Enterprise IT Security in the Age of Instagram
Scroll through your LinkedIn feed and you’re bound to see a plethora of posts about first days at new jobs. The many #firstday pics include welcome swag, selfies with co-workers, and always the employee’s ID badge. In a trend called ‘badge bragging,’ new employees are posting their badges for all the world to see, including hackers.
Criminals are taking these badge images from social media and getting creative to produce their own fake badges, complete with bar codes and other identifying information. They then use the cloned badge to enter an organization’s locations and gain access to a multitude of secure information.
Oversharing on social media has been around since the days of MySpace. People love to post not only about new jobs but also about all that is happening in their lives. And lately, the personal and the professional have been overlapping with the prevalence of working from home. The boundaries of social media have become blurred as colleagues are tagged as LinkedIn connections and Instagram pics feature the weekly office happy hour.
The Social Media Threats for Enterprises
Around seven in ten Americans use social media. And it’s not just the young and unaware intern who is on social media, since usage by older adults has increased in recent years. YouTube and Facebook are the most widely used platforms, with less traction for sites such as Twitter, Pinterest, Instagram, and LinkedIn.
All those social media users are sharing lots of details about their personal and professional lives: 32% of employees post business travel photos and updates, and 36% share information about their jobs. Hackers then take this information and use it as the basis for social engineering, phishing attacks, or accessing passwords. It is common for employee passwords to contain something they are familiar with, and 21% of people use information like their favorite football team, their pet’s name, or birthdays when creating passwords, which is the exact same information they tend to share on social media. This readily available information is also usually used in security check questions such as ‘what’s your mother’s maiden name?’.
It’s not just the popular social media sites that pose threats. Hackers are using information from company review sites such as Glassdoor for phishing activities. One hacker, who is hired by companies to find gaps in their security, saw complaints online about a business’s parking situation. The hacker took advantage of the parking frustration and sent employees an email about the new parking policy with a malicious attachment.
Securing Enterprise Systems Against Social Media Threats
Social media threats have moved far beyond preventing the posting of pics of the drunken CEO at the office holiday party. Much of the social media security by enterprises centers on preventing human error through the education of employees. IT should share information about these three areas, which cybercriminals are using to infiltrate organizations via social media:
- Password policies: Educate employees on how to create strong passwords that will not be vulnerable to attack. Don’t allow email systems to accept minor changes to passwords as updates, since 49% of employees only add a digit or change a character in their password when required to update it.
- Phishing attacks: LinkedIn is used by many professionals for networking and job opportunities. Recently hackers have been using spear phishing techniques on LinkedIn to lure in victims with fake job offers. Keep employees informed about how to avoid phishing attempts like this by teaching them to look closely at email links and attachments.
- Social media monitoring: There is a fine line between playing big brother and allowing employees to post what they wish. Teach employees to think before they post, such as by taking a close look at the backgrounds of photos to make sure there are no passwords on the office whiteboard.
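One way to enforce the password-policy point above at password-change time, as an added example that is not part of the original article: it rejects a new password that is only a minor edit of the old one, or that contains details the employee is likely to have shared publicly. The function names, the thresholds and the `personal_tokens` list (for instance, values from the user's directory record) are assumptions, and the check assumes the user supplies the current password during the change.

```python
import re

MIN_DISTANCE = 4    # assumed threshold: fewer edits than this counts as a "minor change"
MIN_TOKEN_LEN = 4   # assumed: ignore very short tokens to limit false positives


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(text: str) -> str:
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password_change(old: str, new: str, personal_tokens: list[str]) -> list[str]:
    """Return reasons to reject `new`; an empty list means it passed both checks."""
    reasons = []
    if edit_distance(old.lower(), new.lower()) < MIN_DISTANCE:
        reasons.append("too similar to previous password")
    flat = normalize(new)
    for token in personal_tokens:
        needle = normalize(token)
        if len(needle) >= MIN_TOKEN_LEN and needle in flat:
            reasons.append(f"contains personal detail: {token}")
    return reasons


if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    tokens = ["Packers", "Biscuit", "1990-04-12"]
    for new in ("Packers2024!", "Biscuit0412#", "plum-Vortex-quarry-81"):
        print(new, "->", check_password_change("Packers2023!", new, tokens) or "accepted")
```
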
The Importance of Having an Enterprise Social Media Policy
Most companies have some sort of social media policy, but typically these documents are shown to new employees as part of a welcome packet and then never seen again. In a survey of SMB owners, only 30% said their company had issued new guidelines on the use of social media applications on devices used for work. Social media policies should be ever-evolving and updated every few months to keep up with new threats and the latest developments in social media.
The legalities of social media policies fall under the National Labor Relations Board (NLRB). Under the National Labor Relations Act, employees are free to discuss working conditions and their employment-related terms with those inside and outside their organization. In January 2021, the NLRB approved a California ambulance company’s implementation of a social media policy that prohibited employees from “inappropriate communications” about the company.
A company’s IT, human resources, and social media marketing teams should all be involved in crafting a social media policy. Make sure to include what is considered acceptable conduct and the consequences if the policy is violated. Have clear guidance about what employees can post about the company that is not considered proprietary. And of course, no badge bragging.
Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting.