack targeted at least 130 accounts, including those of former US president Barack Obama, Amazon founder Jeff Bezos, Bill Gates and Elon Musk. Tweets posted by the intruders duped people into sending US$100,000 in bitcoin, supposedly in exchange for double the amount sent.18 That was not the first time Twitter employees were involved in an incident. In November 2017, a Twitter employee, on his last day of work, was able to shut down Donald Trump’s Twitter account.19 Similarly, “millions of Instagram user passwords were exposed to [Facebook] employees in a searchable format in an internal database.”20 This would not be acceptable to any enterprise, so why tolerate it in a third party?
Know the Customer
Possibly the biggest underestimated control weakness is users’ anonymity. No one knows who anyone really is on social media. Despite all the scrutiny social media come under for trolling, fake news, fraud and hacking, it seems that no social media platforms have established a “know the customer” process. They collect data from mobile phones and browsers without users’ knowledge, including location, websites visited, type of device used, and when and how it is used, but at no stage do they actually find out who the user is. They want to obtain all the usage data needed to enhance their advertising of products, but they do not want to discourage users from signing up by demanding proof of identity, age or residency. So enterprises must obtain this information themselves.
The question for the auditor is: How does the enterprise determine with whom it is interacting? At what point does the enterprise need proof of who posters say they are? Some enterprises use a stepwise guide for obtaining information, starting with the initial engagement with the user; then, at certain points of interaction, additional data may be requested, along with appropriate forms of proof. But at some point, such as in the event of a customer service issue, the enterprise needs to establish that the person with whom it is interacting is genuine.
Often, the auditor discovers that the enterprise has no process or policy to ascertain this information. The scale of the problem is huge. Facebook estimates that “50 million to 100 million of its monthly active user accounts are fake duplicates, and as many as 14 million of those are ‘undesirable’ on the site.”21 LinkedIn openly admits, “We don’t have a reliable system for identifying and counting duplicate or fraudulent accounts.”22 So it is up to users to establish with whom they are interacting.
Conclusion
Social media sites are insecure, yet they collect large amounts of data that are accessible to their employees. They do not actually know who their customers are, yet they are an inherent part of enterprises’ business operations.
The good news is that auditable controls can be put in place. Because social media platforms use a cloud system, they can be audited like any other cloud system using the following steps:
- Check the contract, policies, and terms and conditions.
- Obtain a cloud audit work program and work through it.
- Check the security certification (if any).
Because social media sites are insecure, it is also necessary to take the following steps:
- Review known security vulnerabilities and ensure that it is someone’s job to keep checking for new threats.
- Check security and privacy configuration settings and ensure that they are adequate. Do not trust social media providers; the enterprise must have a process to test and retest settings.
- Patch and update web browsers, third-party plugins, applications and operating systems used to access social media sites. This includes making sure that employees are updating their mobile phone operating systems and applications.
- Make sure that the owners of social media sites have business continuity and response plans. Sooner or later, something is likely to go wrong.
- Determine whether the enterprise’s password policy is being implemented.
No one knows who anyone is on social media, so it is important to establish “know the customer” processes and procedures.
The second part of this two-part article series, “How Do Organizations Control Their Use of Social Media, Part 2,”23 addresses how enterprises are actually using social media and what risk factors are inherent in their approach.
To learn more about privacy and social media, watch Findlay discuss his article in this video interview.
