Social media has long been a productivity concern for companies, but now more than ever, it is also a cybersecurity concern. Interactive content such as quizzes is a welcome distraction from work, but it is also a threat to your company's data.
Threat actors create quizzes to harvest valuable data, such as answers to security questions and personally identifiable information. And even when a quiz is not itself a social engineering tactic, the answers it collects are stored somewhere, and that store is a breachable target for threat actors.
How Common Is Quiz-Taking at Work?
Zippia reports that about a third of employers currently block access to social media on their networks. While this does provide coverage on the internal network, many companies also run a "red" network, meaning a network that is connected directly to the internet and kept separate from internal resources.
Those networks are usually used by guests, contractors, or consultants who need to VPN out to their own organizations. So while a red network gives no access to the company's resources, a user on it is still sitting in the office and going straight out to the Internet on company time.
Red networks are much harder to regulate, and social media is often still reachable through them. So even for companies that try to block social media, it is an uphill battle.
Research by the marketing firm Outgrow has also shown that users are twice as likely to engage with interactive content as with static content, so quizzes are a particularly attractive way to capture engagement, for marketers and for threat actors alike.
Why Should Organizations Care About Social Media Quizzes?
Many of these quizzes are semi-legitimate and are just meant to be distractions that provide a mental break. The real problem is that malicious actors have started using the data these quizzes collect.
There are documented instances where data from these fun quizzes has been exposed. In 2018, nametests.com, the company behind many Facebook quizzes, announced that a security researcher had disclosed a bug that exposed users' quiz answers and other identifying data to third-party websites.
Even seemingly minute personal details scraped from quiz data can be effectively used by a clever threat actor to create more authentic impersonation of a key individual.
An employee may never have met their company's executive, but they may know that he likes golf. If somebody impersonating that executive calls them, says he is out on the golf course, and yells that he needs immediate access to something, it is very possible that they give up information.
Some data can also be used directly to reset passwords. Quizzes often ask you to share things like your first car, your pet's name, or your mother's maiden name, all of which are answers to common security questions used in password-reset flows.
If you provide those answers in a quiz, every account that relies on those questions for password recovery is at risk of takeover, regardless of how strong the password itself is.
How Dangerous Are Social Media Quizzes?
Giving up security information could result in an obvious, straightforward attack. One example is credential stuffing, where the threat actor takes usernames and passwords harvested from a breach and tries them against every login page they can find; another is account takeover through a password-reset flow whose security questions you have already answered in a quiz.
It could also become much more insidious. Threat actors are not afraid to social engineer and will gather as many of your personal details as they can from whatever sources are available.
Infosecurity Magazine reported on a study finding that at least 65% of people reuse passwords. It is a bad practice, and every reused password multiplies the risk you face if information is given away in a social media quiz, because one compromised account becomes a key to the others.
While some quizzes attempt to gain personal information, others may try to collect statistical data. For example, a quiz may ask you questions that test whether you would be a good target for a phishing attack.
When it comes down to it, end users gain nothing substantial from taking these quizzes. If you do not know who is asking the questions and collecting the answers, be very hesitant about giving up details about yourself and your life. You do not know how they will be used against you, and you do not want to find out.
Is There Risk with LinkedIn Polls and Industry Benchmarking Surveys?
It is best to approach any information collection with caution, even on a professional platform. Polls you can take anonymously or semi-anonymously are lower risk than surveys that collect personal information.
In any of these scenarios, first determine who is asking the question, what they claim they will do with the answers, whether they have a data sharing or data privacy policy in place, and what the terms of that policy are.
Every once in a while, there may be useful research data behind a quiz wall. Companies do this sometimes because the quiz wall is how they collect the data they are sharing. If you are going to look at the data, make sure it comes from a reputable thought leader or another known source.
If you choose to access it through the quiz, do so in an incognito or private browsing session. That way the cookies from your logged-in sessions are not sent along, and the cookies set during the visit are discarded when you close the window, so the visit is harder to link back to you. If it is behind a system you have to log into, create a throwaway profile that contains no personally identifiable information.
In those instances, they still get data out of you, but it is not attributable to you.
What Can Companies Do About Social Media Quizzes?
First and foremost, do your best to keep up with data breaches and disclosures. Your company's information might be exposed through one of these quizzes or through some other breach. Just because your company was not breached directly does not mean your data was not compromised.
There are services you can hire to monitor reputation, both for individuals and for companies. Those services watch breach sources, including notifications published by the federal government.
Reputable providers may even obtain the specific data that was dumped during a breach, so they can scan it and tell you whether they saw references to your company or your employees in it.
If the budget allows, those services are worth investing in to stay ahead of reputational issues.
As I mentioned earlier, it is very difficult to block social media completely, but you should still limit workplace access to it in any way you can. I know a lot of people will argue with me on that front, but the message it sends to employees matters.
The struggle is that people can misconstrue blocking social media as a productivity measure when it is really a security measure. One thing that helps is stating on the block page itself that access is denied for security reasons, not productivity.
For longer-term action, awareness campaigns with users top the list. Train your business users on why social media quizzes are a security risk and why we do not want people taking them on company devices, with company information, or on company time.
Also recommend that they avoid social media quizzes on personal devices and in personal time, because the quizzes pose a risk to them personally and potentially to the company as well.
That being said, policy in this area is a sticky wicket. Here in the U.S., we have freedom of speech, and depending on how the policies are written, they can feel like they encroach on employees' rights and freedoms. It is therefore incredibly important that these policies are developed in concert with the company's legal counsel.
Be very careful that a policy does not run afoul of the law and set you up for lawsuits or long-term issues, when the intent was simply to keep company data safe.
As it stands, about half of companies have no social media use policy in place today. Writing those policy statements, and then informing users how they work, the rationale behind them, and the consequences for violating them, are important immediate steps.
Like any other policy, it needs to be enforced consistently. If there are consequences for violating infosec, regulatory, or other compliance policies, there should be similar consequences for violating this one.
Final Thoughts
As threat actors become more savvy, social media becomes more and more of a battleground for social engineering. It is the responsibility of every cybersecurity organization to prepare its users for the risks presented by social media, even ones as unassuming as a quiz. As you develop a plan to protect your organization against the potential dangers of social media quizzes, remember that education should be the focus. As with any issue, very few users will continue with risky behavior once they understand the risks and concerns associated with taking quizzes online.