Social Media Policy
Learn what not to post on corporate accounts.
What Is Social Media Policy?
Your company's social media policy exists because a single careless post can leak proprietary information, damage a brand, or give attackers the reconnaissance they need for a targeted attack. This exercise starts with a set of real-world scenarios pulled from actual incidents. In one, an employee's LinkedIn post about a 'big deal closing next week' tips off a competitor. In another, a photo taken inside the office captures a monitor displaying a client list. A third scenario involves an employee venting about workplace frustrations in a way that violates the company's public communications guidelines. You evaluate each post, determine the specific risk, and rewrite the content to remove the exposure without losing the message. The simulation then shifts to your own activity: you review a mock social media profile and identify details that an attacker could use to craft a targeted phishing campaign against you or your company. Job titles, reporting structures, technology stack mentions, travel plans. All of it is useful to the wrong people.
What You'll Learn in Social Media Policy
- Identify types of corporate information that should not appear on personal or professional social media profiles
- Evaluate social media posts for operational security risks including location data, org charts, and technology details
- Rewrite social media content to remove sensitive information while preserving the original message's purpose
- Recognize how attackers mine public social media profiles to build pretexting scenarios for targeted attacks
- Apply your organization's social media policy to ambiguous situations where personal expression and corporate risk overlap
Social Media Policy — Training Steps
- Welcome to Catalyst Innovations: It's a regular Wednesday morning. You've settled into your home office and are about to check your messages.
- A Message from Mark: Alice's phone buzzes with a Telegram notification from her colleague Mark Chen, a senior developer on the team.
- Mark's LinkedOut Post: Curious about what Mark shared, Alice opens LinkedOut on her desktop to find his post.
- What Mark Shared: Mark's post is enthusiastic, but take a closer look at what information he has publicly revealed.
- An Email from TechForge: Five days have passed. Alice receives an email apparently from TechForge Solutions about the Project Helios collaboration.
- Clicking the Link: The email looks legitimate: it references Project Helios, mentions Mark by name, and knows about the Q2 deadline. Alice clicks the link to access the partner portal.
- Logging Into the Portal: The partner portal asks Alice to log in with her work credentials.
- Authentication Error: The page shows an authentication error. That's strange: Alice is sure she typed her password correctly. A knot forms in her stomach. Why isn't it working? She decides to wait and try again later, but the uneasy feeling lingers.
- Something Is Wrong: Two hours later, Alice receives an urgent email from the Catalyst Innovations Security Operations Center.
- The Sender Domain: Alice realizes what happened. Let's go back to the original email and examine the red flags she missed. First, the sender's email address.