- Social media posts by employees are a rich source for attackers. Job titles, org charts, technology hints, travel plans, and workplace photos provide material for targeted spear phishing and social engineering.
- A social media policy defines what information may be shared, what must not, and how employees should conduct themselves on social networks. It protects both the organization and the employees themselves.
- The policy must distinguish between private and professional use, provide concrete examples, and define consequences for violations. Abstract prohibitions ('Do not share confidential information') are ineffective because employees cannot judge what exactly falls under that umbrella.
- Particular risk areas include: LinkedIn profiles with detailed org chart information, workplace photos (screen contents, access badges, whiteboards), status updates about business travel, and technical details about deployed systems.
- The policy should enable rather than prohibit: it provides clear guardrails within which employees can actively and positively use social media. A restrictive policy that forbids any mention of the company will be ignored.
Why social media is a security issue
Social media is a natural part of everyday life for most employees. They maintain their LinkedIn profiles, connect with business partners, share professional achievements, and discuss specialized topics in groups and forums. For organizations, social media is an important channel for employer branding, customer engagement, and networking. All of this is desired and sensible.
At the same time, social media is one of the richest sources for attackers. The systematic collection of publicly available information, known as Open Source Intelligence (OSINT), uses social media profiles as a primary data source for preparing targeted attacks through social engineering.
A single LinkedIn post can provide an attacker with the following information: who works at the organization (target identification), what position the person holds (determining authorization level), which technologies the organization uses (attack vectors), which projects are currently underway (context for spear phishing), who is connected to whom (trust relationships), and which external service providers the organization uses (supply chain attacks).
These pieces of information are harmless in isolation. Combined, they form a detailed picture of the organization that an attacker can use for a tailored attack. A spear phishing email that contains the name of an actual project manager, references a real project, and appears to come from an external partner that genuinely works with the organization has a significantly higher success rate than a generic phishing email.
Typical information leaks on social media
The following examples illustrate what information employees regularly share on social networks and how attackers can exploit it.
LinkedIn profiles and job titles
LinkedIn profiles are the most obvious source. Detailed job titles and descriptions make it possible to construct a complete org chart of the organization. "Head of IT Infrastructure" reveals that a dedicated IT infrastructure department exists and who leads it. "SAP Basis Administrator" reveals that the organization uses SAP. "Information Security Officer" reveals that there is a CISO and who it is.
Particularly valuable for attackers are "Skills & Endorsements" and experience descriptions. "Experience with Cisco ASA Firewalls" reveals the firewall vendor. "Migration from Exchange On-Premise to Microsoft 365" reveals the current email infrastructure and the timing of the migration. "Implementation of CrowdStrike Falcon" reveals the endpoint security solution.
Workplace photos
A seemingly harmless photo from the new office or a team meeting can reveal a surprising amount. Screen contents in the background may show applications, data, or internal URLs. Access badges or ID cards in the image can be copied or reproduced. Whiteboards in the background may contain project plans, architecture diagrams, or credentials. Desk contents may show sticky notes with passwords, internal documents, or customer lists.
In one documented case, a security researcher identified on an employee's Instagram photo a whiteboard in the background containing the organization's complete network architecture, including IP addresses and server names.
Status updates about business travel
"On my way to London for client meetings at [Company X]" reveals a business relationship, the timing, and the location. "Three more days at CeBIT" reveals that the employee is away from the office. "Finally on vacation! Two weeks in Thailand" reveals that the person will be absent for two weeks.
Attackers deliberately exploit absence information. When it is known that the CEO will be traveling for two weeks, the likelihood of a successful CEO fraud attempt increases because employees cannot directly ask the CEO and an email instruction seems plausible.
Technical details and certifications
Employees who are proud of their certifications and projects often share technical details that are valuable to attackers. "Just completed the migration to Azure AD / Entra ID!" reveals the current state of the infrastructure and suggests a phase where configuration errors are especially likely. "Glad we finally switched to Fortinet" reveals the firewall vendor. "Anyone have experience integrating ServiceNow and Jira?" reveals two platforms in use and suggests an integration phase.
Complaints and internal information
Employees who complain about their employer on social media or forums often reveal more than intended. "Our VPN keeps dropping, we urgently need a new solution" reveals a VPN problem that could be exploited. "IT rolled out an update without warning again" reveals the patching process. "We're still running Windows Server 2012 for our customer database" reveals a potentially unpatched system.
