When Social Tools Attack: Employees, Internet, and Cybersecurity

To the average user, social media is a fun way to stay connected with friends, make business contacts, share exciting life updates, and spread funny cat videos. Not everyone takes social media so lightheartedly though. In fact, two groups are especially serious about it: commercial businesses, who rely on social media to establish and spread their brands, and criminal hackers.

The latter group is particularly troubling. Usually under an “acceptable use” policy, most companies allow their employees to access the internet at work. However, there are unfortunate consequences to work-time internet use. Permitting employees to visit different websites means that the inevitable will happen: someone will visit a phishing site and provide access to company resources, get tricked into a scam, or download malware. With social media steadily on the rise, these risks have not been diminished.

Security Risks on Social Networks

Hackers have developed numerous methods to leverage social networks to spread ransomware, gain access to sensitive data, or cause damage to computers and data. Though each social network has its vulnerabilities, companies should be especially mindful of LinkedIn, given how often it is used for business. Some of the methods used to exploit social media users include:


  • Malicious apps spread by social networks: The infamous Locky app embedded malicious code in image files that were spread on LinkedIn, Facebook Messenger, and other platforms that encourage users to send images to their friends. In this type of scam, a message that appears to come from a friend contains an infected image. When the recipient clicks on the image, the hidden code activates and locks the recipient’s computer; this is followed by a ransom note demanding money to unlock the computer. An attack like this could bring a company’s IT infrastructure to its knees.
  • Phishing: Phishing scams are on the rise, meaning that all social networks are potential candidates for a business’s next security breach. A well-done phishing scam can go unnoticed, making these scams popular amongst criminal hackers. An incautious employee can receive an authentic-looking email from Facebook or Twitter and click on a link or an attachment that downloads malware to steal credentials or locate security vulnerabilities on the local network, opening a “back door” for later exploitation.
  • Exploitation of weak privacy settings: Hackers know that corporate social network accounts, which are typically shared by multiple employees, often have weak privacy settings or easy-to-guess passwords. A compromised corporate account can be used to humiliate a company and seriously damage its brand.

Actions to Take

How can a company protect itself? Because of its legitimate business uses, it’s impractical to completely prohibit employee internet access, but there are some actions a company can take:

  • Publish and enforce a solid “acceptable use” policy: The policy should clearly state that employees’ internet access is provided primarily for business use, while allowing for some incidental personal use. Make it clear that internet use can and will be monitored, and that spending an unreasonable amount of time on websites that are not work-related, such as social networks and personal email, will have consequences, up to and including termination.
  • Implement web filtering: With a web filtering system, you can blacklist specific websites, such as social media sites, and allow exceptions for users who require access to certain websites for business purposes. One consequence of this approach is that someone has to manage the blacklist, and a formal request mechanism for exceptions should be implemented. However, the extra step is worthwhile if it keeps employees away from time-wasting and/or dangerous websites.
  • Optimize corporate social media accounts for security: For example, Facebook business pages can have assigned “admins” who have authorized access and the ability to update the page. Rather than using a shared account with a weak password, admins log in to the brand page through their own personal accounts. Regardless of the social media that a company uses, appropriate levels of security should be set up on each account, and there should be an assigned “owner” who is accountable for ensuring those settings are maintained. This will prevent your Facebook, Twitter, Pinterest, and other accounts from becoming easy targets for hackers.
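
The web-filtering rule described above (a blacklist plus approved per-user exceptions), sketched as an added example that is not part of the original article. The domains, user names, approver and dates are constructed sample data, and the layout of the exception record is an assumption.

```python
from datetime import date
from urllib.parse import urlsplit

# Constructed sample policy: blacklisted domains.
BLOCKED_DOMAINS = {"facebook.com", "twitter.com", "pinterest.com"}

# (user, domain) -> (approver, expiry date). Hypothetical record layout;
# entries would come from the formal exception-request process.
EXCEPTIONS = {
    ("marketing-alice", "facebook.com"): ("it-manager", date(2030, 1, 1)),
    ("intern-bob", "twitter.com"): ("it-manager", date(2020, 1, 1)),
}


def blocked_domain(url):
    """Return the blacklist entry covering this URL's host, or None."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less input
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    for domain in BLOCKED_DOMAINS:
        # Match the domain itself or a true subdomain, never a substring:
        # "m.facebook.com" matches, "notfacebook.com" does not.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def decide(user, url, today):
    """Return (verdict, reason) for one web request."""
    domain = blocked_domain(url)
    if domain is None:
        return ("allow", "not on blacklist")
    grant = EXCEPTIONS.get((user, domain))
    if grant is None:
        return ("block", f"{domain} is blacklisted")
    approver, expires = grant
    if today > expires:
        # Exceptions carry an end date so stale approvals do not linger.
        return ("block", f"exception for {domain} expired {expires}")
    return ("allow", f"exception approved by {approver}")


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for user, url in [("marketing-alice", "https://www.facebook.com/brand"),
                      ("intern-bob", "https://m.facebook.com/home"),
                      ("intern-bob", "https://twitter.com/news")]:
        print(user, url, decide(user, url, today))
```

Recording an approver and an expiry date with each exception gives whoever manages the blacklist an audit trail and keeps access from outliving the business need.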

Social media is an important business tool, but for companies who do not use precautionary measures, social media can be troublesome. Don’t be the next victim of a social media hack! Download this free eBook now and arm yourself with the knowledge you need to keep your business safe.
