The world trusts social media. Facebook is among the most valuable companies in the world, with its brand alone estimated at more than $50bn. Twitter ended its IPO with a market capitalization of over $25bn and Microsoft paid the same price for LinkedIn earlier this year.
Investors have clearly placed their faith in social media companies, and consumers are no different. Data suggests that people trust social media more than all other forms of advertising, and more importantly that “consumers implicitly trust people’s activity on social media more so than on any other communications channel”.
For the security-minded, this trust brings with it a great deal of risk.
High profile social media vulnerabilities
While managers concerned about productivity sometimes decide to filter social media use on corporate devices, the security factors aren’t always considered. In fact, social media data breaches are becoming more common.
Hammertoss was a notorious malware backdoor that made use of a Twitter exploit, and TechCrunch reported in June that login details for 32 million Twitter accounts were available for sale on the dark web.
Similarly, more than six million LinkedIn users had their information leaked in a huge data breach starting in 2012, the full extent of which only emerged a few months ago when the company revealed that well over 150 million accounts were at risk.
Even Facebook has suffered its fair share of data breaches, eventually admitting it inadvertently exposed six million users’ phone numbers and email addresses to unauthorized viewers.
An ongoing battle
These high-profile stories are joined by smaller ones, ranging from the regular hacking of Twitter accounts like Jimmy Wales's to the alleged seizing of dormant handles, such as @ak47, @hitler and @hell. These incidents suggest that there are still a number of vulnerabilities in Twitter’s platform, despite the Californian company’s insistence to the contrary.
LinkedIn, Pinterest, Instagram, Snapchat and Facebook are no different. Facebook was the most common form of malware distribution last year, according to research from Cisco. Snapchat still suffers from a number of vulnerabilities and Instagram awarded a ten-year-old boy $10,000 for finding a vulnerability in March.
What to do about it
So social media apps present a security risk. Blocking social media apps wholesale via EMM solves part of the problem, but doesn’t prevent usage via web browsers, and can otherwise be a blunt tool for keeping employees secure. Moreover, lots of companies will consider social media either a part of work itself (e.g. professional use of LinkedIn), or an otherwise necessary part of corporate mobility policy.
The truth is that the majority of isolated security incidents on social media are carried out using social engineering techniques, exploiting that inherent consumer trust in social media.
There are many ways to have your Twitter account hijacked: clicking on phishy links; using feeble passwords instead of unique, hefty brutes; or practicing poor password etiquette by, for example, using your pet’s name or simply handing over your password to strangers.
Lisa Vaas, technology and information security writer
Organizations should consider applying additional security measures, such as two-factor login where available. Internal education programs will help employees remain wise to hacking attempts, and establishing a reaction plan to potential breaches will limit the damage caused by any uncontrollable issues. Firms that could instantly restrict LinkedIn usage in the wake of breach events were able to reduce their corporate exposure to the risk to a much greater degree than companies with only desktop or EMM security in place.
To truly build an effective social media security plan, you need to understand your external risk environment and scour social channels for cyber threats outside of your direct control—be they doxing attempts, brand impersonations, or physical security threats to your employees or top executives. This should be done while also seeking feedback company-wide and coordinating with a range of stakeholders across legal, compliance, operations, and finance to ensure that all bases are covered.
Nick Hayes, analyst at Forrester.
When selecting mobile security technologies, it’s important to look beyond EMM tools. Social media, like many other types of sites, does pose serious security risks. However, with the right security platforms and policies in place, organizations should not feel as though they are unable to empower staff with the benefits of mobile social media.