Social media may not be everyone’s cup of tea, but it is getting harder and harder to ignore for organisations – especially from a cyber security perspective.
A range of recent research has highlighted the increasing dangers that organisations face from employees’ social media usage.
One thing that stands out in the research is how little “due diligence”, in the words of Raj Samani, CTO EMEA at Intel Security, is done when connecting with other accounts.
Intel Security’s research found that 24 percent of the 2000 UK-based respondents had connected with someone they did not know on LinkedIn.
69 percent of respondents had never wondered if someone was not whom they said they were on LinkedIn.
Research conducted by OnePulse for RiskIQ found that only 53 percent of people check for the verified badge when engaging with a retail brand.
Only 42 percent of people checked the brand’s other social media posts, and 40 percent checked whether the brand had replied to other people’s Tweets or posts. 31 percent checked the Twitter handle or Facebook URL, while 24 percent checked the brand’s number of followers or likes.
These are concerning figures as it is easier than ever to set up a fake social media account.
A ProofPoint report revealed a huge number of fraudulent social media accounts and apps associated with the Olympics. 15 percent of Olympics-related social media accounts were fraudulent and 6 percent used the popularity of the Olympics to steal follower credentials through phishing attacks. 82 percent were impostor accounts, with misleading use of Olympic or sponsor brand elements to attract followers and interaction.
But these figures came alongside evidence of a lack of corporate leadership. 87 percent of respondents in the Intel Security survey said that their employer had never made them aware of any specific corporate policies around LinkedIn use.
Samani at Intel Security says that the main danger from social media historically would be a phishing approach.
“It doesn’t take a lot to do a targeted attack from the information that is available online through Twitter and LinkedIn.”
He says that “promiscuous” activity on social media has made it much easier to carry out these attacks.
Phishing essentially aims to trick a user into giving up personal information.
Information harvested from social media could be used in a spear phishing email, which is more targeted still, appearing to be from an individual or business that seems to be known to the victim.
A common email scam, for example, sends a message to all of a victim’s contacts, claiming to have been stranded at a foreign airport and asking for money to fly home.
The social media-driven attack could take key information from the profile, such as their job and their interests. This is then fed into the phishing email to convince the victim that this comes from someone who knows them.
There are other risks. Fraudulent social media accounts can send malicious links or adware.
A LogMeIn spokeswoman said that credentials are another risk. “From a company social media standpoint, password security best practices are no different from those of an individual. Your security is as strong as your weakest link, and oftentimes for businesses that can be a single employee.”
There have been major cases in the news recently of account details such as usernames and passwords appearing on the Dark Web, with big companies involved such as O2 and Yahoo. Details stolen from social media accounts could also be valid credentials for accessing more sensitive corporate accounts, for example, or for consumer email accounts that have been used for work purposes.
A good starting point in preventing these threats is creating a social media policy for employees.
A HootSuite blog on the subject emphasises the need to make sure to consult all relevant parties, including executives, IT, legal, security and compliance and PR.
“Clearly define the dos and don’ts on every social channel for engagement and employee advocacy. Include best practices, guidelines, and procedures on how your organisation plans to implement training and enforce proper use.”
Samani says that organisations need to “determine the levels of exposure that executives have” and work out whether employees are exposed to risk.
Organisations should ask their employees to consider how much of their information is already online and bear in mind that this can be used against them.
As for the credential risk, the LogMeIn spokesperson suggests securely sharing social media passwords using a password manager with a sharing centre, such as LastPass.
Standard data hygiene concepts apply: putting safeguards in place to ensure that data is shared securely, such as encryption, is also important.
Regardless of the specific approach or approaches, the important first step is that social media security makes it onto the agenda at all.