At a recent security briefing by the Defense Security Service, the first line spoken by the DSS representative was this: “Right now, the number one way industry is being targeted is on LinkedIn.”
DSS and the Office of the Director of National Intelligence (ODNI) have warned security clearance holders of the risks of social media for years now. There is an understanding that individuals are not going to stop using social media. The issue is how security clearance holders, specifically, are using those channels. In many cases, there seems to be a lack of discretion in both the amount of information shared, and the individuals one connects with.
Just this month a security firm announced the latest (successful) attempt by Iran to target security professionals via LinkedIn. Every time we run one of those stories, someone posts a comment questioning the validity of us ‘bashing’ a competitor. But we’re not advocating anyone get off of LinkedIn, or stop using any social media site completely. We are arguing you may want to reduce your profile, remove some information, and absolutely stop posting your resume or connecting with strangers.
I’m on LinkedIn (truth in lending, I read my ‘recommendations’ on a bad day, just to make myself feel professionally competent again). I consider it a part of my ‘online brand’ – it’s the first thing that comes up when you ‘Google’ my name. But I use it as just that – a platform for a profile photo, some recommendations, and an introductory paragraph. I don’t have anything resembling a resume on the site, don’t list my clearance information, and I don’t use it to connect with recruiters (unless I know them personally).
If you have a security clearance, you can engage in social media (including LinkedIn). But, you absolutely must do it wisely. Here are tips for safer networking on the Internet’s most dangerous career site:
1. Don’t post your resume.
I’ve said it already. LinkedIn is not a place for your resume. It’s like the front page of the New York Times. Don’t publish anything there you wouldn’t want repeated back to you by your security officer, or read aloud during the nightly news. Program names, and even specific agencies, shouldn’t be on your resume.
2. List your employment history broadly.
LinkedIn wants you to include every workplace you’ve been at on the site. They gather more information, and can send you more crappy suggested connections or ads. If you’re a cleared professional, don’t do this. You don’t get any value in sharing every workplace on the site, other than having all of the annoying coworkers you thought you’d left behind try to connect with you. You simply make yourself a greater intelligence target by sharing more information.
3. Don’t connect with anyone you wouldn’t recommend.
This advice came directly from DSS: “I can’t tell you how to manage your social media, but I can tell you that on a site like LinkedIn, if you wouldn’t vouch for them in an interview, don’t connect with them.”
DSS takes it a step further than simply only connecting with individuals you know. You may know a lot of people. Unless you’d be willing to provide a character or professional reference for that person, don’t connect with them. That means that individual you met once at an industry conference, or the coworker you know from the office but have never personally worked with – don’t connect with them.
It goes without saying that having mutual connections doesn’t mean anything. The Iranian hackers built up mutual connections before reaching out to their primary target. It is a known strategy, and it means having a mutual connection with someone doesn’t mean you’ve actually met them – even if they indicate you have in their introduction.
4. Only access LinkedIn via the platform – not via email.
Security firm McAfee lists ‘Invitation to Connect on LinkedIn’ as the most used subject line in spear phishing attacks. DSS notes push notifications on your cell phone may also be spoofed. DSS recommends you only access LinkedIn by directly visiting the platform. Once you’re there, do your business, but never click on a notification you get in your inbox or phone – there’s too great a chance it’s a spoof.
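To show what a spoofed ‘Invitation to Connect’ message looks like from a mail-filter’s point of view, here is an added example (not from the original article, DSS or McAfee) that triages a raw email: it checks whether a LinkedIn-themed subject line comes from a linkedin.com sender and whether every link actually points at linkedin.com, rather than only displaying that name. The two sample messages, the sender domains and the allowlist of `linkedin.com` plus its subdomains are all constructed assumptions for the example. It supports the advice above rather than replacing it: a message that passes these checks is still best acted on by visiting the site directly.

```python
"""Heuristic triage of LinkedIn-themed invitation mail (constructed example).

Flags messages whose sender or links do not actually point at linkedin.com,
which is the core of the spoofing pattern described in the article.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LINKEDIN_APEX = "linkedin.com"  # assumption: the only legitimate domain


def is_linkedin_host(host):
    """True for linkedin.com and any of its subdomains, nothing else."""
    host = (host or "").lower().rstrip(".")
    return host == LINKEDIN_APEX or host.endswith("." + LINKEDIN_APEX)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Return (verdict, findings) for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    themed = "linkedin" in msg.get("Subject", "").lower()

    # Sender and Reply-To must belong to linkedin.com when the mail claims to be from it.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if themed and not is_linkedin_host(sender_domain):
        findings.append(f"LinkedIn-themed subject but From domain is {sender_domain!r}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not is_linkedin_host(reply_to.rpartition("@")[2]):
        findings.append(f"Reply-To points outside linkedin.com: {reply_to!r}")

    # Every link is checked against its destination host, not its display text.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname
        if is_linkedin_host(host):
            continue
        if LINKEDIN_APEX in text.lower():
            findings.append(f"link text says LinkedIn but points at {host!r}")
        elif themed:
            findings.append(f"LinkedIn-themed mail links to {host!r}")

    return ("suspicious" if findings else "no indicators"), findings


# Constructed sample: sender, reply-to and link all live on a look-alike domain.
PHISH = """\
From: LinkedIn <invitations@linkedin-mail.example>
Reply-To: recruiter@linkedin-mail.example
To: analyst@example.org
Subject: Invitation to Connect on LinkedIn
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane Doe wants to connect with you.</p>
<p><a href="http://login.linkedin-mail.example/accept?id=1">www.linkedin.com/accept</a></p>
</body></html>
"""

# Constructed sample: everything resolves to linkedin.com, so no indicator fires.
BENIGN = """\
From: LinkedIn <messages-noreply@linkedin.com>
To: analyst@example.org
Subject: Invitation to Connect on LinkedIn
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.linkedin.com/comm/people/invite">View invitation</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        verdict, why = triage(raw)
        print(name, verdict)
        for line in why:
            print("  -", line)
```

The display-text check matters most: a link whose anchor reads `www.linkedin.com/...` while its `href` goes elsewhere is exactly the kind of notification the article says not to click. Extending the allowlist or wiring `triage()` into a mail gateway is left to the reader.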
5. Sell your soft skills.
Cleared recruiters aren’t using LinkedIn as their primary source of cleared talent. You don’t need to bother with posting your resume – they don’t need it. Recruiters are using sites like LinkedIn to verify your soft skills after reviewing your resume on a secure, password protected site such as ClearanceJobs. Soft skills are important and hard to convey in your resume. Make your LinkedIn profile a place for employers to confirm how awesome you are – not discover it. Build those recommendations (but ask professional contacts to focus on those soft skills – not your amazing abilities at translating Farsi intelligence reports). Describe what you enjoy about a workplace, or what your work style is. Share relevant news articles. But don’t reveal anything sensitive or specific.
You can build and maintain an online brand across a variety of platforms. LinkedIn is probably one of those places. But like all social networking sites, it comes with risk. Be very aware of every piece of information you decide to share, or which may be shared about you. The resume detail you post online today could make you the source of a security investigation tomorrow – and that won’t do anything for your brand.