Keyboard

How Social Media Contributes to Cyber Crime – And What Businesses Can Do About It


You’ve spent countless hours and thousands of dollars implementing the latest security measures in an effort to combat cyber threats from outside your organization. Thanks to the work of your security team, you are confident that you can block intrusions from hackers or viruses, and that your data is safe from prying eyes.

But should you be so confident? While the strongest, most advanced security solutions can protect your business against most attacks, there is one element that even the most robust system cannot protect against entirely: the human element. Employee mistakes, made either maliciously or by accident, are one of the leading causes of security breaches in U.S. companies today, and a large number of those mistakes are related to the use of social media, either directly or indirectly.

Innocent Comment…Or Sharing Secrets?

It begins innocently enough: An employee joins a social media site and notes that they are employed by your organization. They then receive a request to connect with someone or a notification that they’ve got a new follower on their feed. The connection or follower seems legitimate; this person has a profile complete with photo, posts and a job listing in a related industry. Within a few weeks, your employee receives an email or instant message from the new connection containing what seems to be work-related news or information — and a link to click for more information.

If your employee follows the link, there’s a good chance that it’s all downhill from there. The link will likely lead to malware that attempts to infiltrate your system, steal your data and create a potentially costly security breach. And unless you have the most up-to-date protection, you may not even know what hit you.

The scenario described above is what’s known as spearphishing. Cyber criminals, no longer content with reaping whatever data they can from random machines infected with their widespread malware, have begun targeting specific companies and individuals with the intent of infiltrating corporate networks. By targeting individuals, criminals gain the target’s trust and increase the chances that they will click on a harmful link or open an infected message, thereby opening the front door to the thieves. And one way criminals are opening those connections is via social media. Criminals are finding the right people in the right place, and gaining information they need to launch attacks.

Beyond Spearphishing

Researching information for spearphishing attacks is not the only way that criminals are using social media for their nefarious deeds. Malware is being spread via the sites themselves — criminals employ social engineering to attract users and infect computers. Understanding the human need for information, criminals create sensationalized posts about celebrities or news items, enticing users to share them. But as soon as someone clicks on the link, it launches malware, endangering your networks and data.

Protecting Your Networks

Protecting against the human element is one of the challenges of cyber security, but it’s not impossible to overcome. Even in the face of the potential risks of social media, it is still possible to both protect your networks and allow access to the social networks that play such an important role in employees’ personal and professional lives.

This begins with robust protection. Your IT security must be up-to-date and regularly maintained for maximum effectiveness. The threat landscape changes daily, so threat protection from last month or last year is not effective.

Second, you need a clear social media security policy. Some companies have banned social media entirely, prohibiting employees from accessing the sites during working hours or on corporate machines. However, in a BYOD environment, such strict prohibitions are all but impossible to enforce. If social media access is allowed, it’s important to train employees on proper use and, most importantly, to offer guidelines on what does not constitute acceptable use and which behaviors to avoid. For example, employees using social media at work may be directed to set their privacy settings to the highest levels. Employers should also require that employees limit the amount of personal or corporate information shared, and employees should be instructed on how to spot potential scams and threats.

As social media continues to grow and solidify its status as an important business tool, it’s going to become increasingly important for IT security teams to put protections in place to prevent unauthorized access to networks and costly security breaches. The first step is to understand the threat and provide the education necessary to protect against it.

Photograph by Stuart Pilbrow
