5 Examples of How Social Media Behavior Can Create Security Risks

There is increasing awareness among security experts about how social media behaviors can open the door for insider and outsider threats. However, other than an employee posting a direct threat online, it can sometimes be difficult to know what to look for.

When attackers want to penetrate an organization’s security, they look for vulnerabilities. These vulnerabilities may be technical in nature but oftentimes employees themselves can be the weakest links in a security system. The content that employees post on social media can give would-be attackers clues as to who in the organization might be susceptible. At Fama, we’ve worked with numerous organizations to help them interpret potential risk indicators on social media.


Here are five examples of social media posts that have left organizations vulnerable to an attack.


1. Complaining about security protocols – We’ve seen employees complain online about security measures and even state that they don’t plan on abiding by those measures. In one instance, a government contractor had a policy prohibiting employees from bringing company phones to work. One employee complained on Facebook about the “absurdity” of the rule and joked about not following it. By posting these comments publicly, the employee not only encouraged others to ignore the protocols, but also advertised to potential outside attackers that his phone is a potential path into the organization.

2. Bullying or harassing others online – We unfortunately see public bullying of co-workers on social media. This behavior is obviously unacceptable and hurtful in its own right, but it also points outside attackers to someone who is potentially hurt, angry or resentful and would have a reason to lash out against the company.

3. Financial desperation – Financial debt is the second leading cause of insiders turning rogue[1]. An employee talking about student loan debt may not be a problem, but when an individual starts talking about financial problems with emotional desperation, it is an indicator that they may be willing to do something extreme.

4. Badmouthing the corporation – While most insider threats are motivated by financial gain, employees who are happy with their jobs and their companies are less likely to take such an extreme step. An employee who talks about hating their job or hating their boss, or who calls their company “evil”, is more likely to rationalize self-serving behaviors.

5. Revealing sensitive client information – Revealing privileged information is a problem that you need to know about. When someone seems to talk too freely about clients or corporate IP, even if it’s not a direct privacy breach, it is an indicator that this person is likely to share information that he probably shouldn’t.


Make sure that your organization has clear policies for what is acceptable for your employees to post online. Have a process in place to ensure that those policies are being followed, because a policy with no enforcement might as well not exist. Finally, make sure you have options for how to act in the event a policy is violated, whether it be further training, restrictions, or more serious action steps. We'd love to tell you more about how Fama can work with you to identify these kinds of risks at your organization.

Contact us at [email protected] if you’d like to learn more.


[1] “Insider Threats and the Need for Fast and Directed Response,” SANS Institute, 2016.


AI and Hiring, How to Keep Things in Check

In 1997, IBM’s computer “Deep Blue” defeated Grandmaster and world champion Garry Kasparov in a best of six chess series. It was one of the most impressive early demonstrations of the power of machine intelligence and while the best computer in the world can still beat the best human in chess, the best “chess player” is actually a computer-human team.


The most successful computer-human teams have not necessarily been those with the best chess players, but rather those where the human player deeply understands the strengths and weaknesses of the computer counterpart. The need for this understanding in computer-human teams becomes even more important when the decision isn’t about moving a knight but about whether an individual poses risk to your organization.


Currently, no AI solution is a silver bullet, but these solutions can be very effective at identifying patterns and helping deliver insight that would have been very difficult to uncover otherwise. However, business decisions are always made in a specific context. An AI solution may help isolate your highest-performing hiring channel, but it won’t tell you how to change your resource allocation given your budget, hiring volume, open roles, etc.


“AI offers exciting possibilities,” said Jim Hare, research vice president at Gartner, “but unfortunately, most vendors are focused on the goal of simply building and marketing an AI-based product rather than first identifying needs, potential uses and the business value to customers.” AI companies must prioritize actionability by explaining to users how to incorporate insights into a fuller decision-making process. The best solutions provide the minimum amount of raw data to enable the most informed decisions and enough analysis to improve efficiency and pattern recognition. Striking this balance is not easy.


