Whether your employees use the same device for work-related tasks and participating in social media sites or keep these activities separate, there are several risks to your company's network that can originate from these platforms. These risks include:
- Phishing/social engineering - The best way for a hacker's phishing email to succeed is to make it look like it comes from a trusted source, which can be accomplished through social engineering built on profile details and other information posted on social network pages. For example, a hacker can use an employee's posts about attending a presentation at a trade show to start a conversation about a topic covered in that presentation, having looked up the details in the trade show's online schedule. The hacker can then send a malware-loaded attachment, claiming it is another presentation on the same topic.
- Shortened URLs on Twitter - The 140-character limit on Twitter makes shortened URLs seem natural, but these links can direct employees to sites designed to mine the accessing device for information. If the malicious site is visited from a device that also accesses company assets such as the network, data storage, or infrastructure, hackers can gather enough information to proceed with a damaging intrusion.
- Clickjacking - This practice is designed to trick people into clicking on links promising the "funniest video ever", for example, which then take them to malware-loaded web pages or to surveys where private information may be disclosed. This information can then be used to guess potential passwords as well as the answers to security questions, such as a mother's maiden name, in order to gain access to company networks.
- Downloading malicious apps - Whether the draw is a social game such as "Farmville", music downloads, or any of a variety of other purposes, apps are constantly being downloaded to mobile devices. Unfortunately, many of them carry malware designed to search the device for passcodes, access keys, and other information that may reside on it. To make matters worse, this kind of malware can send itself out to the employee's contact list, multiplying the amount of information that can potentially be exfiltrated.
One of the first steps for businesses in managing the risks related to their employees' participation on social media sites is to develop policies on what may and may not be communicated on these platforms. The second step should be the implementation of ongoing education on the risks involved in social media participation, as well as techniques to mitigate those risks.