When the CEO of a prominent company tweets, it garners a lot of attention. If the Twitter account of the CEO is hacked, it becomes a platform to spread messages that could harm the company’s image. Even Twitter CEO Jack Dorsey had his Twitter account hacked and used to spread offensive messages. Other CEOs who have suffered such social media embarrassment include Google’s Sundar Pichai, Yahoo’s Marissa Mayer, and Facebook’s Mark Zuckerberg.
Such attacks can have very serious consequences – a single tweet from a hacked Associated Press account caused a $136 billion stock market loss.
The Nature of the Beast
There was a time when enterprise cybersecurity regarded social media as a productivity-stealing nuisance. Not anymore. Social media has emerged as a powerful marketing tool that every modern business is keen to leverage, but it does have its drawbacks. There are several ways in which social media can threaten the modern enterprise:
- Fake profiles – Why hack into anyone’s account when a fake yet seemingly authentic profile can be created using the information available on social media? The fake profile can then be used to spread damaging messages
- Spear Phishing – Information available on social media can be used to convince a senior executive that the attacker is a known and trustworthy person or to time an attack, followed by an attempt to gain the victim’s credentials, use them to install malware, or ask them to transfer money
- Malware – Links posted on social media can lead to malware-laced files. URL shorteners are frequently used on social media for legitimate reasons, but can be used to disguise the malicious URL. Alternatively, a personal connection can be established on social media and then an infected attachment can be sent directly to the victim’s corporate email
- Information leak – The Online Disinhibition Effect is well known. This can cause employees to post information online that can be used to launch an attack on a company. Complaining about difficulties they are facing in configuring enterprise software may be all that it takes for an attacker to identify the type or even version of server software that is in use and look for known vulnerabilities before attempting an intrusion
- Password Cracking – The password reset question asking you to name the school you went to stops being secure when that information is available on your social media profile. Social media companies themselves get hacked and users’ credentials are leaked, which can have a domino effect if the user reuses the same password (and many do)
Putting a Leash on the Beast
Clearly, social media can be a wild beast that rampages through enterprise security. Many of these exploits are external to the organisation and do not typically fall under the purview of IT. Should the cybersecurity team tell the CEO to be discreet about posting vacation updates on social media? Answer: Yes.
And follow these steps too:
- Social Media Policy – Create a social media policy that serves as a security manual for both brand and personal accounts, and as a guide for wise and prudent posting on social media. This policy outline will help you get started
- Employee Education – Talk to your team about staying safe on social media. Warn colleagues about how they might be phished. Guide them on what to post and not to post. Remind them that even a status update on WhatsApp is effectively a social media update and they should be aware of who can see the message
- Password Hygiene – Create strong passwords and change them often. Do not reuse old passwords. Use different passwords for different accounts. These are the basics of cybersecurity, but they are often violated in personal accounts. Everyone in the organisation should be aware of the risks posed by poor password practices in their personal lives
- 2 Factor Authentication – Even if a password is stolen, 2 Factor Authentication (2FA) will alert the user to a login attempt when they receive the authentication code. Employees should be encouraged to enable 2FA on their social media channels to avoid account takeovers
- Cybersecurity – Use good cybersecurity, such as K7 Security products, on both enterprise and personal devices, including mobile phones, to protect users from phishing attempts and malicious links including those that hide behind shortened URLs
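The shortened-URL risk raised in the Malware and Cybersecurity points can be triaged before anyone clicks. The sketch below is an added example, not code from this article or from any K7 product: it finds shortened links in a post, follows the redirect chain with a hop cap and loop check, and flags any destination outside a trusted list. The shortener list, the redirect table, the sample post and all function names are constructed assumptions; a real deployment would replace the table lookup with a request that reads the `Location` header without fetching the page body.

```python
import re
from urllib.parse import urlsplit

# Assumption: a small sample of well-known shortener hosts; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def host_of(url):
    """Lower-cased hostname with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def expand(url, lookup, max_hops=5):
    """Follow redirects using lookup(url) -> next URL or None.
    Returns (chain, status); status is resolved, loop or too_many_hops."""
    chain = [url]
    for _ in range(max_hops + 1):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in chain:              # redirect cycle: stop, do not spin
            return chain, "loop"
        chain.append(nxt)
    return chain, "too_many_hops"

def triage(text, lookup, trusted_hosts):
    """Report every shortened URL in text with its final destination."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")    # drop sentence punctuation
        if host_of(url) not in SHORTENER_HOSTS:
            continue
        chain, status = expand(url, lookup)
        ok = status == "resolved" and host_of(chain[-1]) in trusted_hosts
        findings.append({"short": url, "final": chain[-1],
                         "hops": len(chain) - 1, "status": status,
                         "verdict": "allow" if ok else "review"})
    return findings

# Constructed redirect table standing in for live lookups (runs offline).
SAMPLE_REDIRECTS = {
    "https://bit.ly/constructed-a": "https://www.example.com/social-media-policy",
    "https://tinyurl.com/constructed-b": "https://t.co/constructed-c",
    "https://t.co/constructed-c": "https://downloads.example.net/invoice.zip",
    "https://is.gd/constructed-d": "https://is.gd/constructed-e",
    "https://is.gd/constructed-e": "https://is.gd/constructed-d",
}
# Constructed sample post.
SAMPLE_POST = ("Policy update: https://bit.ly/constructed-a. Invoice at "
               "https://tinyurl.com/constructed-b and https://is.gd/constructed-d, "
               "help at https://www.example.com/help")

if __name__ == "__main__":
    for finding in triage(SAMPLE_POST, SAMPLE_REDIRECTS.get, {"example.com"}):
        print(finding)
```

Anything marked `review` is a link whose real destination is either outside the trusted list or could not be resolved cleanly.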
Social media brings new challenges to enterprise IT security, and the solution involves both technology and thoughtfulness. Employees' use of personal social media on personal devices also needs to be managed, which can be seen as interference in their personal lives if not handled with tact.
Drop us a line if you need comprehensive and effective enterprise cybersecurity. We’ll be glad to help.