As the social media landscape evolves, platforms like Twitter, Facebook and LinkedIn continue to offer an important window into brands for customers and other stakeholders. However, as the threat landscape evolves, these same accessible platforms can also act as back doors for attacks targeted at businesses and those who engage with them.
Adding to the challenge, more and more employees are accessing their own social media feeds on their corporate devices, opening up fresh opportunities for cyber criminals to take advantage.
From phishing and social engineering to malware and ransomware, there are a multitude of attack vectors that cyber attackers exploit; whatever attack is in fashion, it can be weaponised in a link. Just like any other form of cybercrime, individuals will always be susceptible to clicking on the wrong links or opening the wrong attachments believing them to be legitimate.
With a named individual to target, social media platforms can also be used as vehicles for persuasive social engineering tactics which exploit day-to-day business activity and use employees as access points for attacks on organisations.
Take LinkedIn as an example: a recruiter receives an email from a potential candidate with a link to a portfolio or a CV as a PDF. There is danger in both: malware could be embedded in the PDF, or the link could take them to an equally legitimate-looking phishing website.
Aware and equipped
With the threat landscape continuing to evolve and attacks spanning social platforms and messaging sites, awareness is without doubt the best way to mitigate the risk of social media-enabled cybercrime.
As it is most likely to be employees who are interacting with pages and posts and clicking on links on behalf of the business, staff training on risk and best practice is the logical first step – offering the potential to turn what is historically the weakest link in the cyber security chain into one of the strongest.
Properly trained, staff are not just more aware and alert to threats but also better equipped to identify them, all of which goes a long way towards mitigating the risk of attack.
To be truly effective, user training needs to be more than just a one-off session and take the form of a structured, ongoing user awareness programme.
This should include a continuous stream of information about the latest threats, what to look out for, as well as a best practice approach to managing risk. It might also feature regular simulations to highlight the different types of attacks and demonstrate how convincing cyber criminals can be in a safe and educational setting.
In addition to staff training, other simple yet effective steps to protect against threats from social media platforms might include keeping browsers up to date, using reputable and well-made plug-ins and encouraging the use of complex passwords and password managers.
In an increasingly digital world, almost any avenue through which users interact with brands via social media can be used by cyber criminals. Working with an accredited cyber security consultant such as Bridewell Consulting to keep informed of emerging cyber security threats can also go a long way to mitigating the evolving threat posed by social media attacks, as well as other new or long-standing forms of cybercrime.
For more information, get in touch with the team today.
Written by James Smith – Principal Security Consultant & Head of Penetration Testing.