Creating the social media policy
An effective social media policy balances security with practicality. It must be clear enough to provide guidance and flexible enough not to stifle the legitimate use of social media.
Basic structure
The policy should include the following sections:
Scope: Who does the policy apply to? Typically all employees, executives, and external staff who are active on social media on behalf of the organization or in a recognizable connection to it. The scope covers both usage on corporate devices and private usage insofar as it relates to the organization.
Definition of platforms: Which platforms are covered? LinkedIn, Xing, Facebook, Instagram, X/Twitter, TikTok, YouTube, Reddit, industry forums, review portals (Kununu, Glassdoor), and any other platform where information is shared publicly or semi-publicly.
Permitted and encouraged usage: What may and should employees do? Professional networking on LinkedIn/Xing, sharing general industry information, employer branding posts within defined guidelines, participation in professional discussions.
Prohibited content: What must never be shared? Here the policy must be specific.
Behavioral guidelines: How should employees conduct themselves? Labeling personal opinions, handling criticism and controversial topics, responding to negative comments or journalist inquiries.
Responsibilities: Who is the point of contact for questions? Who approves official company posts? Who is responsible when a post becomes problematic?
Consequences: What happens in case of violations? Consequences should be graduated: a note and conversation for a first-time, minor violation; a formal warning for repeated or serious violations.
Prohibited content: concrete examples
Abstract phrases such as "Do not share confidential information" are ineffective because employees assess differently what "confidential" means. The policy must provide concrete examples.
Internal organizational details: No org charts, no detailed departmental structures, no information about internal processes or workflows that are not already publicly known.
Technical information: No mention of specific IT systems, software, vendors, or versions. No sharing of configuration details, network architectures, or security measures. The phrase "I am a certified [product] administrator" in a LinkedIn description is acceptable; a post stating "Just installed [product] version X on our servers" is not.
Workplace and office photos: No photos showing screen contents, whiteboards, access badges, internal documents, or other sensitive information. Photos of office spaces and team events are allowed if checked beforehand to ensure no sensitive information is visible.
Business relationships and clients: No mention of client names or business partners unless the relationship is already publicly known (e.g., through a joint press release). "Exciting client project in the financial sector" is acceptable; "Great project with [client name]" is not (unless the client has agreed).
Financial information: No revenue figures, profit forecasts, investment plans, or other financial details that have not already been published.
Personnel information: No information about hirings, terminations, salaries, or internal personnel decisions.
Security incidents: No information about current or past security incidents, data breaches, or audit results.
Absences and travel plans: No detailed absence information ("Won't be reachable for the next two weeks, I'm in [country]"). A post after returning ("Great conference in [city], lots of insights") is significantly less risky than the advance announcement.
LinkedIn profiles: a special case
LinkedIn profiles deserve particular attention because they are the primary source for OSINT reconnaissance and at the same time important for employer branding and personal career development.
The policy should provide clear recommendations for LinkedIn profiles. Job descriptions should be kept general: "IT Administrator" rather than "Senior Administrator for Cisco ASA Firewalls, Palo Alto Networks, and CrowdStrike Falcon." The skills section should emphasize general competencies, not specific products and versions. Experience descriptions should emphasize outcomes and competencies, not specific technologies and projects. Privacy settings should be configured so the contact list is not publicly visible (this prevents attackers from analyzing the employee's social network).
Handling inquiries and social engineering
Employees must know how to respond to suspicious inquiries on social media. Attackers use LinkedIn to establish contact with employees, build trust, and gather information. This may be a "recruiter" asking for technical details about the current role, a "journalist" probing for internal information, a "business partner" asking for contacts and responsibilities, or a "research institute" conducting a "survey on IT security."
The rule should be: all unexpected inquiries requesting internal information are forwarded to the communications department or the security team. Employees do not answer questions about internal structures, technologies, or processes to unknown contacts, not even on LinkedIn.
Communication and training
A policy that nobody knows about is ineffective. Communicating the social media policy is at least as important as its content.
Rolling out the policy
The rollout should not be a one-sided announcement ("Effective immediately, the following policy applies...") but a dialogue. Organize a brief information session (30 minutes) explaining the background: Why is social media a security issue? What specific risks exist? What changes for employees?
Use real examples to make the risks tangible. Show a LinkedIn post and analyze what information an attacker could extract from it. Show a workplace photo and identify the visible security risks. This makes the abstract rules concrete and understandable.
