To average users, social media is a fun way to stay connected with friends, make business contacts, share pictures of their meals, and spread funny cat videos. There are at least two classes of users, however, who take social media more seriously. Commercial businesses, who rely on social media to establish and spread their brands, and criminal hackers.
That last group is particularly troubling. Most companies allow employee internet access at work, usually under an “acceptable use” policy. The tradeoff, of course, is that allowing employees to visit any site they want means that inevitably, someone will visit a phishing site and be fooled into providing access to company resources, or download malware of some kind. That risk has not diminished with the rise of social media.
Security Risks on Social Networks
Hackers have found numerous ways to leverage social networks to spread ransomware, gain access to sensitive data, or simply cause damage to computers and data. Though each social network has vulnerabilities, companies should especially be mindful of LinkedIn considering its frequent business application. Some of the methods used to exploit social media user include:
- Malicious apps spread by social networks: The infamous Locky app embedded malicious code in image files that were spread on LinkedIn, Facebook Messenger, and other platforms that encourage users to send images to their friends. In this scam, a message that appears to come from a friend contains an infected image. When the recipient clicks on the image, the hidden code runs and locks the recipient’s computer; this is followed by a ransom note demanding money to unlock the computer. This could bring a company’s IT infrastructure to its knees.
- Phishing: All social networks are candidates for phishing scams. An unwary employee receives an authentic-looking email from Facebook or Twitter, and clicks on a link or an attachment that downloads malware to steal credentials or locate security vulnerabilities on the local network, opening a “back door” for later exploitation.
- Exploitation of weak privacy settings: Hackers know that corporate social network accounts, which are typically shared by multiple employees, often have weak privacy settings or easy-to-guess passwords. A compromised corporate account can be used to embarrass a company and seriously damage its brand.
Actions to Take
How can a company protect itself? Because of its legitimate business uses, it’s not practical to completely prohibit employee internet access, but there are some actions a company can take:
- Publish and enforce a solid “acceptable use” policy: The policy should clearly state that employees’ internet access is provided primarily for business use, while allowing for some incidental personal use. Make it clear that internet use can and will be monitored, and that spending an unreasonable amount of time on websites that are not work related, such as social networks and personal email, will have consequences, up to and including termination.
- Implement web filtering: With a web filtering system you can “blacklist” specific websites, such as social media sites, and allow exceptions for certain users or groups who have an actual business need. This approach involves has pros and cons: On the “con” side, someone has to manage the blacklist, and a formal request mechanism for exceptions should be implemented. However, the benefits are substantial if you can keep people away from time-wasting and/or dangerous websites.
- Optimize your corporate social media accounts for security: For example, Facebook fan pages and business pages can have “admins” assigned who are authorized to log in and update the page; these users log in to the brand page as themselves, rather than using a shared generic account whose password is widely known and easily guessed or stolen. Regardless of the social media sites your company uses, ensure appropriate levels of security are set up on each account, and assign an “owner” who is accountable for ensuring those settings are maintained. This will keep your Facebook, Twitter, Pinterest, and other accounts from being targets for hackers seeking weak protections.
Social media is an important business tool, but it can be a source of trouble for companies who aren’t careful. Don’t be the next victim of a social media hack—protect yourself today.