The use of social media has spread like wildfire. In the early years, it seemed to be a technology used by a few people with too much time to waste. Today, it is clear that social media can be both a source of entertainment and a business opportunity for self-employed workers and companies of all sizes.
The flip side of this coin is the new risks that social media brings to ordinary people and businesses. Criminals specialized in this area have become experts at finding useful data to create tailor-made attack campaigns, significantly increasing their success rate.
Without proper risk awareness and proportionate security measures in place, social media can become a risk factor for any business. This article explores the topic and illustrates some useful countermeasures to reduce critical issues.
Social media: how do cyber criminals use them?
Criminals’ approaches to the use of social media vary greatly. You must know all the possible attack angles to prepare an effective strategy. The main risks are the following:
- Data “mining”: Social media, by their nature, are made for sharing photos, opinions, experiences, etc. All these fragments of information can be considered pieces of a puzzle that, if reassembled, would allow a criminal organization or a single hacker to prepare a targeted attack campaign against a person or an organization. In fact, criminals collect data from several social platforms simultaneously to get a clear idea of the targeted employees’ interests, families, and social backgrounds. With this information, it is sometimes even possible to try to guess the password to access company accounts. Obviously, this doesn’t always happen, but what is certain is that data collection is the basis of any cybercriminal attack via social media.
- Social engineering: The access point to a corporate network (almost) always passes through the weaknesses of individual humans. In this context, social engineering allows hackers to design messages that lower the recipient’s attention, impersonating colleagues or authorities within the company organization chart. In the end, one click on a wrong link can be enough to compromise an entire network. As we have already seen, social networks can provide useful elements for such campaigns to make them more “human,” personalized, and, therefore, more effective.
- Planned Phishing Attacks: Social data collected by criminal organizations can be used to camouflage attack vectors. Everyone reading this knows that you should never click on a link from an untrusted source. But if the link or attachment is contained in a message that refers precisely to data or people made public through social media, the response could be emotional. Most of us can recall the case of the attack launched in 2013 on the American large-scale retail chain Target and its credit card payment circuit, based on a message in which the criminal pretended to be a person known by the recipient of the email.
- Privacy at risk: A cyber attack usually has one of two aims. On the one hand, it can be aimed at hitting the company. On the other hand, it can use the company only as a means to hit its customers. Social media can be the perfect source of information to access company records and learn more about their users. This is exactly what happened in 2018 at the Pentagon: following a compromise of computer systems, the cyber criminals managed to obtain information from 30,000 US Department of Defense employees. And this violation was not discovered until several months after the crime. Social networks can facilitate the activity of hacking into the computer network to steal sensitive information about customers or employees.
- Reputation damage: The ramifications of a cyber attack don’t necessarily stop at the narrow IT perimeter. If a company’s server is hacked and the news becomes public, the brand also suffers reputational damage and possible economic damage deriving from the real-time change in the share price. Social media can become a source for creating the attack and a tool for publicizing the attack. Therefore, companies unable to protect their customers’ data are faced with the loss of revenue resulting from the disruption to normal business and the emerging damage to reputation and IT integrity.
How to defend yourself and your business
Awareness is the starting point for any defensive strategy. Technological tools, such as a simple VPN connection while browsing social networks, can be useful allies to reduce the risk of spreading sensitive information with a high economic value. In other words, a VPN will work as an intermediary between you and the online world. This way, your sensitive data will be protected, and third parties won’t be able to reach your information.
More generally, companies should commit to training their staff with courses that include practical simulations capable of involving users from an emotional point of view, so that they respond in the right way should the need arise. Additional tools are also great. However, they cannot protect your company in situations where employees accidentally transmit information directly to criminals.