With the rise of social media engineering, whereby hackers collect information people share through their social networks to later use against them, businesses of all sizes should have policies in place for how their employees use their social media accounts.
Mark Edwards, Director of Cyber Security, Capital Network Solutions, explains why social media could potentially be putting your organisation at risk from online criminals if there are no limits as to what your employees can share.
Social media gives people the platform to openly share their thoughts, news and stories with anyone anywhere and for businesses, it’s a key part of networking and building connections.
But social media comes with one caveat. What employees share can be seen by everyone in their social networks and this presents a big opportunity for hackers, who can use the information shared to expose potential opportunities.
These opportunities could be the announcement of new business software, key employees being away, or even the announcement of new suppliers and contractors. All of this information could be valuable to a hacker who is looking to exploit security weaknesses.
More often than not, the information hackers gather from your social media accounts is used to support targeted phishing scams, where victims are conned into revealing sensitive personal or business data because they believe the person they are speaking to is an associate or co-worker.
Clicking on a malware link could even lead to your machine becoming accessible for use by the cyber-criminal and be used to further compromise other devices nearby.
We have seen incredibly intricate phishing scams carried out which rely on information from social media.
A familiar scenario we are aware of is whereby high-level employees will announce on social media that they are going away on holiday and a hacker will use this opportunity to commit fraud or steal company information.
Using software to mask their email as coming from the individual on holiday, the hacker can contact the company’s finance department to make an urgent payment to a specific account or reveal sensitive information, demanding not to ask questions as they are about to board their flight.
Under pressure, the victim will carry through the request, completely unaware of any issues.
This example highlights perfectly why the innocuous information we share on social media can play into hacker’s hands.
Of course, this is just one scenario to show how hackers can use the information you share on social media against you. Using your social networks, people with access can profile you with surprising accuracy if you don’t take care with what sort of information you share.
It’s not all doom and gloom though, social media is still a fantastic way for people to stay connected and you don’t need to delete your social media platforms to enjoy security.
As an organisation, the first step you should take is to create a social media policy for all employees working for you. Though you can’t control the personal information employees share through their own accounts, you can control the information they share about your organisation. Set in stone the rules for what employees can share and post about their work and make sure you know exactly who is in charge of running the organisations social media channels.
Update passwords whenever there is suspicion of a compromise, use account lockouts to prevent “unlimited guesses” of your password and where possible, use a “second factor” such as a randomly generated number to use alongside your password.
If you use any social media scheduling tools, like Hootsuite or Buffer, make sure the passwords are updated often too. This avoids the issue of ex-employees compromising your online security through social media.
If you expect employees to maintain LinkedIn accounts, it might be suitable to specify the information they can put in their job description. It’s surprising how many specifics employees can reveal about their employers though their role biographies.
From a personal point of view, there a few simple steps you can take. First, ensure your privacy settings are set to a maximum level. This will play a big part in helping to keep your personal life away from prying eyes. Don’t let any information you share, whether it’s updates, pictures or videos, be open to the wider public. Keep it closed off to connected friends.
Secondly, avoid accepting connection invites or friend requests from people you don’t know. Once you accept a friend request or connect with someone on LinkedIn, everything you’ve ever shared is visible to them. Hackers commonly use this approach, using pseudonyms, to easily gain access to more private accounts.
A third step you can take is to add two-factor authentication to your social media accounts. This adds an extra layer of protection against having your own account being compromised and then used as part of a potential phishing scam to co-workers, family or friends.
Because of the sheer availability of easily identifiable information, social media engineering isn’t just a threat for large companies and government bodies; it’s a genuine threat for organisations of all sizes, and that’s why it’s imperative that your business creates a social media policy to keep employees, supply chain partners and customers safe.