Cyber threats to business lurk in social media

05/21/2015  |  By: Thomas Lewis, CISSP, CISA, QSA, Shareholder, Information Security


As featured in The Tennessean.

One of the biggest threats to the cybersecurity of a business is not necessarily what you might think, such as a sophisticated attack on its IT infrastructure. Rather, it is an easy-to-use channel that many employees access every day — social media.

LinkedIn, Twitter and Facebook are all huge global brands, which might lull some into thinking they are relatively safe to use, at least from a cybersecurity standpoint. In fact they are among the most common places for "phishing": luring users into clicking on bad links that lead to pages which install malware or harvest login credentials. That malware can capture keystrokes or take control of a computer, leading to data theft or worse, on individual machines and even across entire networks.

Phishing is usually associated with email spam, which many people are on guard against. But in a social media environment, where time-pressed employees may not be paying full attention to what they are viewing, users may accept an invitation to connect from someone who at a quick glance appears to be worth following or friending. And when an interesting link is posted by that “trusted” follower or friend, a click follows. Then the problems begin.

While phishing usually comes in the form of messages broadcast to a large number of users, companies also need to be on guard against “spear-phishing,” a more targeted technique in which scamsters do in-depth research on key employees and craft messages oriented specifically to their backgrounds and interests. The goal is to build trust, leading those users to click on bad links.

So what can companies do? The most important step to take is educating employees at all levels about the risks involved with social media use and how they can protect themselves and their employers:

• Never accept an invitation by clicking a link in an email notification. Log in to LinkedIn (or the relevant platform) and act on pending requests from within the site itself.

• If you do not know the person issuing the invitation, check their profile, but bear in mind that it is not hard to create a phony social media account with a bogus biography.

• Take a close look at links before you click on them. Changing one character in an otherwise familiar URL can take you to a bad site; it would be easy to miss that a link that appears to be linkedin.com actually points to linkedin.con.

• Hover your mouse over the link before clicking. Scamsters can hide bad addresses behind link text that looks legitimate; the true destination appears in the browser's status bar when you hover.

• Be aware that bad links can be posted in LinkedIn groups as well as in feeds.

• Don't post information about yourself or other employees that could help an attacker guess a password or answer an account-recovery question. A birthday congratulation message, for example, gives away a date of birth.

• Be careful about what you post; confidential company information can slip out.
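The two link-inspection tips above (look closely at the address, and compare what is shown with where the link really goes) can be turned into a simple check. The following is an added example written for this page, not code from the article or from LBMC; the trusted-host list and the helper names are illustrative assumptions. It flags three things: link text that shows one host while the href goes to another (including the `trusted.com@evil.example` trick, which the URL parser treats as a username), a host one or two characters away from a trusted one (linkedin.con), and a trusted name embedded in an untrusted host (linkedin.com.secure-login.example).

```javascript
// Added example (not from the original article): classify a link by comparing
// the text a user sees with the destination the browser would actually open.
// TRUSTED_HOSTS is an assumed, illustrative allow-list.
const TRUSTED_HOSTS = ["linkedin.com", "twitter.com", "facebook.com"];

// Levenshtein edit distance (single-row variant), used to catch one- or
// two-character look-alikes such as linkedin.con.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
                         diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Hostname of something that may be a bare name ("linkedin.com") or a full URL.
// URL.hostname ignores any userinfo, so "https://linkedin.com@evil.example/"
// yields "evil.example", which is exactly what the browser would connect to.
function hostOf(s) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "https://" + s;
  try {
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Same site if equal or one is a subdomain of the other (www.linkedin.com vs linkedin.com).
function sameSite(a, b) {
  return a === b || a.endsWith("." + b) || b.endsWith("." + a);
}

function isTrusted(host) {
  return TRUSTED_HOSTS.some(t => host === t || host.endsWith("." + t));
}

// Returns { verdict, host, reason } where verdict is one of:
// "ok" | "display_mismatch" | "lookalike" | "untrusted" | "unparseable".
function checkLink(displayText, href) {
  const host = hostOf(href);
  if (host === null) {
    return { verdict: "unparseable", host: null, reason: "href is not a valid URL" };
  }

  // 1. If the visible text itself looks like a URL or hostname, it must point at
  //    the same site as the real href.
  const text = displayText.trim();
  if (/^\S+\.\S+$/.test(text)) {
    const shownHost = hostOf(text);
    if (shownHost !== null && !sameSite(shownHost, host)) {
      return { verdict: "display_mismatch", host,
               reason: `text shows ${shownHost} but link goes to ${host}` };
    }
  }

  // 2. Exact or subdomain match against the allow-list.
  if (isTrusted(host)) {
    return { verdict: "ok", host, reason: "trusted host" };
  }

  // 3. Near miss (one or two edits away) or a trusted name buried inside a
  //    longer, untrusted host.
  const bare = host.replace(/^www\./, "");
  for (const t of TRUSTED_HOSTS) {
    const d = editDistance(bare, t);
    if ((d > 0 && d <= 2) || bare.includes(t)) {
      return { verdict: "lookalike", host,
               reason: `${host} resembles ${t} (edit distance ${d})` };
    }
  }
  return { verdict: "untrusted", host, reason: "host not on the trusted list" };
}

// Constructed sample links (not real phishing data).
console.log(checkLink("linkedin.com", "https://www.linkedin.com/in/someone").verdict);      // ok
console.log(checkLink("Sign in", "https://linkedin.con/login").verdict);                     // lookalike
console.log(checkLink("https://www.linkedin.com", "https://www.linkedin.com@login-verify.example/").verdict); // display_mismatch
```

The edit-distance threshold of two is a starting point, not a rule: short trusted names produce more false positives, and this check is no substitute for hovering, since it knows nothing about open redirects or shortened URLs that resolve elsewhere after the click.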

In addition, management may want to limit what employees can do when they reach social media through the company network. For example, companies may wish to block uploads of attachments, photos or video to social media sites, so that documents cannot leave by that route. Or management may deploy a web proxy or gateway that inspects traffic in real time and blocks links and downloads that match known threats.

As with any cybersecurity threat, there is no plan that is 100 percent foolproof. But with an aggressive education program and some carefully considered controls, businesses can minimize risk.

Thomas Lewis is partner in charge of the Security and Risk Services practice at LBMC, one of the largest professional services firms based in Tennessee. LBMC is a FedRAMP Third Party Assessment Organization (3PAO). Contact Lewis at tlewis@lbmc.com or 615-309-2296.