Endnotes
1 Techopedia, “Software as a Service (SaaS),” 5 December 2017, http://www.techopedia.com/definition/155/software-as-a-service-saas
2 International Standards Organization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001, Information security management, Switzerland, http://www.iso.org/isoiec-27001-information-security.html
3 International Standard on Assurance Engagements, “ISAE 3402 Overview,” http://isae3402.com/ISAE3402_overview.html#:~:text=ISAE%203402%20was%20developed%20to,organization’s%20system%20of%20internal%20control2
4 American Institute of Certified Public Accountants (AICPA), SOC 2—SOC for Service Organizations: Trust Services Criteria, USA, http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
5 Facebook, “How You’re Protected,” http://www.facebook.com/about/basics/stay-safe-and-secure/how-youre-protected#1
6 Flickr, “Flickr Privacy Policy,” 23 November 2020, http://www.flickr.com/help/privacy
7 Twitter, “About Account Security,” http://help.twitter.com/en/safety-and-security/account-security-tips
8 WhatsApp, “WhatsApp Security,” http://www.whatsapp.com/security/
9 LinkedIn, “Trust and Compliance,” http://security.linkedin.com/trust-and-compliance
10 Anapol, A.; “Twitter Employee Who Deleted Trump’s Account Reveals Himself,” The Hill, 29 November 2017, http://thehill.com/homenews/administration/362468-twitter-employee-who-deleted-trumps-account-reveals-himself
11 Fitzgerald, M.; “Facebook Says Its Employees Had Access to Millions of Instagram Passwords,” CNBC, 18 April 2019, http://www.cnbc.com/2019/04/18/facebook-says-employees-had-access-to-millions-of-instagram-passwords.html?&qsearchterm=facebook%20employees%20passwords
12 Iyengar, R.; “Twitter Blames ‘Coordinated’ Attack on Its Systems for Hack of Joe Biden, Barack Obama, Bill Gates and Others,” CNN, 16 July 2020, http://edition.cnn.com/2020/07/15/tech/twitter-hack-elon-musk-bill-gates/index.html
13 CVE Details, “WhatsApp: Security Vulnerabilities,” http://www.cvedetails.com/vulnerability-list/vendor_id-19851/product_id-54433/year-2019/Whatsapp-Whatsapp.html
14 Facebook, “How Can I Make My Facebook Password Strong?” http://www.facebook.com/help/124904560921566?helpref=topq
15 Grassi, P. A.; M. E. Garcia; J. L. Fenton; NIST Special Publication 800-63-3: Digital Identity Guidelines, National Institute of Standards and Technology (NIST), USA, June 2017, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
16 SANS, “Password Protection Policy,” http://www.sans.org/information-security-policy/?&category=general
17 WhatsApp, “WhatsApp Privacy Policy,” 24 April 2018, http://www.whatsapp.com/legal/privacy-policy-eea
18 RTE, “Twitter Service Restored After Global Outage,” 16 October 2020, http://www.rte.ie/news/technology/2020/1016/1171887-twitter-outage/
19 Marcus, E.; “Twitter Employee Who Deactivated Donald Trump’s Account Breaks His Silence,” US Magazine, 30 November 2017, http://www.usmagazine.com/celebrity-news/news/twitter-employee-who-shut-down-trumps-account-speaks-out/
20 Op cit Fitzgerald
21 McAfee, “How Cybercriminals Target Social Media Accounts,” http://www.mcafee.com/enterprise/en-us/security-awareness/cybersecurity/cybercriminal-social-media.html
22 Hayes, N.; “Why Social Media Sites Are the New Cyber Weapons of Choice,” Dark Reading, 6 September 2016, http://www.darkreading.com/attacks-breaches/why-social-media-sites-are-the-new-cyber-weapons-of-choice/a/d-id/1326802
23 Findlay, R.; “How Do Organizations Control Their Use of Social Media, Part 2,” ISACA® Journal, vol. 4, 2021, http://h04.v6pu.com/archives
Robert Findlay
Is currently the global head of IT audit at Irish dairy leader Glanbia. He has more than 30 years of global IT, audit, and security experience, including programming, project management and data center operations. He also has significant experience as an IT auditor, chief information security officer and head of IT. Findlay has set up and managed IT audit functions in global businesses such as British Airways, Aer Lingus, ARYZTA, Paddy Power and EY. He has been a presenter at multiple ISACA® and Institute of Internal Auditors (IIA) conferences in Asia, Europe and North America and is an ISACA® Journal reviewer and a contributor to #IamISACA.