
Social media cybercrime: Seeing the bigger picture of the risks

As a Cyber Resilience Centre for Wales (WCRC) community ambassador member, Cardiff Metropolitan University’s Project Liaison Officer Matt Tomlinson has been asked to reflect on the risks that individuals and businesses alike face from the hidden information that can be extracted from an image, and on the work that the university is currently undertaking within the field of cyber security.

The Importance of Being Social

Social media is now a vital tool for customer engagement, brand building, and networking in the fast-paced business world, with 75% of SMEs in the UK now using some form of social media to market their business (The UK Domain, 2020). The sensitive information hidden in the backdrop or foreground of business-related photos presents a potential threat that is frequently overlooked among the innumerable images that are shared in the corporate world.

This blog seeks to shed light on the dangers and preventative steps that businesses and individuals linked to businesses should take to safeguard their interests against the inadvertent release of sensitive information via picture backgrounds on social media.

Workplace Intelligence

Companies frequently post pictures from inside their buildings, either to show off the culture of the workplace or to highlight group accomplishments. Sensitive information like project boards, strategy documents, computer screens or proprietary technology may unintentionally be revealed by seemingly innocent content. This inadvertent disclosure may give rivals an early look at how you do business or provide cybercriminals with the knowledge they need to launch an attack.

Guidance: Make sure no private information is visible in office-related photos by running a thorough background check before posting them.

Strategic Sites

Events, conferences, and business meetings frequently end up on social media feeds. These pictures demonstrate networking prowess, but they can also provide information about future collaborations, deals, or growth strategies. Event banners and whiteboards with strategic notes are examples of background elements that may accidentally reveal private information.

Guidance: Be cautious when posting photos from business functions, making sure that the background doesn't reveal any sensitive information.

Employee Security

Pictures of staff members may unintentionally reveal more than just faces. Visual cues about everyday activities, workplace security protocols, or even the technology stack your team uses can all be found in backgrounds. Cybercriminals may use this information in targeted attacks, putting the cyber security of your company or employees at risk, and some of the content uploaded could be found to invade the privacy of the team members.

Guidance: Set explicit rules about what can and cannot be included in the background of business-related photos; teach staff members to be aware of the surrounding area details in pictures posted on social media and crop images where appropriate.

Security Awareness Training Alone is not Enough?

The need to educate employees on security awareness (SA) is nothing new. It is something that the National Cyber Security Centre has continually promoted since its inception, and other agencies long before, yet Ipsos MORI (2019) found that only 37% of businesses actively engage in SA training for their employees. With such a gap between businesses on social media and those providing training, can we be confident that the information we want to protect is indeed protected?

Cardiff Met has been investigating the hidden security vulnerabilities within social media posts and identifying how each of these vulnerabilities can be used to form a profile of an individual or business in order to stage an attack. Using this information, we have been working on a tool that will analyse an image for potential threats, alert the user to its findings, and offer mitigation techniques to best protect their information. No tool will ever be able to replace basic security awareness training, but when used together, businesses and individuals stand a better chance of remaining safe online.

In Summary

It's critical for businesses to understand the possible hazards related to sensitive content in images as they continue to navigate the ever-changing social media landscape. Businesses may reap the rewards of social media engagement without jeopardising their sensitive and private data by taking preventative action and promoting an awareness-raising culture. Keep in mind that, in the digital age, protecting your company's trade secrets involves more than just sharing information — it also entails watching out for background leaks.

Ipsos MORI. (2019). Proportion of United Kingdom (UK) businesses undertaking the Government's 10 Steps guidance in 2019. Statista. Statista Inc. Accessed: November 21, 2023.

The UK Domain. (2020). Share of SMEs that used social marketing in the United Kingdom (UK) in 2020. Statista. Statista Inc. Accessed: November 21, 2023.

Do you have a cyber question about your social media or any other area of your business? Please contact the WCRC team.

If security awareness training is of interest to you, the WCRC offers bespoke sessions aimed at those with limited cyber knowledge. It’s a great opportunity for businesses to help employees grow in confidence when it comes to understanding and preventing cyber risks, spotting any suspicious activity and feeling empowered to raise concerns.

For resources, toolkits, regular cyber news, threat updates and more, sign up for the centre’s FREE membership programme.

