Security professionals have experienced a sharp uptick in the complexity and quantity of challenges in the modern threat landscape. From IoT to BYOD, there are numerous technologies and threats today that did not exist prior to the early 2000s.
Social media is one area where security teams have faced a steep learning curve. Beyond being used by employees connected to corporate networks, platforms such as LinkedIn, Facebook and Twitter have been harnessed by enterprises as toolkits to conduct brand awareness, customer service, advertising and recruitment processes. However, each user on every platform presents a social media risk for security pros to contend with -- and the risks are plenty.
From social engineering and malicious applications to noncompliance and fraud, organizations must understand the scope and consequences of social media risk.
Here are the top five risks enterprises may contend with. Learn about the tactics used by bad actors online and how policy and technology can mitigate risk.
1. Social engineering
Social engineering attacks often involve a phishing scam on an individual or target audience. While employees may be vigilant about such attacks via spoofed emails, social media is rife with unsuspecting phishing victims.
In some cases, bad actors send direct messages on a social networking site with malicious links, images or other attachments. Once recipients open the spam file, malicious code is delivered to their device. These attacks, which often rely on steganography (malicious code concealed inside an image or other media file), may be deliberately orchestrated or may originate from compromised social media accounts whose owners are unaware that malware is being distributed in their name.
Steganography is a common attack vector on popular social networking platforms with messaging functions, including Facebook and WhatsApp. Jeff Bezos, billionaire and founder of Amazon, became a high-profile victim of a social media phishing attack when he received a video message from Saudi Arabia's crown prince, Mohammed bin Salman, in 2018. The video hid code that implanted malware onto Bezos' iPhone X, enabling access to his entire device, including messages and photos.
2. Third-party applications
Quizzes, games and third-party widgets or applications often include remote code. This presents a significant social media risk because it is challenging to predict what will load. Most social networking sites filter out scripts and browser exploits posted within user content. However, these filters have been proven to be imperfect. Sometimes, a unique encoding scheme or obscure scripting trick makes it through, resulting in worms or other attacks.
Additionally, some nonmalicious applications may create opportunities for malicious programs. For example, a user who plays a word game on Facebook may search online for cheat codes to improve game scores or avoid paying money for in-app purchases. These cheat codes are often Trojans that give a bad actor backdoor access to the device, install ransomware, activate the camera or microphone, or record keystrokes to steal passwords, browser history and more. For something as seemingly inane as a social media game or quiz app, the potential consequences are significant.
3. Fraud
Bad actors can effectively infiltrate corporate or employee social media accounts to glean sensitive data on the company and its customers and users. Employees may unknowingly accept friend or connection requests from bad actors disguised as peers. This is an intelligence-gathering tactic.
In 2012, a group of cybercriminals posing as Facebook security authorities contacted various Facebook users, claiming their accounts were compromised and offering a link to verify their identity. Users who clicked the link were directed to a malicious site that collected their login information. Armed with a legitimate user's credentials, attackers can easily pose as peers and co-workers and intercept information about their organization's customers or policies. A seemingly innocuous message from a co-worker on social media may not seem suspicious, but this type of fraud is potentially damaging if the victim is connected to an enterprise network or has access to its accounts and financial documents.
4. Noncompliance
Communication applications and channels enable employees within a company to exchange information that may be subject to -- and in violation of -- privacy regulations. Noncompliance is often caused by sharing or leaking customer, client, contractor or company data. For example, under HIPAA, employees working at healthcare facilities cannot post photos or videos to social media that could identify patients. Privacy regulation noncompliance can result in disciplinary action, termination, criminal charges or fines for the employee and their employer.
Compromised data is not the only way an organization could find itself in regulatory noncompliance. Financial disclosure regulations must also be considered when posting on social media. In 2018, the U.S. Securities and Exchange Commission charged two celebrities -- professional boxer Floyd Mayweather and entertainer DJ Khaled -- for violating federal securities laws after each party promoted investing in initial coin offerings on Twitter and Instagram.
5. Copyright violation
Infringing on copyrighted or trademarked material is another example of a social media risk in the enterprise. In the event of an infringement by an employee via social media, the employer may be subject to substantial damages. To avoid copyright violations, employees must be trained to vet content before posting online. They must be given information on how to identify whether a social media post contains someone else's original work and whether distributing that content is legal. One option to mitigate copyright infringement is to designate in-house or otherwise available legal counsel whom employees can consult about copyright questions.
How to mitigate social media risks
Organizations should establish a social media policy that sets online behavioral guidelines for employees, so as not to expose the company to potential compliance, reputation or financial damages. Behavioral guidelines enable organizations to standardize how employees present themselves online. For example, companies may dictate how employees identify themselves if connected to the company while on social media platforms, such as LinkedIn or Facebook.
Social media training is also important. Be upfront with employees about corporate social media measures, and be sure to give them a chance to voice questions about social media policy, security and best practices.
Some security leaders disable scripts in browsers when users access social networking sites on network-connected devices. This can be done by adding social sites to a different security zone in your browser -- for example, restricted sites -- where browser scripts can be disallowed.
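The zone-based control described above, as an added example that is not part of the original article: the script assigns a set of social networking domains to the Windows "Restricted sites" security zone (zone 4, in which Active scripting is disabled by default) by writing the same registry values that the "Site to Zone Assignment List" Group Policy sets, and, because Chromium-based Edge and Chrome do not use the zone model, blocks JavaScript on the same domains through their `JavaScriptBlockedForUrls` policy. The domain list, the choice to cover the Chromium browsers, and the helper function names are assumptions of this example; it assumes an elevated PowerShell session on a Windows machine.

```powershell
# Added example, not part of the original article. Puts social networking domains into
# the Windows "Restricted sites" zone (Active scripting is disabled there by default) and
# blocks JavaScript on the same domains in Chromium-based Edge and Chrome.
# Assumptions: elevated PowerShell session; the domain list below is an example selection.
#Requires -RunAsAdministrator

$SocialDomains = @('facebook.com', 'linkedin.com', 'twitter.com')   # example list

# Windows security zone numbers: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
$RestrictedSitesZone = 4

$InetPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey = Join-Path $InetPolicy 'ZoneMapKey'
$ChromiumPolicyRoots = @('HKLM:\SOFTWARE\Policies\Microsoft\Edge',
                         'HKLM:\SOFTWARE\Policies\Google\Chrome')

function Set-RestrictedSiteZone {
    param([string[]]$Domains)

    # The Site to Zone Assignment List policy consists of this enabling flag plus one
    # string value per site pattern under ZoneMapKey, whose data is the zone number.
    if (-not (Test-Path $InetPolicy)) { New-Item -Path $InetPolicy -Force | Out-Null }
    New-ItemProperty -Path $InetPolicy -Name 'ListBox_Support_ZoneMapKey' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    if (-not (Test-Path $ZoneMapKey)) { New-Item -Path $ZoneMapKey -Force | Out-Null }

    foreach ($domain in $Domains) {
        New-ItemProperty -Path $ZoneMapKey -Name "*.$domain" -Value "$RestrictedSitesZone" `
            -PropertyType String -Force | Out-Null
    }
}

function Set-ChromiumScriptBlock {
    param([string[]]$Domains)

    # JavaScriptBlockedForUrls is a list policy: numbered string values holding URL patterns.
    foreach ($policyRoot in $ChromiumPolicyRoots) {
        $blockKey = Join-Path $policyRoot 'JavaScriptBlockedForUrls'
        if (-not (Test-Path $blockKey)) { New-Item -Path $blockKey -Force | Out-Null }
        $index = 1
        foreach ($domain in $Domains) {
            New-ItemProperty -Path $blockKey -Name "$index" -Value "[*.]$domain" `
                -PropertyType String -Force | Out-Null
            $index++
        }
    }
}

function Test-SocialSiteRestrictions {
    param([string[]]$Domains)

    # Read the settings back so the change can be verified now and audited later.
    $zoneMap  = Get-ItemProperty -Path $ZoneMapKey -ErrorAction SilentlyContinue
    $edgeList = Get-ItemProperty -Path (Join-Path $ChromiumPolicyRoots[0] 'JavaScriptBlockedForUrls') `
                    -ErrorAction SilentlyContinue
    foreach ($domain in $Domains) {
        [pscustomobject]@{
            Domain      = $domain
            Zone        = $zoneMap."*.$domain"
            EdgeBlocked = ($edgeList.PSObject.Properties.Value -contains "[*.]$domain")
        }
    }
}

Set-RestrictedSiteZone      -Domains $SocialDomains
Set-ChromiumScriptBlock     -Domains $SocialDomains
Test-SocialSiteRestrictions -Domains $SocialDomains | Format-Table -AutoSize
```

In a domain environment the same result is better delivered through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List, and the browser-specific JavaScript policies), which writes these keys centrally; the script shows what that policy sets so the result can be checked on an endpoint. Browsers pick up the policy keys after a restart, and because the Restricted sites zone already has Active scripting disabled, no per-zone setting needs to be changed.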
While limiting access to platforms can mitigate social media risks, it may not be possible at every workplace. Many employees use social media platforms at work to connect and network with peers and access new information or industry trends. It may be unreasonable or impossible to prohibit social media tools in certain workplaces. But equipping users with training and awareness empowers them to practice security and discretion in their work and everyday online lives.
Incorporating secure technology controls is another constructive way to mitigate social media risks. Organizations can defend their assets by running up-to-date browsers and antispam and antimalware products that detect suspicious communication and defend against malicious attachments in social media interactions. Many enterprise security programs also include VPNs, single sign-on and password managers.
Related Q&A from Katie Donegan