Integration into onboarding
New employees receive the social media policy as part of the onboarding process. The policy is briefly explained, and the new employee acknowledges receipt. Especially for employees who are active on social media (recognizable from their LinkedIn profile), a brief personal conversation about the dos and don'ts is worthwhile.
Regular reminders
Integrate social media security into your awareness program. A brief item in the monthly security newsletter, an occasional micro-challenge ("Review your LinkedIn profile for technical details and remove them"), or an example in the security champion's team briefing keeps the topic top of mind.
OSINT self-assessment
An effective format for awareness training is the OSINT self-assessment: employees check for themselves what information about them and the organization is publicly available.
The exercise works as follows: each employee googles their own name combined with the company name. They review their LinkedIn profile for the risks described above. They search Google Images and social media for photos related to the organization. They note which information they found that should not be public according to the social media policy.
This exercise is often an eye-opener. Employees are surprised by how much about them is publicly accessible, making them more aware of the issue. The exercise can be conducted as part of a team training session or as an individual assignment.
Monitoring and enforcement
The policy must not only exist but also be enforced. This does not mean monitoring the social media profiles of all employees. It means responding to violations when they become known and conducting regular spot checks to verify that the policy is being followed.
A pragmatic approach is a quarterly OSINT spot check: the security team or an external service provider conducts a brief OSINT investigation and checks whether employees are sharing information on social media that violates the policy. Identified violations are communicated to the respective employee with a request to modify or remove the post. The tone is supportive, not punitive.
For official corporate communications on social media, stricter rules apply. All posts published through official company channels go through a defined approval process. Responsibility for the official channels lies with the communications department, coordinated with the security team.
Special situations
Employees as brand ambassadors
Many organizations actively encourage employees to act as brand ambassadors on social media. This makes sense from a marketing perspective but must be aligned with the security policy.
The solution is a brand ambassador guide that supplements the policy. This guide defines what content may explicitly be shared (e.g., pre-approved posts, links to blog articles, general industry commentary), what hashtags and phrasing should be used, and what content remains off-limits even as a brand ambassador.
Review portals (Kununu, Glassdoor)
Employees rate their employer on portals like Kununu or Glassdoor. These reviews can contain internal information: salary levels, working conditions, internal conflicts, management decisions. The policy should note that even anonymous reviews must not contain confidential information. Anonymity is not guaranteed (legal disclosure requests can lead to identification), and the published information can be used for OSINT.
Crisis and security incident
When the organization is affected by a security incident, the temptation is strong to report about it on social media: "Our company was hacked, we are working on a solution." The policy must clearly establish that in a crisis, only the executive management or the designated press office communicates. Employees do not comment on the incident on social media, neither publicly nor in private messages.
Legal aspects
The social media policy operates at the intersection of freedom of expression, data protection, and the legitimate interests of the organization.
Freedom of expression: Employees are entitled to express their opinions, including on social media. The policy must not go so far as to restrict freedom of expression. However, it may stipulate that employees clarify they are not speaking on behalf of the organization when expressing personal opinions.
Data protection: The policy must not require employees to disclose their private social media profiles. However, it may establish that work-related posts (that name the organization or create a recognizable connection) are subject to the policy's rules.
Works council: If a works council exists, introducing a social media policy is subject to co-determination (workplace rules and employee conduct under Section 87(1) No. 1 of the German Works Constitution Act). Involve the works council early on.
Review and updates
Social media evolves rapidly. New platforms emerge, existing platforms change their features, and the threat landscape shifts. The social media policy must be regularly reviewed and updated.
An annual review is the minimum. Event-driven updates are required for significant changes: new platforms that become relevant in the organization, new threat scenarios, changes in the regulatory landscape, or security incidents traceable to social media information leaks.
Document the review process in your ISMS -- a structured policy lifecycle management ensures nothing is overlooked. In ISMS Lite, the entire policy lifecycle from creation through review to communication to employees can be mapped. The policy receives a version date, the review is planned as a task, and changes are communicated to employees.
Social media is an indispensable part of modern working life. A good social media policy does not prohibit usage but enables it within safe boundaries. It gives employees the clarity they need to use social media responsibly, while protecting the organization from information leaks that attackers could exploit. The goal is not less social media, but smarter social media.
Related articles
- Social Engineering in the Enterprise: Attack Methods and Countermeasures
- Creating an Information Security Policy: Structure, Content, and Example
- Building a Security Culture: Why Technology Alone Is Not Enough
- Building a Security Awareness Program: What Employees Really Need to Know
- Policy Lifecycle Management: From Creation to Archival
