Employee Selfies: Cybersecurity Threat to Companies


Selfies are supposed to be fun, or so your employees think. They believe these are harmless photos that let their friends and family see what they are up to. Of course, a selfie captures not just the person taking it, but everything in the background as well.

This isn’t an issue when they are at the local pub after having clocked out for the day or in their house, but a growing number of employees now take selfies at work. Some business owners may get annoyed simply because time spent taking a photo should be time spent doing something productive. However, there’s a far bigger problem.

If your organisation has critical infrastructure, these photos can provide cybercriminals with an easy access point. Laboratories, power plants, recycling facilities, water treatment sites and even factories would be vulnerable to countless cybersecurity threats simply because an employee decided to post that #hardatwork selfie last month.

IT systems that are in one way or another connected to critical infrastructure are known as Supervisory Control and Data Acquisition (SCADA) systems. These systems control a number of functions, including the transmission of electricity, transportation of gas and oil in pipelines, stop lights, water distribution, and other operations that play a vital role in daily life in Australia.

Obviously, if the control of these functions were to fall into the wrong hands, chaos could ensue because citizens would be unable to access the services they rely upon. This was apparent last year when more than 500,000 people in nearly 300 cities lost power in Ukraine because of a cyberattack on the country’s power grid.

The cybercriminals did a fair bit of homework to get access to the SCADA systems at Prykarpattya Oblenergo, the electricity company in charge of distributing power. They sent spear phishing emails, dispersed malicious firmware, and scoured social media for any photos that may disclose critical information they could use towards their efforts.

What many mechanical engineers and supervisors at facilities that house critical infrastructure don’t understand is that cybercriminals who want to gain access to those systems are willing to do whatever it takes to find even the smallest piece of information that will help them.

This includes scouring your employee database and finding each and every staff member’s social media profiles. They will look at every photo and selfie that has ever been published and sometimes create fake profiles to gain full access to these accounts in hopes of finding sensitive, accidentally-captured information that can be used to infiltrate SCADA systems.

The majority of the population would have no idea whether a selfie contained information that could open up a backdoor to your system. After all, SCADA systems are incredibly complex. But cybercriminals looking for a way to infiltrate your systems need only small details — a peek at a portion of a computer screen or some other equipment, for instance — to find everything they need.

The Consequences

Since laboratories, power plants, recycling facilities and water treatment sites serve the public in one way or another, trust is very important. The public has to trust that you are taking care of these services because the last thing they need to worry about is a disruption caused by cybercrime.

Though the consequences of cybercrime on critical infrastructures can be wide-ranging and affect hundreds of thousands of people, you’re already in trouble if the public learns your SCADA systems are vulnerable because employees are taking selfies around sensitive areas. The threat of something like a massive water contamination or power outage because of a cyberattack will cause the public to lose faith in your ability to serve them.

Protect Your Organisation

In order to avoid the damage to your reputation that comes with a publicised security vulnerability, it is important to establish policies that protect the critical infrastructures under your watch. The first step is to turn particular points in the workplace into photo-free zones. Be sure to post signs and inform all employees that taking photos, including selfies, is prohibited beyond a certain area, usually the lobby.

It’s also a good idea to bring in a security expert to speak with employees regarding workplace security. Employees may take selfies around critical infrastructure not necessarily to betray private information, but because they simply do not realise the dangers involved. They assume that only friends and family — not cybercriminals — will be looking at pictures.

And while security reviews are undertaken, it’s wise to have an entire IT audit done to look for other vulnerabilities in both critical and corporate infrastructures. Rogue selfies are just one piece of the puzzle, and there are numerous other ways cybercriminals can enter your organisation’s systems.

Director of Empower IT, Salim Sukari, says, “People tend to see selfies as harmless since it is assumed people will be looking at the person in the picture. However, cybercriminals are looking at what else the photo contains. Something as innocuous as a sliver of a computer screen or the make and model of a control console can be used in a cyberattack. While selfies may not be an issue for restaurants or retail outlets, organisations with critical infrastructures should be vigilant when it comes to protecting these.”

Security is important for companies of all shapes and sizes. Empower IT’s security experts can advise your organisation on what protections it needs to stay safe. In this day and age, even something as simple as a workplace selfie can have significant repercussions that may harm your company’s reputation and ultimately its revenue.