So your company is on social media, are you practicing safe tweeting?
Social media has evolved from a mere millennial fad into a preferred marketing tool used by businesses across Asia Pacific. With Asia Pacific accounting for 54% of global social media users, and Asia Pacific social media users spending an average of two to four hours on social media daily, it makes sense for businesses to use social media to reach their audiences in this digital age.
Companies are posting product reviews, photos, client testimonials and videos on their social media pages, in hopes of driving engagement through likes and positive comments and eventually whipping up a viral storm. Brands are even creating social media contests to engage consumers playfully while growing their brand identity, or engaging key influencers to get more people talking. Aside from driving engagement, social media serves as an avenue for companies to solicit customer feedback: Customers’ comments can provide insights on common customer complaints and companies’ points for improvement.
But while integrating social media into the marketing mix can bring many benefits, it also has a dark side. Opening the company to more cyber risks. After all, social media is fast becoming an attractive channel for cybercrime perpetrators.
Today, cybercriminals target viral posts to reach a diverse range of people. Through basic spamming techniques such as creating short posts with links to freebies and job posts, cybercriminals lure unsuspecting social media users into clicking malicious links, which transmit malware after they are clicked on. Based on CyberInt’s research, 1.92% of all posts, comments and tweets found on a company’s social media feed are malicious or attempted attacks. Last year, 13% of large organizations experienced a security or data breach associated with social media networking sites.
There is no denying that social media sites are now a hotbed for cybercrimes: In 2015, cybercriminals leveraged LinkedIn in health insurance provider Anthem’s hack, exposing sensitive data such as names, Social Security numbers, birth dates, addresses, email addresses, employment information and the salary of as many as 80 million current and former customers.
Social phishing, which attempts to obtain an individual’s personal information through a corrupted link or other form of electronic communication, has become a common social media security threat. In the past, phishing attacks typically came in the form of emails; now, they are also perpetrated through social media private messages and wall posts.
Links to malware can be disguised as ‘click-bait’ articles or videos posted on a company’s Facebook wall, Twitter or Instagram handles. Malicious links can cause devices to be infected with malware, which grants easy access to personal information and allows hackers to use the infected device as a platform to jump into other networks such as the home or office.
Today, cybercriminals are using a wide range of social engineering techniques to spread malware and obtain sensitive data through social messaging channels such as Facebook chat. Cybercriminals are also leveraging social media Distributed Denial of Service (DDoS) attacks, which render social media sites inaccessible for long periods of time, to draw attention away from nefarious schemes usually involving stealthy data siphons. Some social media DDoS attacks also involve comment flooding, which causes a company’s Facebook page or Twitter to be flooded with millions of automated comments in a minute, paralyzing the company’s page feed. Automated programs or social bots are now being increasingly used for such schemes.
Cybercriminals today even use illegitimate social media profiles or hijack existing social media profiles to disseminate malicious links and malware to a company’s employees, usually with the goal of extracting an organization’s sensitive data. Some resort to “false flag” scams, which involve impersonating social media platforms to trick users into revealing personal data that will allow them to access a company’s systems. Others go as far as putting up scam e-shops and coming up with fake advertisements on social media to impersonate brands. Aside from weakening a company’s immunity to future cyberattacks, these scams also translate to the loss of consumer trust in compromised brands.
Social Media Teams Need to be in the Know
Companies utilizing social media have the duty to protect their consumers and employees from cybersecurity risks. They need to take a closer look at what they are posting to prevent socially engineered attacks on employees while simultaneously ensuring that social media comments from the public do not contain links to malicious links that other community members might click on.
As social media threats occur outside their network perimeter, organizations cannot easily detect these risks from the onset. They need to focus on prevention and the elimination of potential threats instead through the constant vigilance of cyber-activities. Organizations also need to identify the crown jewels and dedicate more resources to protect them and be aware how cyber criminals might leverage social media to gain access to their crown jewels.
One way is to invest in targeted threat intelligence, which allows companies to gain insight on potential or current attacks that can harm their employees, brand reputation and customers. Cyber security organizations, like CyberInt, have cyber tools available that scan social media accounts and purge malicious comments in real time, to provide companies with better peace of mind.
Leveraging social media as a marketing tool entails dealing with a sheer number of cybersecurity threats. Awareness is still the best safeguard to these threats: Social media teams should be aware of the risks associated with what they are posting and how cybercriminals are manipulating information in social media sites to advance their own selfish interests. But awareness should be coupled with concrete action: Companies using social media in their marketing mix should also implement solid security policies to mitigate risks and vulnerabilities.
One security measure companies can adopt is ensuring a close coordination between the social media team and the IT team— this arrangement will allow the social media team to stay updated on the latest cybersecurity threats and better monitor risks on their social media feeds. Employees should also undergo training to improve their cyber hygiene and cyber posture so they can be fully aware of the threats and have a better appreciation of the security policies in place.
Good security policies, however, would amount to nothing without the proper security tools. After all, it takes the right combination of people, processes and technology guardrails to address security challenges in today’s rapidly evolving digital workplace.