When considering an AI solution, you should focus on just how specific you can get with the data. In other words, is it a generic solution or is it highly customizable to match your unique business context? Keep in mind that there will always be variables that the solution will not be able to account for.


That is why, when you consider your company’s approach to hiring, it is important to recognize that it’s impossible to look at all of your candidates in the same way. Every position carries a separate set of responsibilities and therefore requires a varying level of scrutiny. That is why, at Fama, we are taking a big step in the right direction by now allowing users to customize adjudication and interpretation criteria by department, seniority, or even on a role-by-role basis. Users will only see information that matters for that particular candidate as it applies to a specific role. This not only promotes more informed decision-making but also helps to train recruiters and hiring managers to become better at identifying the relevant indicators of job performance.

To learn more about Fama's automated approach to social media screening please feel free to reach out to Fama's Head of Business at [email protected] 


Defining Corporate Culture: Google Takes A Stand

The recent events in Charlottesville have forced companies from small startups to Fortune 500s to ask themselves difficult questions about what they stand for as an organization. This blog is the first in a series spotlighting companies that have had to make tough decisions about what their core values actually mean in practice. Today we take a look at the recent controversy around the released memo written by a Google employee.

This past week, the tech giant fired an engineer who wrote a controversial memo criticizing, among other things, the company's diversity efforts and the role of women in the workplace. The memo spread like wildfire internally and then went viral, causing a massive PR headache for the company. The news story is a setback for Google, which has already been under fire for gender discrimination. According to TechCrunch, "The timing of the saga is not good for Google, which was hit by a lawsuit in January to obtain compensation data, ending up with a snafu over gender pay discrimination."

If Google is serious about addressing the real issues of gender discrimination in their organization, then they have some difficult work cut out for them. To do it, an organization must be committed to consistent communication to their employees of the values of the organization and be willing to take controversial stands when those values aren’t upheld.

However, these efforts will likely be futile absent a systematic approach to bringing on board individuals who are aligned to the company’s values and mission. Building a strong corporate culture is hard enough when team members do generally agree on values; it’s almost impossible when most don’t.

If your organization cares about your mission statement being more than just a tab on your marketing page, it will have to make decisions like the one Google recently made. The blowback from Google’s actions was magnified because it had failed to convince the public and its own organization of its authentic commitment to those values. Looking at strength of character in addition to job experience of your candidates is one way to do just that. You may even prevent hiring someone who discriminates against your employees or causes a media scandal for your organization.

How To Screen: On-Demand Employees

This is the fourth in a four-part series of articles—"How To Screen"—that explores the challenges that HR faces when screening different levels of employees and helps inform employers what they should be looking for.


So far we've looked at how age and experience levels often determine the nature and intensity of your search. Today, we're considering how the type of job someone is applying for also factors into what you are analyzing online. Specifically, we're looking at the on-demand economy; fast-rising and successful companies like Lyft, Seamless, and Postmates in this platform-based "gig sector" employ 14% of all Americans in some capacity.

What do we know about these employees demographically? According to a Burson Marsteller survey, the majority of them are young (18-34), male (61%), and tend to live in big cities. They also, according to the survey, report making more and more money from these on-demand jobs every year.


So, if you're a platform-based on-demand company, offering a quick service or good to someone with the press of a button, how are you to best screen candidates for these gig jobs? The first thing to remember is that extreme scrutiny is very important. These people are potentially being sent into homes, driving cars, and babysitting kids. Attention to detail is important; just because your HR department may be vast, distant, and never meet these employees, doesn't mean they shouldn't screen their social media carefully; do they exhibit behavioral red flags, like violence, drug abuse, or hate filled beliefs through their social content? You can find this out easily and mitigate a lot of risk. Furthermore, these are people representing your company and brand in the field; for better or worse, they are your ambassadors. If they have public social media content that illustrates poor judgement, or values that do not align with your company or culture, that can be extremely problematic and telling of greater issues down the road.


