Gone are the days when a business would have to spend hundreds of thousands of dollars on radio and television ads to showcase their new products and services. In most cases, trying to compute the Return On Investment (ROI) would be a nearly impossible task. Fast forward to today. Now, all that a marketing team needs to do is create a fancy video, put the right slogans and keywords in the script, and upload it to YouTube.
Within just a couple of minutes, this video has the potential to go viral and reach millions of people worldwide. The only cost associated with this approach is the development of the video, which is typically a mere fraction of what it would take with traditional media such as TV and radio advertising.
But keep in mind that YouTube is not the only social media outlet available for this purpose. There are the likes of Facebook, Twitter, LinkedIn, Instagram, Pinterest, etc. On these platforms as well, a business can post thought-provoking articles and micro-blogs not only about their products and services but also the key happenings that are taking place in their industry. No need to send out snail mail blasts; a marketer can simply use social media tools, and best of all they are free.
In fact, the use of social media tools is fast becoming one of the vehicles Corporate America is using to reach out not only to their customers and prospects, but to their employees as well. Although these avenues offer great advantages, they also possess many vulnerabilities, especially when it comes to Cybersecurity.
Therefore, just like having a security policy or a disaster recovery plan in place, it is very important to establish a social media policy to keep your company safe. That will be the topic of this article series.
The Cybersecurity risks of social media
When one thinks of a Cyberattack, very often, the image of a hacker going after servers and databases to gain Personally Identifiable Information (PII) and other types of confidential data comes to mind. But this is only one way of getting these proverbial “crown jewels.” Another way is to keep tabs on the social media activity of a particular company to determine its weakest and most vulnerable spots.
For example, whether they have malicious intent or not, employees are often negligent about the content they post on their company’s social media sites. Although an employee may not post the Social Security and credit card numbers of their customers, they often post content that, over time, builds up a profile of the company: how employees and management interact with one another, and how they interact with other external entities.
The Cyberattacker can then put together all these pieces of content, and from there get a complete picture of the organization in question. From there, he or she can then use the principles of Social Engineering to gain a foothold in the business and launch their threat vectors. If there is a known vulnerability in a particular Social media site (Facebook has been especially notorious in this regard), the Cyberattacker can penetrate it easily to access the company’s IT Assets.
Regardless of how a Cyberattacker uses social media tools to gain access to an unknown back door, all social media tools are prone to several key threat vectors, which in turn, can make a business suffer from a security breach. These threat vectors include:
- Unused social media accounts: Because Social media accounts are free to set up, there is a strong temptation amongst all the departments within an organization to set up their own individual accounts, to reach both prospects and existing customers. Or, as mentioned previously, these various Social media sites can also be used for internal communications with employees. But very often, many of these accounts can go unused for very long periods of time, and even become inactive. Just as a Cyberattacker scans for open ports that are not in use on a Network Infrastructure, he or she can also probe for these unused Social media accounts to gain a point of entry into the organization.
- Employee error: When employees post content about a new product or service, there is often an excitement in the rush to post as many links as possible that are related to it. But in this heat of the moment, there is a high statistical probability that they could put up a proprietary link that they did not mean to. The fact remains that this link has been made open to the public, and the Cyberattacker will always have their eyes and ears open to this. Once this has been discovered, it will be too late, as the damage has already been done. In fact, one study has even discovered that 77% of employees have put up a wrong link, by sheer mistake. (Source 1)
- Third-party applications: Even if you are authorized to download mobile apps onto your company issued wireless device (such as a Smartphone), the Cyberattacker will always find a way in which to penetrate them to gain access to not only the company’s Social media accounts, but even your personal ones as well, to hijack your password and other relevant login data.
- Phishing and malware: When we think about phishing and malware, the first thing that often comes to mind is either clicking on a malicious link or downloading an attachment in an Email message that contains Malware (such as those with .DOC and .XLS file extensions). But keep in mind that the Cyberattacker of today can even hijack a legitimate Social media account and put up a posting with a link attached that will take you to a spoofed website. In this regard, once again, Facebook has been the prime target here, with accounts being hijacked on an almost daily basis, and illegitimate postings being put up. In fact, nearly two-thirds of adults in the United States know that their Social media accounts have been hacked into, but still do nothing about it. (Source 2)
- Establishing fake or impostor accounts: A Cyberattacker does not necessarily have to hack into an existing social media account to hijack passwords or even put up Phishing-related posts. All he or she has to do is simply create a fake or phony account, and make it look like the real thing. For example, these kinds of accounts can be used to target both customers and employees simultaneously, to con them into giving up their Personally Identifiable Information (PII) or company secrets, respectively. In fact, the setting up of fake Social media accounts has doubled just within the last year, because they are so hard to detect. (Source 1)
- Shared user access and interconnected mobile apps: In Corporate America today, many departments (such as IT, Marketing, Accounting, Finance, Human Resources, etc.) typically share passwords across those applications and systems that are interconnected with one another. A perfect example of this is when the organization hires an exclusive Social media Manager from an external third party to manage their content. Rather than creating different passwords for each Social media Platform, usually only one password is created merely for the sake of ease and convenience. Not only is this a grave security risk, but the fact that this administrative password is being shared with an external third party poses an even greater concern. As mentioned, if there are other apps that are connected to these Social media sites (such as dashboards, analytical tools, etc.), this external third party can very easily gain access to even more sensitive information and data in the company.
- Social media botnets: To some degree or another, we have all heard of “Bots”. A popular example of this is the “Chatbot”, which is a virtualized customer agent that can answer customer service-related questions and requests without the need for any sort of human intervention. Although this can be quite advantageous and brings many benefits with it, it can also pose a very serious security threat. For instance, as it relates to a Social media account, a bot can be used to make it look as if a real, live person (when it is not) is interacting with an employee in an organization. These are known as “Socialbots”. But apart from the security threat, there are other, non-quantifiable risks as well, such as skewing tracking data with fake ad impressions, and even creating fake hashtags that can be used in a Phishing Attack. They can even be used to alter your customers’ perceptions of your company brand.
- Insider attacks: As a company grows and expands, or even offers new products and services, there is a strong tendency for both employees and management (and even the C-Suite) to share more than what is truly necessary, as mentioned previously. For example, if an organization is opening a new office, there will be a temptation to post pictures of the inside of it and of the new employees to further “show off” the brand on Social media sites. It is important to keep in mind that while prospects and existing customers may be “wooed” by this, the Cyberattacker is also keeping very close tabs on it, and their purposes are far more nefarious in nature. For example, by getting a clear picture of what is inside the new office as well as who its new employees are, the Cyberattacker can use Social Engineering to lure a naïve employee into perhaps launching a covert Insider Attack in those areas that have been posted on the various Social media Sites. In fact, in this instance, the Cyberattacker can be so stealthy in manipulating the mindset of this particular employee that he or she may not even be aware that they are participating in an Insider Attack against the very company that they work for.
Next up: You now have a good idea of the Cybersecurity risks inherent in corporate social media accounts. The next article in this series will build your knowledge further by defining and describing a company’s best defense against such threats: the social media policy.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.