While social media can be a boost to marketing campaigns and corporate culture, it can also present some serious security risks and put your business’ network and reputation in harm’s way.
“The main security and privacy issue around social media,” says Ben Ronthke in an RSAConference article, “is that users will share huge amounts of highly confidential personal and business information with people they perceive to be legitimate.”
Some of the risk factors that most commonly prove this to be true include:
- Malicious links & code – Social networking users can be too trusting of content and contacts, and, as a result, often end up transmitting and receiving bits of malicious code. Sometimes hackers inject malicious code into sites (this is referred to as cross-site scripting) via advertisements, third-party applications and other paths. In addition, as many people have experienced on Twitter and Facebook, hackers can gain access to a legitimate personal or corporate social media account, sending messages that contain links to malicious sites. Twitter is especially vulnerable to malicious links because so many tweets contain shortened URLs, which can be utilized to trick users into visiting sites they would otherwise stay away from.
- Sharing too much information or falling victim to social engineering – Sharing too much information is one way to get in trouble with social media. Regardless of how it happens, whether through intent, a simple lapse in judgment or social engineering (which uses tactics to manipulate others into performing actions or divulging confidential information), the result is often the same: once posted, your company’s private information is out there for wrongdoers and the competition to take advantage of. This could be anything from prematurely announcing your excitement for a new product, allowing the competition to get a jump on its response to your product, to being tricked into disclosing customer information to someone who is not that customer.
- Phishing – With this type of social engineering, online attackers attempt to acquire information, such as usernames, passwords, and credit card details, by masquerading as a trustworthy entity in an electronic communication. One of the most common examples of phishing is an email from a bank or credit card company asking you to click on a link to confirm your log in information. The sender is attempting to trick the recipient of the email into revealing confidential information by “confirming” it at the phisher’s website.
Assuming that you want your company to be represented on social networking sites, how do you implement a security strategy that combats these types of risks from all angles?
The answer: There is no simple solution. But, to start, approach it from both an employee perspective and a technology perspective:
- Institute social media policy and procedures – You shouldn’t just enable employees to get on social media and represent your business without providing some guidelines. That’s asking for trouble. If you’re going to allow employees to use social networking sites, institute a policy that dictates, at the very least, who can and can’t use social media on behalf of the company, and what information can and can’t be shared online.
- Educate the employees who are representing your company on social media – If you do allow particular people to represent your business on social networking sites, educate them on the risks, the difference between personal and professional information, and the topics you would like them to discuss.
- Network security– Even with social media policy and procedures in place, organizations must also implement security solutions that scan for malware, data leakage and other suspicious activity. Make sure you…
- Utilize strong passwords
- Use unified threat management
- Keep all software, particularly your Web browsers, up to date
- Know your options. With technology, you can –
- Completely block social networking site access for all employees
- Block social networking sites for some, but not for others
- Restrict access to specific components of social networking sites (games, file sharing, video uploading, etc.)
It’s important to note that it’s not just social networking sites that present security risks. All websites do. If you may recall from just last year, Google and MSN were both tricked by cybercriminals who registered a domain that was one letter off from the legitimate ADShuffle.com project management web application. As a result, Google and MSN were, without knowing it, handing out cheery holiday advertisements laced with malware. The scary thing is that the advertisements on Google and MSN had the ability to infect your computer without you even clicking on them. This is called “drive-by” malware.
That’s why it’s important to have network security in place no matter what.
The reason social networking sites intensify this already-existing need for network security is that they present much more interaction with people who may or may not be legitimate in their intentions, no way to verify that someone is who claim to be, and an abundance of personal and business information sent to and from accounts. That’s why, when you add social networking sites into the mix, it’s even more important to ensure that your network’s security is impenetrable.