Even innocent information can be easily leveraged by a good social engineer to gain physical entry into buildings or hacking into a company's networks, said Nathan Wenzler, chief security strategist at AsTech Consulting, a San Francisco-based security consulting company.
"There are so many avenues in which you can twist information to your advantage, so that the lines between business info and personal info can get blurred very easily," he said.
While few people heed the suggestion of not posting on social media when they are on vacation or working out of town, the recommendation should be take seriously, Wenzler said.
A burglar who is attacking someone directly could steal pertinent business information such as work badges and computers that can be leveraged to conduct attacks against the business.
"For a motivated attacker who may be targeting a specific company, even personal information can be very valuable to be used to break into company's physical or virtual environments," he said.
Employees should be wary of posting information that includes days and times when they will be out of the office or on vacation, descriptions of how user names are created internally such as my company uses first initial followed by last name for my login or names and contact information of co-workers, Wenzler said.
"The information can be used by a social engineer as an alternate way to try to get information about the company such as Joe posting on Twitter that Jane in the accounting department shared a funny meme," he said. "The hacker finds Jane's contact information and calls her saying, 'Joe just asked me to contact you to see if you could help me.'"