Hackers finding victims on social networking sites is nothing new. We have been warned for years about the increased risk to corporate data from malware delivered through social media sites such as Twitter, Facebook, and LinkedIn.
And yet most companies are still more worried about what their employees might post about them on these sites than about the backdoors, Trojan horses, and other intrusions into their systems that begin with an employee signing on to a social network.
With the growth in the use of mobile phones and tablets, which travel from office to home and switch seamlessly between work and personal use, the value of these devices as attack targets is growing at an incredible rate. Whether employees bring their own devices to work or take a company-provided laptop home, the risks are the same.
Consider this scenario: you use a tablet at work to access your company database, or to open documents sent to you for review in a Dropbox folder. There is plenty of sensitive information in both places, but you need to log in to reach it. You have chosen "remember this password" or "stay logged in" on your device because, after all, it is a private device and no one else uses it.
Except that, when you get home, your elementary-school-age child borrows the device to do some homework and visit a few social networking sites. You are not worried, because you have checked that those sites are age appropriate and you have taught your kid not to post personal information. But, unbeknownst to you, he plays a few games, clicks some links to answer a few fun quizzes, accepts some friend requests from people who are "friends of friends" and, unbeknownst to him too, downloads malware onto the device.
Over time, that malware finds its way, through your saved passwords or still-open login sessions, into the sensitive information stored in your company's internal databases: HR data, financials, legal records, the software that runs site security equipment, and more. A remembered password or a session that never expires works just as well for the malware as it does for you, and all of that data can now be viewed, copied, manipulated, or worse.
Don’t have kids who use your devices? Your own social networking activity, even on business-related sites like LinkedIn, can have the same outcome. Anyone can open a LinkedIn account and claim to be anyone else. I got an invitation to connect last month from someone claiming to be the Prime Minister of a country (the name and photo were real, but the LinkedIn account was not). I wonder what the purpose of that phishing expedition was.
Social media use policies are important, but they simply aren't enough. As with so many other risks, the analysis of social media risk needs to be much more creative and go far outside the box. Compliance, HR, and IT need to work together now to look hard, and often, at the risks presented as social media sites evolve and cyber-crime tactics evolve with them. You can start by using the OCEG GRC Capability Model (Red Book) as guidance for establishing a strong approach to controlling risks (not just social media risk); it is free and open source.