Monday, 12 February 2018

Could Social Media Be Your Security Weak Spot?

Our easy acceptance of social media and willingness to upload information about our lives creates potential for hackers and phishing attacks.

Social media is so much a part of our lives these days, both personally and in business.

But our easy acceptance of it and willingness to upload information about our lives creates potential for hackers and phishing attackers to exploit the information we share. How should businesses protect themselves?

Hawaii Emergency Management Agency probably thought it couldn’t get much worse after the wrong link was clicked on a control screen – sending thousands of Hawaii residents and tourists into full-scale panic over an imminent incoming missile alert.

Luckily, there was no incoming missile; it was a false alarm. And the mistake was blamed on procedural error during a shift change, rather than a hack.

However, the erroneous alert unsurprisingly sparked much interest in Hawaii’s Emergency Management control centre operations – and eagle-eyed journalists spotted serious security vulnerabilities on social media. Attention focused on a photo, which accompanied an online news article on July 21, 2017, of Jeffrey Wong, the Agency's operations officer, posing in front of computer screens in the Honolulu control centre.

The screens are in place to enable control centre staff to monitor hazards – but this wasn’t what concerned the journalists. It was the password taped to the front of a monitor that really drew criticism.

When journalists highlighted the security error, social media lit up with comments pointing out other problems with the photo – including a list of employee names and contact details displayed on one monitor.

Of course, when Jeffrey Wong posed for the photo back in July, he could never have expected to fall under such media scrutiny. But the errors do highlight the ease with which social media can create new possibilities for security vulnerabilities.

Hawaii Emergency Management Agency is far from alone in making this mistake; Labour MP Owen Smith and the head of security at the 2014 World Cup, Luiz Dorea, have drawn similar criticism in the past.

Most small and medium businesses will never fall under this degree of scrutiny, of course, nor will they have as much at stake from a hack as the Hawaii Emergency Management Agency. However, that doesn’t mean that oversharing on social media doesn’t present a risk to any business. Oversharing personal data or financial information online can present opportunities for hackers or phishing scams.

Good security management comes first, of course.

In the Hawaii control centre operations, the problem arose because of poor password management – passwords should never be written down unless you can keep them secure. Taping them to the front of the monitor on which they are used does not constitute keeping them secure.

However, the failure to follow good password management procedures was exacerbated by the photo of the control room being published on social media.

Businesses therefore need to consider social media posting not just as a marketing or communications function but also within the context of information security. This means setting clear guidelines and training staff to make sure everyone understands the risks.

In particular, the staff member responsible for your commercial social media postings must check to ensure compliance with your security guidelines.

Turn off geo-location data, so it isn’t obvious where staff are posting from. Also beware of those seemingly innocent quizzes and questions on social media that lure you into revealing the name of your first school, your mother's maiden name or your first pet. These are more likely to be a method of collecting some common answers to your password reset security questions.

Although you can’t control what employees post on their private social media accounts, you may wish to consider educating staff about the benefits of setting their personal social media accounts to private status – so they can’t be found by people who aren’t within their contact groups. Regular briefings or ongoing Security Awareness Training will ensure that staff remain focused on basic security advice.

In this way, you can reduce the risk of your business being vulnerable to hackers or phishing scams.

If you would like more information about the organisational measures you should be taking to protect sensitive data then perhaps one of our consultants can help. Please call 0808 164 4142.

We can also help with cyber-security training.