Loose talk on social media big security risk for firms, says Kaspersky

As true now as it was in world war two (Wikimedia/Seymour R. Goff, also known as Ess-ar-gee)
As true now as it was in world war two (Wikimedia/Seymour R. Goff, also known as Ess-ar-gee)

Employees are risking their organisations' IT security and their own personal data by sharing too much information on social media.

According to a quiz from Kaspersky Lab, almost a third (30 percent) of social network users share their posts, check-ins and other personal info with everybody who is online – not just their friends. This is leaving the door wide open for cyber-criminals to attack, as users remain unaware of just how public their private information can be on these channels.

The quiz also found that one in ten (nine percent) respondents didn't think people outside of their friends list could be seeing their pages and posts, making it easy for their personal information to fall into the wrong hands, or even be used by criminals for identity theft and financial fraud.

The survey found that while over three-quarters (78 percent) of Internet users having a social media account, the quiz showed a distinct lack of security awareness amongst social media users.

Around 12 percent admitted adding anyone to their list – regardless of whether they know them or not. Nearly a third (31 percent) will accept connections from people they don't know, if they have mutual friends in common, although this could expose them to more unknown people – even advertisement agents or cyber-criminals.

When it comes to trusting their “friends”, a quarter (26 percent) of those surveyed would have no hesitation to click on a link sent by a friend without asking what it is, or considering that the sender's account could have been hacked.  

“Social network users are playing a dangerous game by not being cyber-savvy and essentially giving strangers easy access to their personal details and private information. With social media profiles containing a raft of insight – from birthdays through to addresses and holiday plans – it wouldn't take much digging for a cyber-criminal to find and exploit valuable information, or steal your identity for their own gain. This is even easier if you have unwittingly made them your friend,” said David Emm, principal security researcher at Kaspersky Lab.

Ken Munro, senior partner at Pen Test Partners, told SCMagazineUK.com that by manually seeding social networks with regularly updated profiles, it's possible to create real identities for bogus staff to form a social media honeynet to more readily identify attackers.

“The type of ‘staff' dummies used should be based upon what type of attack you wish to monitor,” he said.

Munro added that new starters are “perfect cannon fodder” for spear-phishing campaigns as they “aren't familiar with internal processes, probably haven't had security inductions yet and feel nervous about speaking up or getting fired in the event of doing something silly on their desktop”.

“Using this ‘honeynet', it then becomes possible to check for any similar patterns on mail logs. It is even possible to reverse engineer the malware, and find out where the connection goes back to. Obtain a sample and destination IP address and upload it on to a site such as VirusTotal or similar and you might just save someone else from being compromised too,” added Munro.

Fraser Kyne, principal systems engineer at Bromium, told SC that all social media represents both benefit and risk.

“Social engineering is so simple these days – I can find out all I need to know about you online. In light of this, all businesses will need to modify their employee corporate responsibility guidelines and procedures to include social media,” he said.

“They cannot rely on users to do the right thing automatically. This is particularly important given the flippant disregard that most people have for securing their personal information online. If they don't protect their personal data you can't rely on them to protect your corporate data.

“People have to realise a simple truth: if the product is free, then you are the product. This is not only a risk to individual privacy, but a huge risk to any business.”