LinkedIn, the social media platform, is proving to be a very useful networking tool for business professionals, with a growing database of approximately 380 million users worldwide. The site encourages members to freely share their CV, not just with their network but publically online.
It is also becoming an attractive platform for organised crime gangs. Recently, there have been several cases where hackers have used information gathered from LinkedIn to plan targeted attacks on companies.
Hackers have been found posing as large corporations on the site to entice unsuspecting executives to divulge useful information. Sometimes the hackers don't even need to lure victims by posing as large corporations, they can gather enough personal information from public profiles to scam money or access sensitive corporate data.
These forms of attacks are proving to be a headache for security professionals. Despite having the best tools and processes in place, it is particularly hard to protect information that sits outside of the company network. It can also take months or even years to find the leak.
Most employees are now well aware of the security risks associated with revealing too much personal information on social media sites such as Facebook. However, they often don't realise that revealing corporate information on LinkedIn can be equally risky to businesses.
LinkedIn pages can provide a considerable level of detail to potential cyber attackers: names, job titles, email addresses, partnering organisations, upcoming projects, and even hobbies and interests. At first glance, this information might seem relatively trivial but it can form part of the ‘cyber kill chain' and lead to malicious attacks.
LinkedIn informs the ‘plan of attack'. Employee and company profile pages can help hackers identify a target; source the names of executives and department heads; learn the email structure; as well as the names of affiliated companies. This leaves organisations vulnerable to a range of cyber-attacks including spear phishing.
Most worryingly perhaps, this issue isn't one that can be simply remedied with protective software. No technical solution can prevent an attacker from conducting an Internet search.
LinkedIn and other social media profiles are often among the first to appear in a list of search engine hits. Once the attacker has deployed the malicious software, cajoled an employee and gained remote access, the key goal is theft, whether the gain is more information, financial or data theft.
Education is the answer
As our virtual presence continues to grow, organisations need to make all employees aware of the potential risks of company details falling into the wrong hands. In order to mitigate the risks of social media sites, without blocking them, which will only frustrate employees, organisations must establish a clear security policy.
To safeguard company information and data, enterprises should educate employees about attending more closely to what they wish to make visible to whom.
If employees are informed then they are far more likely to be consciously aware of the risks as they go about their daily duties and knowing the rational, they are less likely to breach the policy.
The world of IT and security is certainly not static and training should not be a one off activity for new employees. Organisations should consider a continuing programme of education, updating the employees on new threats and breaches on a regular basis.