By itself, social media might not constitute a cyberthreat, but once again, employees who ignore security best practices are making it easy for scammers. Social media has even been described as the perfect hunting ground for illegal activity.
Social media has also turned into a dandy reconnaissance tool that cybercriminals use to socially engineer their victims. When someone neglects their privacy settings or publicly posts personal notes and photos, they can leave cybercriminals free to use their information to launch targeted phishing emails containing malware links.
In the past, cybercriminals have used phony Facebook updates posted by third parties, which contained malware and offered free merchandise to anyone participating in, and then forwarding, a survey. Attackers have also used Facebook Chat to spread malware, promote phishing applications, and steal information by using social engineering techniques. Twitter has been subject to scams featuring links to free vouchers, while LinkedIn has suffered redirects to a webpage that installs a variant of the ZBot malware (also known as Zeus).
What can your organization do to protect itself?
First, recognize that there’s no turning back the clock. We live in an era where the sharing of information is the new normal. About 91 percent of Generation Y students and employees say that the age of privacy is over, and a full third say they are unconcerned about the possibility that an interloper might capture their data.
If you can’t beat ’em…
While social media sites exist outside the organization’s network perimeter, treating social like any other external security challenge misses the point. In this instance, the reality is that no single piece of hardware or software is going to do the trick.
When it comes to social, big investments in tools or countermeasures are a waste of money if organizations fail to take steps to get employees to modify their online behavior. And forget about enforcing company-wide bans on social media. Like it or not, employees are going to continue to connect to the Facebooks, LinkedIns and Twitters of the social media world as long as they have a breath left.
Organizations should instead try to foster a security-aware culture, one in which employees understand the potential risks involved in using social media. There are basic steps they can suggest employees take, such as limiting what outsiders are able to find out about them. Employees might also make it a point of practice to refuse friend requests from people they don’t know and, above all, resist the urge to click on suspicious links.
The bottom line is that anything that anyone posts on social these days is fair game for the bad guys. If only that message gets through to enough employees, the company’s security leadership can walk away claiming a well-earned victory in a battle that’s fated to last a long time.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.