Social media is more than just a phishing risk

Most organisations know about the phishing risks of social media - Ian Trump looks at why social media presents other risks to an employer, and what can be done about it.

Contributed by Ian Trump, security lead, LOGICnow
If you work in an office, one of the first things you will do – once your computer has booted up and you've grabbed a much-needed coffee – is check your email. Your email will have been filtered for junk and spam and checked for viruses and malware, sometimes more than once. Email is a common vector for all kinds of nasty stuff, so investment of both time and money in preventative measures is a sane decision.
These two types of communication tools – web browser and email client – exist side-by-side, but while one is monitored and protected thanks to software developed and refined since the introduction of email, social media is by comparison new and potentially dangerous.
One in five phishing attempts is made through social media. Some of these will be unsophisticated attempts to snare anyone who might misclick, but others will be more targeted and try to fool people with specific information, attempting to drive the user to a fake website where they will enter their username and password. A compromised social media account has the potential to wreak further havoc, especially given people's habit of using the same password over and over again for both work and personal accounts.
When LOGICnow surveyed Managed Service Providers (MSPs) to find out what areas of security they were worried about, only six percent identified social media. However, Facebook, Twitter, Snapchat and the social media services we use every day deserve more attention. There are potential problems that go beyond hijacked accounts and using social media as a vector of attack.
We are used to using email to communicate, and email addresses – assuming we don't accidentally copy in the wrong person – mean we have control over who sees our message. Sensitive information can remain within the business and won't be shared outside unless someone is really careless. However, we now have a generation of people joining the workplace for whom the primary way to communicate is through social media services. 
The biggest risks to businesses from social media usage may not be from direct attacks, but accidental disclosure. Social media can have the illusion of privacy while being nothing of the sort. Twitter, for example, is full of conversations that may be public and viewable by anyone but can ‘feel’ private. This feeling of privacy could mean that users, collaborating in a space they feel most comfortable in, reveal more information than is wise. This could be anything from financial information through to private thoughts, which may say more about a business than the author might realise.
For example, an internal email complaining about efforts to cut costs may be harmless. Posting a tweet saying, “They're really cutting back here! No bonus either! #nightmare” from an account that discloses a place of employment reveals more about a company's financial situation to everyone else. This could have serious repercussions if widely shared – it could affect a bank's willingness to lend, make customers and suppliers more aggressive when negotiating and possibly lose business completely. Who wants to work with a company that may be going out of business?
There are certain sectors where this kind of scrutiny is real, and tech is one of these sectors. Some companies must carefully control what they say to the media as share price, merger and acquisition deals could be damaged. Companies that hold information close should be wary that their employees' communications could become a pipeline of potentially damaging information.
 
Care needs to be taken about the solution. The simplest answer might seem to be to ban social media in the workplace, but this is actually a dangerous approach. Especially for so-called ‘millennials’, social media is a primary way to communicate, and attempts to eradicate it will either fail or cause resentment. You may be able to banish Facebook from your network, but the ubiquitous smartphone means that it's always within reach. Clamping down further risks damaging morale and moving away from the forward-looking, ‘BYOD’ approach that companies often want to foster.
Employees need to be made aware there is more to social media safety than not clicking on dodgy links and blocking spam followers. They need to be educated on why small revelations about the company could have wider implications than they realise. 