Another thing to remember is that because of these people's age, you can assume they are active in at least some form of social media and as a result there will probably be a lot of noise to sift through; they'll simply have more content across the platforms than any other group. Folks under 30 are probably going to have some alcohol or perhaps even drug-related content. It's up to you to determine if the quantity and nature of these posts is a disqualifying factor. Furthermore, what you might deem as "bad language" may have a different context for people in their teens or early twenties, and may not be indicative of a true red flag. This is not to say you should be overly forgiving of younger candidates; if you come across anything related to bigotry or violence, that's a total no-go.


Another element to consider is: what specific traits are not permissible for the particular gig job someone is applying for? If they're a babysitter applicant, you'll want to be overly thorough in your examination of their social media; if they're a driver, you may not necessarily care about their bad language or controversial political opinions (as long as they are not inflammatory or out of control). As long as you are applying consistent values with your analysis of candidates, you should be just fine.


That is why Fama has made consistency a key part of its automated process with the upcoming release of customizable "Flag Kits" that allow businesses to carve out role specific screening that matches what your company has deemed relevant to that position and seniority. 


Intelligent and sensible scrutiny is key to finding the best people for on-demand jobs. The task of analysis may seem less important because you aren't seeing these people in an office every day (perhaps you'll never meet them at all), but considering they are the ones directly interacting with your customers, it is necessary to do a thorough social screening.





How To Screen: Executives

This is the third in a four-part series of articles—"How To Screen"—that explores the challenges that HR faces when screening different levels of employees and helps inform employers what they should be looking for.


Each age group and level of work experience requires a specialized level of scrutiny that is beneficial for both employers and their prospective candidates. People use social media differently depending on their age, and the nuances of that use can be hugely important in the hiring process. This week we are taking a look at what to expect when you are screening candidates for senior level positions; this is typically for people ages 50 to 65. According to a Pew Research poll, 64 percent of these folks use social media. There's certainly a stereotype that because people are above 50, they either don't use social media or aren't well versed in it. Don't make that mistake; screening these people can be just as relevant, as we found these people are just as technologically versed as their middle-aged counterparts. There are a couple of points to remember: the first is that red flags on social media for these people are low probability. It's likely that they are old enough to have good judgment and a lifestyle (especially if they are applying for a senior position) lacking an online life full of alcohol, inappropriate posts, or inflammatory thoughts. But that actually makes it trickier and brings us to our second point: this group is extremely high risk. Their flags carry more weight due to their age, and a large quantity of posts is alarming and points to a lack of judgment and a projection of poor performance as a senior leader in your office.


Let's first look at the probability. You should screen these people like you would your younger, mid-level candidates. If they have photos of alcohol or drugs, or a bunch of bad language or inflammatory political posts, it probably tells you more about their personality than it might for a millennial. Somebody having a glass of wine in a profile picture is probably nothing, but if they have a bunch of Instagram posts where they are taking shots at a club, at age 58, you might want to ask a few questions. According to Pew Research, people over 50 use Facebook (61 percent of them in America) over 3 times more than they do any other site or app. Thus, that is where you'll find the majority of information. However, simply because of their age, it's unlikely you will find more red flags than you might for younger people, but that doesn't mean it isn't worth it to try.


Social media imprints seem to get smaller as we look across the age spectrum, but that means they carry more weight. We expect a lot of senior level workers, as leaders and mature, thoughtful people who contribute to our companies both in and out of the office. So that would make a red flag like cyberbullying or discrimination more alarming, and a potential liability down the road. You might be able to forgive this behavior case-by-case in younger candidates, but if you see someone in their sixties who is posting some horrible thing on Facebook, that's nothing short of a threat to avoid.


The dynamic of screening senior level people comes down to the low probability/high risk quandary. It may seem like screening is less necessary, but the weightiness and potential ramifications for your company, on a cultural and legal level, are too much to avoid. Careful, nuanced scrutiny where you're thinking about someone's age and experience is the most efficient way to manage your screening and hiring processes.

Whatever you might deem relevant, it is important to remain consistent across each position and seniority to ensure you are looking at candidates the same way. Which is why Fama has made consistency a key part of its automated process with the upcoming release of customizable "Flag Kits" that allow businesses to carve out role specific screening that matches what your company has deemed relevant.

