One of my resolutions this year was to increase my use of social media for business. I’ve been on both Twitter and LinkedIn for a long time, but my posting has been somewhat spasmodic. A combination of encouragement and nagging from our marketing manager has reminded me of my responsibilities. Although we make regular posts on our company Twitter feed and LinkedIn page, my personal profile reaches a different audience, ranging from industry contacts I’ve made over 25+ years in the business to journalists and friends.
As well as sharing my own articles including these columns and those my colleagues in Fordway write, I aim to highlight interesting developments in the IT sector and comment about their significance. As I’ve mentioned in previous diary entries, I read a lot of industry newsletters and management books, which give me plenty of material. One recent article I shared was the news that the government is increasing its IT spending with SMEs, one of which is Fordway.
However, social media for business is a double-edged sword. It can damage your reputation much more quickly than it can raise your profile, and it’s also increasingly being exploited by hackers and those with malicious intent. Potential problems range from malware embedded within links and images to social engineering using the data you’ve provided online through your social media profile to attack your business.
Most people are well aware that links and attachments within emails can be a source of viruses and phishing attacks, so use tools such as spam filters and treat emails from unknown sources with extreme care. However, social media can be something of a cyber ?blind spot?. Many people aren’t aware that it can be used as a delivery mechanism for ransomware in a similar way to email. Researchers have claimed that a new automated spear-phishing framework which targeted Twitter users had a success rate of between 30 percent and 66 per cent, perhaps because people don’t treat links within tweets with the same level of caution as email attachments.
Images can also be a security risk. Those with malicious intent have found a way to embed ransomware code into images which they then post on social media. So when using Facebook, LinkedIn and other social media sites it’s important to avoid clicking on and downloading image files that appear without pictures, as they could launch ransomware attacks on your devices.
When you’re busy it’s easy to be caught out. You see an article that looks plausible and of interest to your customers and quickly share it. However, retweeting content that contains malware or links to questionable content can soon undermine your authority. We all have a duty of care to our contacts and need to make sure that we’re sharing trusted content.
Social engineering is another issue that’s caught many people out including those who are otherwise technically savvy. Many people don’t realise how much information they give out through their LinkedIn profiles, Twitter conversations and Facebook pages, which can then be used against them. A busy user might easily respond to a carefully crafted phishing email that seems to originate from senior management without realising it is not what it seems.
The ultimate example of this is a sanctioned penetration test where security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defences of a US government agency with a high level of cybersecurity awareness. It demonstrates that social engineering attacks can be effective against even the most technically sophisticated organisations.
This doesn’t mean organisations should be frightened of social media. Each organisation is different and has a different appetite for risk. Thankfully, most now understand that cyber risk is a business issue for the board, not an IT issue, and is approached and funded as an organisational priority. It is important that all risks, including social media, are considered. A comprehensive risk analysis will identify vulnerabilities, how likely they are to happen and the impact if they do. Each organisation can then put in place the appropriate policies and technology to protect its most essential assets.
With social media in particular, the key to protecting your organisation is user education training everyone about the threats, so that they know what to beware of and what to do should the worst happen. One very effective policy which we’ve implemented is to have security champions in all departments. This ensures security is embedded in day-to day activities and reminds everyone of their security responsibilities, while sharing knowledge and best practice and providing a channel for feedback.