Why social networking carries more risk than you realise
Stuart Poole-Robb, September 16, 2015
As millions of users of dating website Ashley Madison lay awake sweating about who will be reading the now freely available data on their indiscretions, those who use more innocent-seeming social networking sites should not breathe a sigh of relief just yet.
Social networking sites such as Facebook and its professional cousin LinkedIn also represent a potential treasure trove for cyber criminals and terrorists. Those who imagine that the most they have to fear is their boss seeing pictures of them partying should think again.
Typically, hackers use social networking sites such as LinkedIn, Facebook and Twitter to follow the movements of key executives, and learn about their personal habits and style of messaging, in a process known as 'social engineering'. This kind of information can, for example, be particularly useful for cyber criminals when it reveals a key member of staff may be travelling or working remotely.
Thus armed, the organised criminal gangs (OCGs) then go 'spear phishing' and send employees what appear to be bonafide internal emails from their boss or a trusted colleague. These can involve money transfers to the cyber criminals' bank accounts and/or requests for confidential information.
For example, someone might receive a message appearing to come straight from their CEO, asking to be reminded of the company log-in details. Only one member of staff has to fall for this on a single occasion to enable a massive cyber breach, frequently with devastating long-term consequences for the organisation concerned.
KCS' case files reveal that law firms and companies within the investment sector are increasingly being targeted by OCGs. In May Zurich Insurance Group also warned that law firms were being targeted by fraudsters impersonating banks, often late on Friday afternoons.
Staff, particularly those in key posts, should be actively discouraged from discussing company business on social networking sites such as Facebook or LinkedIn. Failure to do this makes it simple for the hacker to engineer an attack as a request for information relating to the dates of an overseas trip, for example. It is also important that staff immediately report lost phones and other communications devices as a call or message seemingly from a trusted colleague (but really a hacker who has the device) can carry a validity a communication from an unknown source would not.
Too many small- to medium-sized organisations still labour under the dangerous delusion that they have little worth stealing and are below the range of OCGs. This is not true. Not only do they hold cash but they also often have clients or contractors whose databases are being targeted by OCGs.
Stuart Poole-Robb is the chief executive of business intelligence and a cyber security adviser at corporate security and risk intelligence firm KCS Group