For many companies, social media is an amazing marketing tool. You can get your name out in front of established and potential customers without spending a lot of money. Many organizations turn to interns to create Facebook posts or to send out regular tweets on Twitter, or they hire a freelance social media expert who can keep the company's name in the public eye for a fraction of the cost of a full-time employee.
At the same time, social media can be an organization's worst security nightmare, especially when outside vendors or short-term interns are the ones handling the outreach.
“The risk with this medium of communication is that there is minimal control, and a bad post, a hack, or an incorrect statement can make the organization look inexperienced and offensive at worst,” said Carlos Pelaez, Director and National Practice Leader with Coalfire. “Furthermore, social media provide more information about the employees and their functions, which can be useful information for someone who is trying to socially engineer a hack.”
Most people understand that negative comments about their employers can create a backlash, but even innocent commentary can be risky. Attackers take note of what is being said about a company, both good and bad, and of who is saying it, and use it to build a profile that feeds targeted spear-phishing campaigns. From what is posted on social media, attackers can often pin down very specific details about a company's decision makers and other key personnel, and the end result is a highly convincing socially engineered attack.
Through social media, attackers learn details such as personal preferences and nicknames that make a fraudulent request seem more plausible, Pelaez pointed out. "For example, if someone posts or tweets that William Smith is the VP of IT Technical Support, I could call on one of their employees and say that 'Bill asked me to confirm your password was reset, so please give me your current password so that I can validate it.' You would know William went by 'Bill' because of his social media account and how references were given to him on LinkedIn, as well as how friends tweeted to him. This kind of personalized communication is lethal when combined with social engineering. Hackers know this and will exploit this."
And you had better believe that hackers are also taking advantage of the public perception of a company as presented on social media, said Devin Redmond, Vice President and General Manager of Social Media Security and Compliance with Proofpoint. After all, cybercriminals want to gather as much information as they can to find a way to impersonate your brand to your customers.
“Social media has an immediacy that can affect the public at large and shift markets in an instant, and it carries a legitimacy that encourages people to click on links,” Redmond stated. “You might have time to think about a website, or an email from an anonymous source. But if a news source or brand you trust (or what appears to be a brand you trust) posts a notice of an emergency or of a limited-time offer in your social feed, your instinct is to act or click without thinking – and that tendency is even worse when another news source or colleague reposts that link.”
When it comes to securing enterprise social media accounts, there needs to be a dual focus. Companies need to take a closer look at what they are posting in order to prevent socially engineered attacks on employees, while at the same time making sure that everything posted in the company's name is legitimate and not the source of malicious activity. This means ensuring that the person or persons responsible for handling the social media accounts are well trained in the company's security policies.
“Companies that have a security policy in place and talk about it are better off because they acknowledge the risk,” said Pelaez. “Employees are aware of the risk and that awareness translates into better security. Smart users will use technology more securely and better understand the ramifications if they do not apply best practice in social media outlets.”
However, it takes more than just good security policies, Redmond added. Social media security also requires good security tools. “The volume and complexity of regulations, policies, and posts is such that the only way to approach social media security and compliance is through the use of technology augmentation: computerized systems that can scan and process information faster and more consistently than any department or outsourced service full of people. Only people and process combined with technology guardrails can safely and effectively scale to address this security challenge.”
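Redmond's "technology guardrails" can be made concrete with a pre-publish check on outbound posts. The following is an added example, not code from the original article and not Proofpoint's or Coalfire's product logic. It assumes a hypothetical company whose links must stay on example-corp.com, uses constructed sample posts, and flags the patterns the article describes: links to lookalike or shortened domains (the "appears to be a brand you trust" case), urgency wording paired with an off-domain link, and any post that asks readers for a password or code, which a brand account should never do.

```python
import re
from urllib.parse import urlparse

# Constructed configuration for a hypothetical company (not any vendor's rule set).
ALLOWED_DOMAINS = {"example-corp.com"}                      # exact or real subdomains only
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly", "goo.gl"}  # destination is hidden

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)
URGENCY_RE = re.compile(
    r"\b(?:act now|limited[- ]time|urgent(?:ly)?|immediately|expires today)\b", re.I)
CREDENTIAL_REQUEST_RE = re.compile(
    r"\b(?:send|give|dm|reply with|confirm|enter) (?:us |me )?your (?:current )?"
    r"(?:password|passcode|verification code|one[- ]time code|login)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; used to catch typosquats of the allowed domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lower-cased hostname without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact match or a genuine subdomain; 'example-corp.com.evil.net' must not pass."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def lookalike_of(host, allowed=ALLOWED_DOMAINS):
    """Return the allowed domain this host imitates (within two edits), else None."""
    for d in sorted(allowed):
        if edit_distance(host, d) <= 2:
            return d
    return None


def scan_post(text, allowed=ALLOWED_DOMAINS):
    """Return a list of (severity, reason) findings for one outbound post; [] means clean."""
    findings = []
    external_link = False
    for url in URL_RE.findall(text):
        host = host_of(url)
        if is_allowed(host, allowed):
            continue
        external_link = True
        if host in SHORTENERS:
            findings.append(("high", "shortened link hides destination: " + host))
        elif "xn--" in host:
            findings.append(("high", "punycode (IDN) host, possible homograph: " + host))
        elif lookalike_of(host, allowed):
            findings.append(("high", "lookalike of %s: %s" % (lookalike_of(host, allowed), host)))
        else:
            findings.append(("medium", "link to non-allowlisted domain: " + host))
    if CREDENTIAL_REQUEST_RE.search(text):
        findings.append(("high", "post asks readers for a credential or code"))
    if external_link and URGENCY_RE.search(text):
        findings.append(("medium", "urgency wording combined with an external link"))
    return findings


def should_block(findings):
    """Block publication on any high-severity finding; medium ones go to a human reviewer."""
    return any(sev == "high" for sev, _ in findings)


# Constructed sample posts: one clean, one typosquat lure, one credential-harvest lure.
SAMPLE_POSTS = [
    "New whitepaper on cloud hardening: https://blog.example-corp.com/cloud-hardening",
    "URGENT: your account expires today. Act now at https://examp1e-corp.com/login",
    "Trouble signing in? DM us your password and we'll fix it: https://bit.ly/3abc",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        result = scan_post(post)
        print("BLOCK " if should_block(result) else "ok    ", post)
        for sev, reason in result:
            print("    [%s] %s" % (sev, reason))
```

The allowlist check deliberately matches on the registrable domain suffix rather than a substring, so a host such as example-corp.com.evil.net is still treated as external; and a shortened or punycode link is blocked outright rather than resolved, since the point of the check is that a reviewer can see where the brand is sending people before the post goes out.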
In the end, the best security practice is awareness – awareness of what the risks are based on what is being posted, and how anything you put on social media can be manipulated. Social media is a great marketing tool, but at the same time, companies need to remember that it is also an area of great risk. If you don’t want social media to become your worst nightmare tomorrow, be sure to put security policies and education in place today.
This article was previously posted on Forbes.