Cyber Security Risks of Using Social Media Tools


Social Media is gaining a lot of momentum, not only from a digital marketing standpoint but also from a communications perspective. While these are great tools to use, they also pose a great security risk to your employees and business, because the Cyberattacker now targets specific profiles in order to examine the weak points and vulnerabilities of their intended targets.

We examine some of these major threats in this article.

What Are The Cyber Threats?

Here are some of the top ones:

  1. Unused Social Media Accounts:

    Because Social Media accounts are free to set up, there is a strong temptation amongst all the departments within an organization to set up their own individual accounts in order to reach both prospects and existing customers. As mentioned previously, these Social Media sites can also be used for internal communications with employees. But very often, many of these accounts go unused for very long periods of time and even become inactive. Just as they examine a Network Infrastructure for open ports that are not in use, a Cyberattacker can also probe for these unused Social Media accounts in order to gain a point of entry into the organization.

  2. Employee Error:

    When employees post content about a new product or service, there is often a rush of excitement to post as many related links as possible. In the heat of the moment, there is a high statistical probability that they could put up a proprietary link that they did not mean to. The fact remains that this link has been made open to the public, and the attacker will always have their eyes and ears open to this. By the time it has been discovered, it will be too late, as the damage has been done.

  3. Third-Party Applications:

    Even if you are authorized to download mobile apps onto your company-issued wireless device (such as a Smartphone), the attacker will always find a way to penetrate them in order to hijack your password and other relevant login data, gaining access not only to the company’s Social Media accounts but to your personal ones as well.

  4. Phishing and Malware:

    When one thinks of these two, very often the first thing that comes to mind is either clicking on a malicious link or downloading an attachment (such as a .DOC or .XLS file) in an Email message that contains some kind of Malware. But keep in mind that the attacker of today can also hijack a legitimate Social Media account and put up a posting with a link attached to it that will take you to a spoofed website. In this regard, once again, Facebook has been the prime target, with accounts being hijacked on an almost daily basis and illegitimate postings being put up.

  5. Establishing Fake or Impostor Accounts:

    A Cyberattacker does not necessarily have to hack into an existing Social Media account in order to hijack passwords or put up Phishing-related posts. He or she can also simply create a fake or phony account and make it look like the real thing. For example, these kinds of accounts can be used to target both customers and employees simultaneously, in order to con them into giving up their Personally Identifiable Information (PII) or company secrets, respectively.

  6. Shared User Access and Interconnected Mobile Apps:

    In Corporate America today, many departments (such as IT, Marketing, Accounting, Finance, Human Resources, etc.) typically share passwords across those applications and systems that are interconnected with one another. A perfect example of this is when the organization hires an exclusive Social Media Manager from an external third party to manage their content. Rather than creating a different password for each Social Media Platform, usually only one password is created, merely for the sake of ease and convenience. Not only is this a grave security risk, but the fact that this administrative password is being shared with an external third party poses a far greater concern. As mentioned, if there are other apps connected to these Social Media sites (such as dashboards, analytical tools, etc.), this external third party can very easily gain access to even more sensitive information and data in the company.

  7. Social Media Botnets:

    To some degree or another, we have all heard of “Bots”. A popular example of this is the “Chatbot”, which is a virtualized customer agent that can answer customer service-related questions and requests without the need for any sort of human intervention. Although this can be quite advantageous and brings many benefits with it, it can also pose a very serious security threat. For instance, on a Social Media account, a bot can be made to look like a real, live person (when it is really not) who is interacting with an employee in an organization. These are known as “Socialbots”. Apart from the security threat, they bring other, non-quantifiable risks as well, such as skewing tracking data (for example, with fake ad impressions) and even creating fake hashtags that can be used in a Phishing Attack. They can even be used to alter your customers’ perceptions of your company brand.

  8. Insider Attacks:

    As a company grows and expands, or even offers new products and services, there is a strong tendency for both employees and management (and even the C-Suite) to share more than what is really necessary, as mentioned previously. For example, if an organization is opening up a new office, there will be a temptation to post pictures of its interior and the new employees in order to further “show off” the brand on Social Media sites. It is important to keep in mind that while prospects and existing customers may be “wooed” by this, the Cyberattacker is also keeping very close tabs on it, and their purposes are far more nefarious in nature. For example, by getting a clear picture of what is inside the new office as well as its new employees, the Cyberattacker can use Social Engineering to lure a naïve employee into perhaps launching a covert Insider Attack in those areas that have been posted on the various Social Media Sites. In fact, in this instance, the attacker can be so stealthy in manipulating the mindset of this particular employee that he or she may not even be aware that they are participating in an Insider Attack against the very company that they work for.
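
For item 5 (fake or impostor accounts), one defensive check is to compare newly observed account handles against the official one and flag those that only look like it. The Python below is an added example, not part of the original article; the handles, the digit substitution table and the distance threshold are constructed assumptions.

```python
import unicodedata

# Assumed substitution table: digits commonly used to imitate letters.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def skeleton(handle: str) -> str:
    """Fold case, accents, separators and digit swaps into a comparison form."""
    text = unicodedata.normalize("NFKD", handle)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold().translate(DIGIT_SWAPS)
    return "".join(c for c in text if c.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, official: str, max_distance: int = 2) -> str:
    """Label a handle relative to the official one."""
    # Assumption: the platform treats handles case-insensitively.
    if candidate.casefold() == official.casefold():
        return "official"
    cand, off = skeleton(candidate), skeleton(official)
    if off in cand:
        # Same name after folding, or the name padded with extra words.
        return "impostor-likely"
    # Near misses, including cross-script letters that NFKD does not fold.
    if edit_distance(cand, off) <= max_distance:
        return "review"
    return "unrelated"

def triage(handles, official):
    """Map every observed handle to its label."""
    return {h: classify(h, official) for h in handles}

# Constructed sample data; "\u0430" is the Cyrillic letter that resembles "a".
OFFICIAL = "acme_corp"
SEEN = ["ACME_Corp", "acme.c0rp", "acmecorp_support", "acrnecorp",
        "\u0430cme_corp", "bobs_bakery"]

if __name__ == "__main__":
    for handle, label in triage(SEEN, OFFICIAL).items():
        print(f"{label:16} {handle!r}")
```

Short official handles will match many unrelated names under the substring rule, so treat the labels as a queue for human review rather than a verdict.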

You may be wondering at this point what can be done to mitigate the risks just detailed. The best line of defense you can use is to create a Social Media Security Policy and strictly enforce it. A future article will examine closely what is needed to create this kind of document.