Social media has become the new cyber battleground. Not only is this landscape growing rapidly, but it also represents one of the most dynamic, unstructured and unregulated datasets anywhere in the digital world. In the wake of the social media revolution, cybercriminals exploit businesses and their customers at a massive scale.
A staggering 40% of organizations have fallen victim to spear-phishing on social media that ultimately penetrated their defenses. Network compromise via social media outpaces all other web-based attacks, beating email by a factor of 10. Customer and brand fraud on social media is launched 75% faster than it can be remediated, and CXO accounts are among the most targeted.
ZeroFOX has provided the following best practices that enterprises should implement to better (or in many cases begin to) secure social media.
Enterprises often place a heavy emphasis on SaaS solutions and high-tech tools to help secure the organization, but forget the simple practice of raising awareness and educating employees about cybersecurity. Social media has evolved to become a fabric that connects society and a pervasive business communication tool in the digital age. There is a level of trust between users and the platform that fosters a presumption that all information shared via social platforms is safe. With employees on the front lines of the latest cyber threats, it’s important to spotlight the risks lurking at their fingertips with every tweet, snap, post and click.
Informing employees of best practices helps move the needle not only for the overall security of the business, but for security knowledge across the business. Awareness through seminars, workshops and other programs helps educate employees on how attackers use social media to target a brand via individual employees.
Encourage employees to change passwords regularly
While using the same password across multiple social media accounts is easy, it is a huge threat to employees and the company’s security. Once a hacker obtains a “favorite” password, they can easily use it to gain access to other platforms and accounts. Encouraging employees to use a different password on each of their social platforms makes it far more difficult for a hacker to breach accounts. This is also true for company-branded accounts.
Utilize two-factor authentication
Make sure employees and all corporate accounts use two-factor authentication, which requires, in addition to a username and password, something that only the user possesses or knows. Many of the larger social networks provide two-factor authentication, commonly in the form of a code sent to the user’s smartphone or email each time a new device or browser attempts to log in to the account.
This provides a second check that the person logging in is the legitimate account owner before access is granted. Having this second layer of protection makes attackers’ lives harder and reduces the risk of account takeover.
Avoid engaging with suspicious content
Stress the practice of carefully reviewing links before clicking to make sure the company and site name are spelled correctly. Cybercriminals often blast out links that closely resemble a real address, adding, removing or rewording parts to differentiate them. Social networks’ URL shortening services obscure this further: a shortened link looks harmless when scrolling quickly, and even on closer inspection it is difficult to tell where it leads or whether it is safe.
Another common tactic is prompting a user, via social media links, to download an application from outside curated stores such as the Apple App Store or Google Play in order to view information. This is never a good idea, and employees need to be aware of the dangers of downloading third-party applications onto work devices, especially from unfamiliar sources, which can leave the company vulnerable.
The general rule of thumb in today’s threatening digital landscape is that if a link or website looks suspicious, don’t click.
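To make the “review the link before you click” advice concrete, the following is an added example (not ZeroFOX’s code or part of the original article) in Python that applies the checks described above to a URL: a brand name placed somewhere other than the registrable domain, a hostname within a small edit distance of a legitimate one, a known URL shortener that hides the destination, and a couple of disguises that are easy to miss when scrolling (credentials before an “@”, non-ASCII or punycode hostnames). The allowlist of legitimate domains, the brand tokens and the shortener list are constructed placeholders; a real deployment would load them from the organization’s own inventory.

```python
"""Pre-click link triage for social media URLs (added example, not from the article).

Assumptions (constructed, not from the page): LEGIT_DOMAINS is the organization's
own domain allowlist, BRAND_TOKENS are the brand strings attackers imitate, and
SHORTENERS is a small list of public URL shorteners.
"""
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"examplebank.com", "example-bank.com"}   # constructed allowlist
BRAND_TOKENS = {"examplebank", "example-bank"}             # constructed brand strings
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}  # constructed shortener list
MAX_EDIT_DISTANCE = 2  # hostnames this close to a legit domain are treated as lookalikes


def registrable_domain(host):
    """Last two labels of a hostname.

    Rough approximation of the registrable domain; it does not handle multi-label
    public suffixes such as co.uk, which a production checker would look up.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def assess_link(url):
    """Return (verdict, reason); verdict is 'ok', 'shortened', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no hostname in link"
    # "https://examplebank.com@evil.net/" shows the brand first but lands on evil.net
    if parts.username is not None:
        return "suspicious", "user info before '@' disguises the real host"
    # Hostnames with non-ASCII letters (or their xn-- encoding) can imitate ASCII brands
    if any(ord(ch) > 127 for ch in host) or "xn--" in host:
        return "suspicious", "non-ASCII or punycode hostname"
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "ok", "registrable domain is on the allowlist"
    if reg in SHORTENERS:
        return "shortened", "URL shortener hides the destination; expand before trusting"
    # Brand name present, but the registrable domain is not ours
    # (e.g. examplebank.com.account-verify.net or examplebank-login.net)
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return "suspicious", "brand name used outside the brand's own domain"
    # Near-miss spelling of a legitimate domain (added, removed or swapped characters)
    closest = min(sorted(LEGIT_DOMAINS), key=lambda d: edit_distance(reg, d))
    if edit_distance(reg, closest) <= MAX_EDIT_DISTANCE:
        return "suspicious", f"hostname looks like {closest}"
    return "unknown", "not on the allowlist and no lookalike pattern detected"


if __name__ == "__main__":
    # Constructed sample links, not real indicators
    for link in ["https://www.examplebank.com/login",
                 "http://examplebank.com.account-verify.net/x",
                 "https://exarnplebank.com/",
                 "https://examplebank.com@evil.net/login",
                 "https://bit.ly/abc123",
                 "https://news.example.org/story"]:
        print(f"{link:50} -> {assess_link(link)}")
```

The verdicts are advisory: “ok” means the link resolves to a domain the organization owns, “shortened” means it must be expanded before anyone can judge it, and “suspicious” is a reason to report rather than click. A real deployment would replace the hard-coded sets with the company’s domain inventory and a maintained public-suffix list.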
Install antivirus and security software
This is one of the most important, but often overlooked, practices among organizations. Preventing malware from breaching a corporate system is extremely important, and the solution can be as simple as installing antivirus software.
With the numerous phishing scams and malware-embedded links floating around social media, having an extra layer of protection is crucial. No matter how careful a user is, there’s always the risk of accidentally engaging with a malicious link – and just one unfortunate click can lead to months of recovery time.
Once antivirus software has been installed, it’s important to remind employees to update it frequently to protect against new, evolving threats.
Beware of fraudulent friend requests
Many hackers gain access to company information by creating fraudulent accounts and connecting with “colleagues.” Employees may accept such a request without vetting its legitimacy and can ultimately fall victim.
Companies should encourage employees to thoroughly vet a friend request before hitting “accept”. They should check whether other colleagues are also connected to the account. If the account seems suspicious or the employee doesn’t know the individual, they should ignore or report the user and refrain from clicking on any links that account may have sent.
Validate and verify
A common hacking technique is to cast a net that encompasses followers, connections and mentions. For example, a hacker might post a nondescript image with many people tagged or mentioned. Before clicking, employees must remember to validate the authenticity of the individual who tagged or mentioned them, ensuring that it is a trusted friend or colleague.
Similarly, hackers tend to create accounts impersonating celebrities, politicians, athletes or large companies. The larger social networks have added “verified accounts” indicated with a checkmark to note their legitimacy. However, many companies have yet to pursue this validation.
If an employee receives a request, it’s important that they do their homework and search for the individual’s name or company online. If they find a verified account that doesn’t match the request, the requester is most likely an impersonator. If this occurs, the employee should flag the account to their internal IT department so that other colleagues can become aware of the situation and avoid any interaction.