Social Media

Executive Summary

From local corner shops to global organizations, social media has had a transformative effect on marketing, customer service, knowledge-sharing, and even recruitment and hiring. Companies need to leverage social media to maintain their visibility and build closer relationships with their customers. However, the ability to engage instantly with millions of people around the world also comes with risks. So how can companies mitigate the risk of using social media in business?

While marketing leaders tend to be nervous about employees saying the wrong thing on branded social channels, most enterprise security teams still haven’t come to terms with the reality of social media cyber security threats. Social networks are among the easiest platforms to exploit. Cybercriminals routinely use them for carrying out spear-phishing attacks or conducting research into potential victims for use in targeted social engineering attacks.
 
Bad actors go where they know critical mass exists: volumes of data records, personally identifiable information (PII), and users. Social media checks every box.
 
Despite the risks, avoiding social media altogether is neither realistic nor desirable from a business perspective. At the same time, it is also unrealistic to completely eliminate the risks. What companies can do, however, is ensure that their marketing, security, compliance, legal, and support teams have a thorough understanding of the risks of using social media.

To manage these new digital risks on social media, organizations need enhanced visibility into official and unofficial channels. You can learn more about this in our webinar with the CMO of Capital One, Peter Horst. Companies also need the ability to act against threats in real-time, at the scale of social. They need a full picture of threats to official brand channels to remediate compromised accounts and prevent data loss.

Organizations also need visibility across channels beyond their own accounts: unofficial social channels, the deep web, and the dark web. While social media is a primary threat vector, today's cyber attacks are complex and multi-channel, so defenses cannot be siloed.
 
To secure social media, enterprises will need an overarching security strategy, powered by the right technology, to maintain complete visibility and mitigate risk.

Social Media Risk Assessment: What Does Your Attack Surface Look Like?

Social media benefits and risks for companies are simultaneous. The capability to reach millions instantaneously also means the attack surface is ever-present and effectively without limit. Naturally, risk increases along with the number of employees who have access to your branded social media profiles, the number of followers you have, and the variety of platforms you use. Many US businesses use social media not only for brand-building and marketing, but also for offering customer support, or recruiting and hiring talent.
 
“The more ingrained social media becomes with core business processes, the further the attack surface expands.”
 
While most business leaders recognize the importance of properly training their employees in social media reputation risk management, training is merely the first step. The challenge lies in the fact that social media channels exist beyond conventional network and endpoint perimeters, and beyond CASB controls. You can protect your own digital assets with relative ease, since you control them. Social channels are different: major data breaches and instances of general misuse make headlines all the time, and in-platform privacy and security settings are controls you neither own nor audit. That is why businesses need a formalized social media security policy enforced by technological and administrative controls. Organizations need full control over their social media accounts to keep this enormous attack surface comfortably far from confidential data, intellectual property, and brand reputation. Defining the risks of your social media attack surface is the first step. Next, we examine the common risks:
 
Account Impersonation
The major social networks are fighting a constant battle to protect their platforms from hackers and spammers. Given the size of networks like Facebook and Twitter, it’s a monumental job that will never be done. Moreover, no matter what any single platform does, brands must secure a cross-channel social presence.
 
Fraudulent accounts are rife on all mainstream social networks. Facebook even admitted in 2017 that there were 270 million fake or clone accounts on its network. It has since taken steps to curb the tide of these malicious accounts by introducing policies to compel personal and business users alike to get verified. Indeed, these initiatives have enjoyed some success, with the network taking down 1.3 billion accounts in just half a year.

For legitimate brands, fake and fraudulent accounts aren’t just a nuisance – they’re a menace with potentially disastrous consequences. For a start, accounts that impersonate legitimate brands are routinely used by criminals to carry out social engineering scams against customers. For example, Bank of America (BoA) was impersonated on Twitter by a criminal using the handle @BankofAmericaH1. By masquerading as a branded BoA account page, the scammer attempted to dupe people into running a ‘security check’ for their accounts and, in doing so, unwittingly surrender their online banking login credentials.
 
Even in cases where direct financial gain by way of outright theft isn’t the core motivator, account impersonations are often used in other ways that damage legitimate brands. For example, you may have noticed social media pages with thousands of followers yet almost nothing in the way of comments or even likes. That’s because the followers aren’t really people at all – they’re fake social media accounts. Sometimes attackers working for unscrupulous competitors send large numbers of these fake followers to brand pages belonging to legitimate companies as a way to sabotage their reputations.
 
Account Takeovers

Account Takeover (ATO) attacks give an attacker a choice. The hijacked account can be used outwardly, for example to launch phishing scams against the brand's customers. The more insidious option is a silent takeover, which poses a huge risk for businesses using social media. With access to social accounts, attackers can often pivot into an organization's back end or into other cloud-hosted services such as Dropbox, where marketing teams may keep shared assets. From a taken-over account, attackers can also spread malware "under the radar" to company employees and other contacts through direct messages. This is precisely how the Turkish hacker group Ayyildiz Tim launched and quickly spread a coordinated ATO attack against high-profile media accounts on Twitter.

While a company with just one or two accounts might not have much to worry about in this respect, larger organizations often have a much wider social attack surface due to the sheer number of accounts they operate. For example, a company might have multiple accounts on various platforms for different departments, lines of business, or even for individual high-profile employees. That’s when it becomes critical to ensure that none of these accounts end up compromised. As more front- and back-office operations move onto social platforms, so does the risk that a compromised account exposes sensitive data.

Brand and Reputation Risks
In many organizations the greatest threat to a brand’s reputation comes from within, even in cases where the intention isn’t malicious. Companies have a responsibility to their customers and their brands to control what’s posted on social outlets, but there have been numerous cases when they’ve failed spectacularly to do so.
 
Given the reach of today’s social networks and the fact that anything can be shared among millions in the briefest of moments, a single blunder is often enough to cause lasting damage to brand reputation. Since brands are culpable for the content that ultimately appears on their social media pages, it doesn’t make much difference in terms of brand damage whether the account was hacked, or the content was posted by an employee. With built-in audiences in the millions, the effects are much the same. Social media risk management plans are imperative to protect against these threats.
 
This was the case with luxury retailer Dolce & Gabbana's claims of account takeover when racist and insensitive Instagram DMs were made public in November 2018. The brand's apology fell on deaf ears, and the company was forced to cancel a multimillion dollar show meant to launch the brand into the coveted Chinese market. The resulting consumer anger also forced Chinese e-commerce retailers to pull D&G goods on the eve of Black Friday. Calls for boycotts followed.
 
Dolce & Gabbana's claims of a hack, whether true or not, ultimately did not matter. Having failed to protect the brand's and the founder's accounts, the company suffered reputational consequences that battered the bottom line and complicated its strategy for expansion into the Chinese market.
 
Spear Phishing & Data Loss

Most people know not to post confidential information on social media, but even non-private information can pose a danger. On one hand, social platforms want to collect as much data about their users as possible for advertising purposes. On the other, the public availability of such data also makes things easier for attackers.

Generic phishing scams sent en masse are declining because they are not very effective against users who have learned to spot them. Instead, more enterprising criminals go after specific targets based on what they know about their prospective victims. In some ways, this mirrors the processes legitimate businesses use for targeted advertising. However, criminals will use what they’ve learned about a target to impersonate someone the target already knows. By demonstrating knowledge about the individual, they are better placed to build trust and dupe the unsuspecting victim into taking a desired action, such as giving away confidential information or downloading a malicious file.
 
Through a long courtship on Instagram, Facebook, and then finally moving to LinkedIn, "Mia Ash," a fake profile created by Iranian proxy hacker group OilRig, convinced target employees at a global consultancy to download a resume file infected with a malicious macro that installed PupyRAT malware. Similarly, attackers presumed to be associated with the North Korean-sponsored Lazarus Group were able to target employees in defense and financial services industries via LinkedIn. Victims were asked to download an application program that installed a secondary memory implant to exfiltrate data.
 
Compliance & Legal Risks

“Companies in certain industries are legally required to maintain an archive of social media communications as part of overarching record-keeping obligations.”

Businesses are often quick to blame social platforms or hackers when something goes wrong, but the fact remains that most threats to digital security and compliance come from within. It’s no good trying to pass the blame either, since compliance with industry regulations is the responsibility of the company and not of any third party. As such, creating a strong culture of accountability through regular awareness training is essential, as well as a legal requirement in many industries.
 
Some organizations are also required to retain archives of all communications, including those on social media. Relying on the platform itself to do that for you isn’t an option either, since you have no control over whether or not it meets the data-integrity and archiving standards demanded of your industry.
 
Even if your business isn’t required to retain such records, there are compelling reasons to do so. Given the volume of posts and conversations between brands and their customers on social media, the only practical way to manage that exposure over the long term is a reliable record of everything you have ever posted. Such a record is valuable when the company faces a legal challenge or dispute, which can arise long after the content in question was posted and deleted.
 
Occasionally, compliance failings can take an unexpected turn, as one corporate banker found out in 2017 when he used a branded LinkedIn account belonging to SunTrust to send an explicit photo to a prospective hire. The case resulted in a sexual harassment lawsuit, along with charges for negligent retention and intentional infliction of emotional distress.
 

4 Steps Toward Mitigating Social Media Risks

Armed with a thorough understanding of your social media attack surface, you must develop a documented protocol to mitigate the risks. Ensure employees are fully aware of the policies and procedures. Administrators must also implement a comprehensive solution for enforcing these measures.

Step 1: Gain Visibility into known & unknown Social Media Assets

You can’t protect your house if you don’t know how many rooms it has. One of the most important components of any social media security strategy is an all-encompassing approach that provides complete visibility into your digital assets.
 
Start by identifying every social media account belonging to your brand across all departments. This should be a shared responsibility of the CIO/CISO and the CMO, since the latter usually owns the teams managing social media channels. Your policy should also make explicit that access is revoked immediately when employees leave the business and that inactive accounts are closed. A clear inventory of social pages and accounts will clarify your company’s potential social media risk.

Step 2: Establish Control Over Brand Assets

A robust cybersecurity strategy typically starts with the principle of least privilege, by which users only have access to the systems and data that are necessary for their jobs. In the case of social media, there’s no reason to give everyone in the marketing department access to all the accounts you use.
 
Identify and limit the number of social media users and their access rights in your company. Many businesses have a social media manager who takes charge of all posts, even if they’re written by someone else. Similarly, businesses usually only need one person to answer customer complaints on social media. The degree of freedom you should give your employees will vary depending on factors like training and the size of the business.
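The inventory and least-privilege checks in Steps 1 and 2 reduce to a periodic reconciliation: the account inventory against the HR roster, admin counts against a ceiling, last activity against an inactivity threshold, and the inventory against what a search of the platforms actually turns up. The Python below is an added example written for this page, not SafeGuard Cyber's code or any platform's API. The inventory, roster, discovered-account list, audit date and the 90-day / two-admin thresholds are all constructed assumptions.

```python
"""Audit a brand's social-account inventory for access, hygiene and unknown assets.
Added example; every record and threshold below is constructed for illustration."""
from datetime import date

INACTIVE_DAYS = 90   # assumed: an account silent this long should be closed or justified
MAX_ADMINS = 2       # assumed: ceiling on full-control users per account
AUDIT_DATE = date(2024, 5, 15)  # constructed "today" so the example is reproducible

# Constructed inventory: one record per account the company knows it owns.
INVENTORY = [
    {"platform": "twitter", "handle": "@AcmeCorp", "owner": "marketing",
     "last_post": date(2024, 5, 2),
     "access": {"alice": "admin", "bob": "admin", "carol": "admin", "dave": "publisher"}},
    {"platform": "linkedin", "handle": "Acme Corp", "owner": "recruiting",
     "last_post": date(2024, 5, 1),
     "access": {"erin": "admin", "frank": "publisher"}},
    {"platform": "instagram", "handle": "@acme_events_2019", "owner": "events",
     "last_post": date(2023, 9, 14),
     "access": {"gina": "admin"}},
]

# Constructed HR roster of current employees ("frank" has left the company).
ACTIVE_EMPLOYEES = {"alice", "bob", "carol", "dave", "erin", "gina"}

# Constructed result of searching each platform for the brand name.
DISCOVERED = [
    ("twitter", "@AcmeCorp"),
    ("linkedin", "Acme Corp"),
    ("instagram", "@acme_events_2019"),
    ("tiktok", "@acmecorp_official"),
]


def audit(inventory, active_employees, discovered, today=AUDIT_DATE):
    """Return a list of (finding_type, account_label, detail) tuples.

    Finding types: REVOKE_ACCESS (departed user still has access), EXCESS_ADMINS
    (least-privilege ceiling exceeded), INACTIVE_ACCOUNT (no post within
    INACTIVE_DAYS) and UNKNOWN_ASSET (seen on a platform but not in inventory)."""
    findings = []
    known = {(acct["platform"], acct["handle"]) for acct in inventory}

    for acct in inventory:
        label = f'{acct["platform"]}:{acct["handle"]}'

        # Anyone with access who is no longer on the HR roster must be removed.
        for user in sorted(set(acct["access"]) - active_employees):
            findings.append(("REVOKE_ACCESS", label, f"{user} is no longer an employee"))

        # Too many full-control users violates least privilege.
        admins = sorted(u for u, role in acct["access"].items() if role == "admin")
        if len(admins) > MAX_ADMINS:
            findings.append(("EXCESS_ADMINS", label, f"{len(admins)} admins: {', '.join(admins)}"))

        # Dormant accounts are unmonitored attack surface.
        if (today - acct["last_post"]).days > INACTIVE_DAYS:
            findings.append(("INACTIVE_ACCOUNT", label, f"last post {acct['last_post']}"))

    # Anything found on a platform that the inventory does not know about is
    # either an unregistered team account or an impersonation; both need action.
    for platform, handle in discovered:
        if (platform, handle) not in known:
            findings.append(("UNKNOWN_ASSET", f"{platform}:{handle}",
                             "not in inventory; verify ownership or report as impersonation"))
    return findings


if __name__ == "__main__":
    for kind, account, detail in audit(INVENTORY, ACTIVE_EMPLOYEES, DISCOVERED):
        print(f"{kind:17} {account:30} {detail}")
```

In practice the inventory and access maps would be pulled from the platforms' business tooling and the roster from the HR system, and the run would be scheduled rather than hand-fed; the reconciliation logic is the part that does not change.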

Step 3: Respond to Threats in Real-Time

Conflict can escalate in seconds on social media, as the examples we’ve explored here have demonstrated. Whether an attacker attempts to take over your Twitter account, or a botnet is summoned to downvote your videos on YouTube, you need an established social media security protocol in place to deal with the matter before it gets out of control.
 
Real-time detection of malicious content or account takeover attacks is the first step. Minor threats can typically be dealt with using pre-approved responses, while more serious conflicts may need intervention from specific members of your team. Ensure you have the ability to lock down accounts, quarantine malicious content, or revert account profiles in the event of compromise.

Step 4: Protect Assets with a Proactive Defense

Your enterprise should also look to proactively monitor cyber threats or risks to brand reputation from imposter social media accounts. This can include scanning the deep and dark web, or searching in overlooked areas like app stores or e-commerce sites. Security is just as much about adapting to new and emerging risks before they become active threats.
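One concrete piece of the proactive monitoring described here, and of the account-impersonation risk covered earlier (the @BankofAmericaH1 case), is deciding whether an observed handle is a lookalike of one of your official accounts. The Python below is an added example for this page, not the vendor's code or a platform feature. The official-handle inventory, the sample feed, the decorator-word list, the confusable-character mapping and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
"""Flag social-media handles that look like impersonations of a brand's
official accounts.  Added example; all handle data below is constructed."""
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher

# Official brand handles per platform: a constructed inventory, not a real one.
OFFICIAL_HANDLES = {
    "twitter": ["@BankofAmerica", "@BofA_Help"],
    "instagram": ["@BankofAmerica"],
}

# Words scammers commonly bolt onto a brand handle (assumed, not exhaustive).
DECORATORS = ("official", "verified", "support", "service", "help", "care", "team", "hq")

# Digits that visually stand in for letters (assumed mapping; Unicode's
# confusables.txt is the fuller source for production use).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

LOOKALIKE_THRESHOLD = 0.85  # assumed similarity above which a handle is reported

# Constructed sample of handles seen by a monitoring feed: (platform, handle).
SAMPLE_FEED = [
    ("twitter", "@BankofAmerica"),
    ("twitter", "@BankofAmericaH1"),
    ("twitter", "@B4nk0fAmerica_Help"),
    ("instagram", "@bankofamerca.official"),
    ("twitter", "@bank_of_ireland"),
]


def canonical(handle: str) -> str:
    """Lower-case, drop '@', accents and separators: '@BofA_Help' -> 'bofahelp'."""
    text = unicodedata.normalize("NFKD", handle.strip().lstrip("@").lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", text)


def core_name(canon: str) -> str:
    """Strip trailing digits and decorator words, then fold confusables, so that
    'b4nk0famericahelp' reduces to 'bankofamerica' and 'bankofamericah1' to
    'bankofamericah'."""
    core = re.sub(r"\d+$", "", canon)
    stripped = True
    while stripped:
        stripped = False
        for word in DECORATORS:
            if core.endswith(word) and len(core) > len(word):
                core, stripped = core[: -len(word)], True
            if core.startswith(word) and len(core) > len(word):
                core, stripped = core[len(word):], True
    return core.translate(CONFUSABLES)


def classify(handle: str, platform: str) -> tuple[str, str | None, float]:
    """Return (verdict, closest_official_handle, similarity).

    'official'  : exact match with the inventory after canonicalisation.
    'lookalike' : same core after stripping decorators/confusables, or a
                  near-identical core (typosquat) above LOOKALIKE_THRESHOLD.
    'unrelated' : everything else."""
    officials = OFFICIAL_HANDLES.get(platform, [])
    canon = canonical(handle)
    for official in officials:
        if canon == canonical(official):
            return "official", official, 1.0

    candidate = core_name(canon)
    best_official, best_score = None, 0.0
    for official in officials:
        score = SequenceMatcher(None, candidate, core_name(canonical(official))).ratio()
        if score > best_score:
            best_official, best_score = official, score

    if best_official is not None and best_score >= LOOKALIKE_THRESHOLD:
        return "lookalike", best_official, round(best_score, 3)
    return "unrelated", best_official, round(best_score, 3)


def triage(observed: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Run classify() over (platform, handle) pairs; return (platform, handle,
    impersonated_official) for every lookalike so an analyst can file takedowns."""
    hits = []
    for platform, handle in observed:
        verdict, official, _ = classify(handle, platform)
        if verdict == "lookalike":
            hits.append((platform, handle, official))
    return hits


if __name__ == "__main__":
    for platform, handle, official in triage(SAMPLE_FEED):
        print(f"possible impersonation on {platform}: {handle} (mimics {official})")
```

The canonicalisation step matters more than the similarity measure: most impersonations are the real handle plus a suffix or a digit-for-letter swap, which exact matching misses and plain edit distance under-weights. `SequenceMatcher` is used here only because it ships with the standard library; a production feed would add the platform's own account metadata (creation date, follower count, verification state) before deciding to report.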
 
Use your company protocol to outline the expectations regarding how your employees should behave, and be sure to add an additional section dealing with the use of personal accounts. For example, some companies require employees to disclose their affiliations when discussing work-related matters on their personal social media pages. Finally, when commenting on matters of business, even those authorized to speak for your brand must clearly state that their own views are not necessarily those of the company they represent.

Key Takeaway

A company present on Facebook, Twitter, and LinkedIn may have 100,000 posts to review each week and tens of thousands of accounts. If a human needs only one minute to review a post and take appropriate action, that is roughly 1,670 hours of work per week, or more than 40 people working 40 hours each.
Final Words
Easily the biggest challenge is coping with the scale of risks. Social media is vast. It’s impossible for administrators to monitor every post, share, like, and response manually. Yet, given the in-the-moment nature of the medium, it’s imperative you know immediately when something’s amiss and are able to take action just as quickly. A minute too late is often all it takes to become the latest headline in the long list of reputational debacles or, worse still, find your company facing a costly breach.

Businesses need to extend their perimeter to include social media, which remains invisible to most security teams. To make it happen, you’ll need a way to monitor every bit of information that leaves your business through both private and public channels. Your goal is to reduce risk and mitigate attacks before they start.

SafeGuard Cyber was developed to eliminate the need to manually monitor social channels, as well as others like mobile chat, and collaboration platforms. Instead, it provides the tools administrators need to enforce their policies while automation helps teams cope with scale and prioritize the risks that matter most.
 