ACSC programs and advice are being migrated to cyber.gov.au (see sidebar)

Security and Safety Tips for Social Media

Download ACSC Protect: Security and Safety Tips for Social Media (PDF), January 2018
First published 2012; updated January 2018

Introduction

  1. Social media can pose a number of risks to both organisations and individuals when used in an inappropriate or unsafe manner.
  2. Due to its popularity, social media is a common way for an adversary to gather information on organisations and its employees, projects and systems. When sensitive or inappropriate information is posted on social media, it has the potential to harm Australia’s national interests, security or economic wellbeing. Information that appears to be benign in isolation could, if collated with other information, have a considerable impact.
  3. Personal information posted on social media can also be used by an adversary. In particular, it can be used to develop a detailed profile of an individual’s lifestyle and hobbies. This information could be used in social engineering campaigns aimed at eliciting sensitive information from individuals or influencing individuals to compromise an organisation’s systems.
  4. The compromise of social media accounts could also contribute to identify theft, fraud and/or reputation damage or embarrassment to individuals.

Social media for business purposes

  1. The use of social media for business purposes should be governed by organisations’ social media usage policies.
  2. The following measures should be implemented for corporate social media accounts:
    1. Ensure only authorised users have access to corporate social media accounts.
    2. Ensure users are informed of, and agree to, social media usage policies.
    3. Ensure users are trained on the use of corporate social media accounts.
    4. Ensure users are aware of what can, and cannot, be posted using corporate social media accounts.
    5. Ensure users are aware of processes for responding to posting of sensitive or inappropriate information.
    6. Ensure users are aware of processes for regaining control of hijacked corporate social media accounts.
    7. Ensure users’ access to corporate social media accounts (either direct or delegated) is revoked immediately as soon as there is no longer a requirement for access.

Using social media for personal purposes

  1. The use of social media for personal purposes should be governed by common sense and a healthy level of scepticism.
  2. The following measures should be adopted by individuals for the use of their personal social media accounts:
    1. When creating social media accounts, use an alias rather than disclosing your full name.
    2. Use a personal email address rather than a business email address. If possible, use a separate email address for social media.
    3. Apply any available privacy options and use a private profile where available.
    4. Restrict the amount of personal information placed on social media such as your home or work address, phone numbers, place of employment, and any other personal information that can be used to target you.
    5. If your location or movements are sensitive, be aware of social media apps that automatically post your location. Also, remove GPS coordinates from any pictures posted.
    6. Do not post information that is not for public release from your current or previous jobs.
    7. Carefully consider the type and amount of information you post. Remember the Internet is permanent and you can never fully remove what has been posted.
    8. Monitor the information friends and colleagues post about you to prevent the unauthorised disclosure of your personal information.
    9. Be wary of accessing shared links or attachments, including via direct messaging services.
    10. Be wary of unsolicited contacts. Do not accept requests from people that you do not know.

Securing social media accounts

  1. The following measures should be implemented for the use of both corporate and personal social media accounts:
    1. Use a strong password/passphrase that is unique for each social media account and is not re-used on any other system. Use multi-factor authentication where possible.
    2. Do not share passwords/passphrases for social media accounts.
    3. Do not store passwords/passphrases for social media accounts in emails or in documents.
    4. Do not elect to remember passwords/passphrases for social media accounts when offered by web browsers. Avoid configuring social media apps to automatically sign in.
    5. If asked to set up security questions to recover social media accounts, do not provide answers that could easily be obtained from public sources of information.
    6. Do not access social media accounts from untrusted devices in internet cafes or hotels.
    7. Always remember to sign out of social media accounts after use.
    8. Use lock screens and a password/passphrase on devices that have access to social media accounts.
    9. Where possible, access social media accounts using devices that are using the latest versions of software and have had all recent patches applied.
    10. Remember to close old social media accounts when they are no longer required.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.
  2. The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.
  3. For more information on selecting appropriate passwords/passphrases for social media accounts, see Passphrase Requirements.
  4. For more information on detecting socially-engineered messages sent via social media, see Detecting Socially-Engineered Messages.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.

Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies