There are 3 big cyber risks when it comes to social media for business, but do you know what they are?
Over the past five years, businesses large and small have come to see the value of social media for marketing their products and services. But with this large-scale adoption of social media marketing we have seen the growth of business cyber security risks, which many are still failing to plan for...
Having social media channels can open a company up to various internal and external security issues. And the problem is getting bigger.
According to the FBI's 2014 Internet Crime Report, 12% of complaints submitted that year contained a social media trait. That number had quadrupled over the previous five years.
From fake Facebook accounts pretending to be major brands to fraudulent LinkedIn profiles that lure unsuspecting employees into giving away confidential information, social media channels can be the ultimate playground for hackers. After all, unsecured profiles can be breached a lot faster and more easily than a company database.
Why do hackers love to attack social media?
There are many reasons, specific to social media, why hackers find the platforms so tantalising. These include:
+ The opportunity to reach many people
For many businesses, just one post can reach thousands of people, both employees and customers. If a cyber criminal used email, in comparison, they would need to send thousands of messages to reach a similarly sized audience.
+ There is a lack of controls
Very few businesses implement social media security controls, leaving themselves much easier to attack. If a hacker wanted to attack via the web, they would potentially have to breach firewalls, intrusion prevention systems, and database monitoring systems. Via email, they would need to get through state-of-the-art email security technologies.
+ Easy access to contextual information
On social media, business and employee information is readily available. This kind of data can be used to create socially engineered messages that lull people into believing they are real. It is much more likely that people will click on social links from a business brand or employee than on a random email.
What are the most common social media attack methods?
1. Fraudulent accounts
A hacker will create an account that mimics a brand or employee then use this account to sell fake goods, redirect customers to competitor products, obtain credentials, score ad revenue, distribute adware, or push scams.
2. Account hackers
This is when a cyber criminal completely takes over a social media account by gaining admin access. Once this happens, they lock out other admins and post malicious content to the brand’s audience. This usually happens because of poor password management. However, other potential reasons include disgruntled ex-employees, insecure social apps, and poor access management practice.
3. Malicious content
The simplest form of social media attack is when a criminal posts phishing links, spam, malware links, brand bashing and other damaging content as comments on legitimate company or employee accounts. Dropping attack bait like this requires no hacking and is quick and easy, with the potential of scoring big. Unless kept under control by a brand, it can result in security breaches for customers and employees, as well as undermining a brand’s value.
The 3 biggest social media risks
1. Customer account breach
A business’s customers are a big target for hackers, who will use social media to gain access to customer accounts. That access can potentially lead them to high-value data, like personal information, bank and credit card numbers, financial account access, and more. If this happens to your customers, just imagine the bad PR and loss of trust that could follow.
There are several ways a cyber criminal can trick customers into giving away their information, including:
• Fake customer service
• Fraudulent promotions or competitions
• Free loyalty program points on offer
• Low-interest credit cards
In each of these cases, customers are generally given a link and asked to log in to their account from there. A real-world example of this was when fake Twitter accounts were set up and used to steal the login details of World Cup fans on EA Sports and Xbox Live.
2. Data or network breach
Many hackers use social media as the starting point for getting to your business’s data and/or network. Using social engineering crafted from the contextual information available on your digital channels, an attacker can much more successfully infiltrate your company and gain access to sensitive and confidential information.
Some key ways they do this include:
• Using malware bait – such as sending employees of your company an authentic-looking link to interesting or engaging content which, once clicked, encourages individuals to download something.
• Facebook service spoofing – the cyber criminal sets up a Facebook service account using the company’s logo and other elements, and then comments on corporate pages that the page admin needs to perform a task, such as resetting a password. The admin of the page may click on a link to do this and give away their login information.
• Counterfeit LinkedIn profile – the hacker makes a fake account that looks like either an actual or fictional employee or manager and sends out connection requests to company employees. If accepted, they can then use the relationship to, for example, share infected files, obtain credentials, or gather intelligence.
3. Brand damage
Your business’s reputation is a huge part of what makes you successful. For major brands, it can be a source of millions in revenue. Think Samsung, Microsoft, and Amazon. While most brands are now using social media to engage with their audiences, many still fail to control their channels adequately, creating the threat of brand damage.
Some of the ways brands can be damaged via social media include fraudulent and hacked accounts and malicious content. When fraudsters post spam, malware, or profanity to corporate pages, it drives followers away and lowers trust. Fake accounts can seriously harm customers, and if your channel is hacked you can lose time, resources, and money, and suffer a serious dent in your overall brand image.
Businesses need to protect themselves and their customers from these threats. A breach will also put pressure on your cyber security team and disrupt operations on a potentially large scale.
How do you protect your business’s social media accounts?
• Assess your level of risk
If you haven’t already, create a list of known employee and corporate accounts and organise them centrally. Once assembled, assess the risk these accounts pose to your business. Are any accounts already showing signs of spam or scam activity? Do any of them have inappropriate content? Which accounts engage with the public?
Once you have this information, look at ways to limit your risk and decide what you’ll do if your business social media accounts are breached.
• Make sure employees know the risk
Consider providing security awareness training that covers best practice for social media use and how to avoid attack.
If you have a cyber security team or are considering using an outsourced provider, make sure they are in touch with your social media employees. Working together they can create a safer environment for social and protect your business.
• Use the best security controls available
Account and content security controls can really help to limit your social media security risk, and there are a few ways to do this.
- Use app controls to limit the number of applications that can access your account.
- Employ account monitoring to identify unauthorised or anomalous activity.
- Limit account access to only users with a business need.
- Consider 2-factor authentication or single sign-on measures.
- Create a content security policy that removes spam, malware, etc. from social pages. This can be enforced by human moderators or machines, depending on the size and range of accounts.
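The account inventory and the first four controls above can be checked together in a short script. This is an added example, not part of the original article; the handles, user names, app names and activity entries are constructed sample data, and the field names are assumptions about how your own inventory might be recorded.

```python
# Added example: audit a social media account inventory against the controls above.
# All handles, users, apps and activity entries are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Account:
    handle: str
    admins: set            # users who currently hold admin access
    business_need: set     # users approved to hold access
    connected_apps: set    # third-party apps authorised on the account
    approved_apps: set     # apps the business has approved
    strong_auth: bool      # 2-factor authentication or single sign-on enabled
    activity: list = field(default_factory=list)  # (user, action) tuples

def audit(account):
    """Return the list of findings for one account, one string per issue."""
    findings = []
    for app in sorted(account.connected_apps - account.approved_apps):
        findings.append(f"unapproved app: {app}")
    for user in sorted(account.admins - account.business_need):
        findings.append(f"access without business need: {user}")
    if not account.strong_auth:
        findings.append("no 2-factor authentication or single sign-on")
    # Unauthorised activity: actions by anyone who is not a current admin,
    # e.g. a former employee whose access was never fully revoked.
    for user, action in account.activity:
        if user not in account.admins:
            findings.append(f"unauthorised activity: {user} {action}")
    return findings

def audit_inventory(accounts):
    """Map each handle to its findings, riskiest (most findings) first."""
    results = {a.handle: audit(a) for a in accounts}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))

INVENTORY = [  # constructed sample inventory
    Account("@example_brand", {"ana", "raj", "tom"}, {"ana", "raj"},
            {"scheduler", "quiz-widget"}, {"scheduler"}, False,
            [("ana", "post"), ("lee", "change_password")]),
    Account("@example_support", {"ana"}, {"ana"}, {"scheduler"},
            {"scheduler"}, True, [("ana", "reply")]),
]

if __name__ == "__main__":
    for handle, findings in audit_inventory(INVENTORY).items():
        print(handle, findings or "OK")
```

Accounts with the most findings are listed first, which gives a starting order for the risk assessment described earlier.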