Cyber attacks are on the rise, and one of the main vehicles of attack is the social media platforms we depend on for marketing and sales every day. Because the security of those platforms is out of our control, our ability to respond to new threats on them is limited.
As a business, we also cannot simply do without social media. Social media helps us reach new prospective business opportunities.
Reports from 2018 show that Twitter and LinkedIn have suffered from regular phishing attacks. In early 2018 Twitter allowed an ad to be purchased on its platform that led to a phishing scam. Another security incident Twitter was responsible for involved storing passwords in a plaintext log.
In some cases, the full scale of a data breach does not come out for years. When LinkedIn suffered a data breach in 2012, the public was led to believe only 6.5 million accounts were affected. Four years later, in 2016, it was revealed that 167 million accounts were compromised in that breach. In interviews with victims, most had not changed their passwords since.
Human Fallibility & Social Media
When it comes to social media the security incidents above were the fault of organizations. However, the most direct security threat that impacts organizations is human fallibility. Both customers and privileged internal users can make mistakes that place your organization at risk.
This is especially true on social media, where people are often overwhelmed with information and make snap decisions. According to a recent Wandera report, social media accounts for 16% of all mobile phishing attacks.
While phishing is a common focus, there are other threats that can be devastating to a company and its customers. Let’s explore a few of them.
Phishing & Social Engineering
This first type of threat, phishing, is familiar to a lot of people. Most people can spot the poorly written email. However, when it comes to social media, a phishing attempt can look very different.
Attackers have successfully guided people into clicking malicious links or handing over their credentials. When Twitter allowed a malicious website to purchase ads on its platform, it sent the signal that the site was safe. If one of your employees had clicked the link, it could have been a disaster for your company to recover from.
As phishing has evolved, we need to be aware of how it looks. Phishing attempts no longer verify your mysterious royal lineage or lottery winnings. Instead they look like startups, non-profits, and people you come across every day on social media platforms. All it takes is one bad link for your server to be seized or for credentials to be stolen from your network.
Malicious Apps & Files
Malware can take many forms, some of them unexpected, in this case image files. In 2016 a ransomware known as Locky emerged and was spreading as SVG and JPEG image files on LinkedIn and Facebook. At the time this was a serious threat, because most social networking applications were whitelisted in security software. Since then, Locky has evolved and cost companies billions.
If your employees must use social media in any way, it could be unsafe to download any sort of media from there. If you don’t have a social media use policy in place, it could be detrimental for your company later.
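The Locky case above shows why a file that is merely named like an image should not be trusted as one. The following checker is an added example, not code from the original post or from any security product it mentions: it verifies that a downloaded file's magic bytes match its claimed raster image type and flags SVG files that carry active content (scripts, event handlers, foreignObject) that a plain picture never needs. The signature table and the sample files are constructed for the demonstration.

```python
import re
from pathlib import Path

# Magic-byte signatures for common raster image types (constructed table, not exhaustive).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Active content that a static SVG image never needs in order to render.
SVG_ACTIVE = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|<foreignObject\b|href\s*=\s*[\"']\s*javascript:",
    re.IGNORECASE,
)


def classify_image(name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch', 'active-svg' or 'unknown' for a file claiming to be an image."""
    ext = Path(name).suffix.lower()
    if ext == ".svg":
        head = data[:256].lstrip()
        # An SVG is XML text; anything else under a .svg name is a disguise.
        if not (head.startswith(b"<?xml") or head.startswith(b"<svg")):
            return "mismatch"
        return "active-svg" if SVG_ACTIVE.search(data) else "ok"
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "unknown"  # extension we do not know how to verify
    return "ok" if any(data.startswith(s) for s in sigs) else "mismatch"


def scan(files: dict) -> dict:
    """Classify every (filename -> bytes) entry, e.g. a quarantine of social media downloads."""
    return {name: classify_image(name, blob) for name, blob in files.items()}


# Constructed sample downloads: a real JPEG header, a Windows executable renamed to
# .jpg, a harmless SVG logo, and an SVG with an event handler and embedded script.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "promo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>',
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Anything other than "ok" is a reason to block the file at the gateway or quarantine it for review rather than letting it reach the employee's device.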
Fake Websites & Accounts
Producing fake websites is a very common attack method among cyber criminals. Essentially, attackers create duplicate websites that are intended to trick people into giving up their credentials and other information.
Fake websites and accounts can be a threat in two ways: impersonation and phishing. When an attacker creates a fake website or social media account that looks exactly like yours, a lot can go wrong.
Impersonation can cause many people to distrust your brand or anything you say online. Social media is of course intended to bring people to your company website or blog. When someone impersonates you, they divert traffic away from the actual company with the intention of stealing information from those visitors.
The other threat is fake accounts on the customer side. If you use Twitter or LinkedIn to connect with other experts, some of those people could be fake. If one of your employees clicks the wrong link, they could unintentionally visit a site that installs malware on their device.
Poor Security Management
It is no surprise that many companies do not really take the time to adjust the security settings on their social media accounts, especially joint marketing accounts. If even one employee account is compromised, the whole company’s social media account is at risk. This is common with startups and midsized companies: almost full admin access is granted to employees by default, which of course is a problem if an employee is hacked.
Password management is an old but ongoing problem. People often use the same password for everything. If one account is compromised on some other site or platform, then everything is compromised. Thankfully, solutions to these issues are improving as time goes on.
Reducing Your Security Risks
For all of these risks there are thankfully steps you can take to improve your security practices while using social media for your business.
Training and Continuous Testing
Employees need to be able to recognize phishing in its current form on social media. If they do not learn, then employees and contractors place your company at risk.
When I talk about training, it is not just a simple PowerPoint presentation. People need active engagement when it comes to cyber security. You can test employees with services designed to send simulated phishing attempts to your staff, to identify who your internal risks are.
PhishMe even offers a free tool to small and medium sized businesses. Train against phishing on email and social media for the best defenses against cyber threats today.
Content Guidelines & Policies
Consistency is critical here, in respect to both the content you produce and the policies you put forward. When your content and voice are consistent in tone and execution on social media, people are better able to identify when something is off about a post or account.
Your marketing team should be aware of the core brand messaging and strategy. Inconsistency could leave an opening for an attacker to trick unsuspecting customers.
Partner Marketing with IT/Security Team
It is usually marketing that is in charge of social media accounts; however, IT should be working with marketing to mitigate the risk of unsafe behaviors and practices. For example, one of the things that should happen between IT and marketing is the development and continuous improvement of an incident response plan.
One of the failures in the Equifax breach was the failure to follow the incident response plan, which led to miscommunications all around. If Equifax had followed an incident response plan, they would not have been promoting a fake website. To avoid this, work with the IT team and make sure they are well equipped to help with cyber security across the organization.
Improve Password Practices
Passwords can be frustrating, and security experts are trying to develop alternatives, but for now we have to learn to manage them better. Policies need to be established in your company to change passwords frequently. Password managers have become mainstream and happen to be very secure. You will have to do your own research as to which one you prefer.
Lastly, and most important, is insider monitoring. When it comes to your employees, be sure to monitor company email accounts and social media accounts.
Currently social media-based attacks are on the rise, and email remains at the top. By monitoring communications, you will be able to better identify potential risks. If paired with data loss prevention tools, you could potentially prevent an attack with automated policy enforcement.
Social media is an excellent way to reach new people and generate more business, but it comes with risk. Remaining vigilant and security oriented while marketing your business will save you in the long run. If large companies are being impacted by these malicious efforts, you certainly can be too.