This article originally appeared in the April 2011 issue of InfoTECH SPOTLIGHT
Only a few years ago, our main communication channels in the Internet where our website-as some kind of shop window- and the e-mail as a way to talk and to exchange information.
In order to protect our company, we knew what we had to do, and which where the main attack vectors. In fact, most of the malware was coming through e-mail at that time, so having that protected as well as some network defenses (firewall, web filtering, etc.) was enough. Nowadays, even though the same tools are used, we face new challenges, being the main one that known as social networks.
From a security perspective, companies are affected by the same problems as individual users connecting to social media sites, but with potentially more devastating results. The main security concerns include:
- Identity theft. Administrators could become infected and have their profile login data and passwords compromised. This could result in anybody being able to take control of the corporate account to perform any actions, including scheduling events (on Facebook (News - Alert), for example) with malware links. Similarly, any malicious user that took control of an account could post information from a company's official profile with disastrous effects.
- Infection risks. Attackers could take advantage of instant messaging applications or the timeline feature in microblogging platforms to send users information with hidden links to malware sites. In the case of large corporations, this could result in targeted attacks specially designed to infect users’ computers in order to penetrate networks and access all kinds of information. Similarly, followers could also post malicious links on profile walls contributing to the spread of computer threats. In any event, any of these actions could clearly compromise brand integrity.
- Platform vulnerabilities. The year 2010 saw the appearance of a number of security exploits in popular social networks like Facebook or Twitter, putting millions of users at risk. As more users join these sites, there will be more researchers looking for security flaws, and many of them will unfortunately be cybercriminals.
Following good password management practices like changing them regularly and strengthening them can help protect corporate integrity. Security awareness and education as well as keeping oneself up to date on the latest security threats will help corporate profile administrators to stay alert and detect any irregular activities.
But not everything is about security. Authenticityis another concern we have to take into account. Protecting brand or digital identity should be a priority for all businesses, however, in reality neither the top social media platforms nor companies themselves seem to pay much attention to it. The fact that anybody can create a fake online profile in the name of a real business means that people could be speaking on behalf of a company without actually having anything to do with it. This could lead to the creation of communities of users 'tricked' into believing that a corporate account is authentic or even publication of information that could actually damage the brand and result in public relations disasters.
Only a few social media sites like Twitter allow users to show their account is authentic through a Verified Badge, but most of them do not include that option. It is therefore recommended to proactively register all your company trade names on the main social media sites, clearly identifying a business official communication channel if there is no other verification mechanism available.
But even managing the authenticity we will have to face the privacy issues. At the end of the day, corporate profiles are managed by administrators who can sometimes make too much information available to followers or visitors.
This information could then be used by malicious users against the company itself either online or offline. For example, they might post information about corporate finances, practices, work processes, etc. Too much risk. Also, it must be taken into account that, most of the employees use social networking during working hours and could share confidential information on there.
Having adequate training programs and social media policies will greatly help minimize the risk of confidential information leaks.