If your staff reveal all on their LinkedIn and Facebook profiles, then your company is a sitting duck for fraudsters.
LinkedIn and Facebook are different, right? One is social and the other is business, one secure and the other not, one for fun and the other a useful tool? Think again. While most people believe that LinkedIn is the place where business contacts network, and Facebook where people share pictures of last night's party and funny stuff the dog did, they miss the fact that both are in essence huge sources of information to the social engineer.
When it comes to performing social engineering exercises, these resources are the first ports of call. They provide a goldmine of information about people and the companies they work for. While most of the public now realise that Facebook might not be the best place to share sensitive information, they will gladly use LinkedIn to connect with anyone they have met, even if only briefly, in a business context. They will also post information about their job role, and even their contracts or customers, if they feel it will benefit their networking profile.
The bad guys have learned this too – they are using LinkedIn to perform spear-phishing attacks, or to pick out the weak members of the herd, separate them, and then exploit the information those people give away. They are trying to find a chink in the company's hardened outer shell.
Psychological profiling, along with the vast amount of information people disclose about their colleagues and the inner workings of their company, makes the task so much easier. Add to the equation the ‘premium’ version of LinkedIn and what you have is something like the Tesco of social engineering.
There are a few things your staff can do to make their LinkedIn profiles more secure. Yes, it involves some downsides – they might not get quite so many calls from speculative recruitment consultants (a good thing?) – and it will be harder for prospective ‘friends’ to find them. However, it will also make the information on their profiles less likely to be filched by social engineers and those trying to use it for illicit purposes.
It's all pretty easy to fix. Go to your LinkedIn account and select the ‘settings’ option; review the ‘privacy controls’, being mindful of how the information you disclose to the world could be used against you and your business: do you really need to give away information to all and sundry about where you've been and what you've done? Decide for each item whether it should be viewable by ‘everyone’, ‘your connections’, ‘your network’ or ‘only you’.
Then review your public profile – you probably want it to be visible, but do you really need to disclose anything other than the basics to the public internet? Schools, previous jobs, etc. are great data for social engineers, as well as often being the answers to many commonly used security questions for other parts of your life.
While on the subject, how about showing your staff how to secure their Facebook profiles? There's loads of guidance on the internet, but here is one suggestion that might help businesses a little: search your business name on Facebook and see which employees pop up. Explain how that information can be useful to the fraudster and social engineer, and show the user how to suppress that.
It's easily done: edit the profile, select the specific audience that can see (for example) the company name, and change it to ‘friends’ rather than ‘public’. Or even just remove the company name altogether from the profile.
Helping staff to protect themselves has multiple benefits. They gain from better online security in their private lives, and your company from being harder to profile.