Employee Social Media Use Requires Extra Security Layer
By Robert Freeman, Senior Vice President, Sales & Customer Success at SafeGuard Cyber
Intelligence this past month from MI5 in the United Kingdom revealed that some 10,000 nationals have been targeted on LinkedIn by fake profiles tied to hostile nation-state threat actors. This should not come as a surprise. LinkedIn is used as a lure by foreign intelligence operations emanating from Russia, China and North Korea. Given the vast number of people using social media today without any security applications, attacks against vulnerable users will not abate any time soon.
When social media users receive a connection request, link, or attachment from somebody who looks like a trusted source, they often don’t hesitate to click to open or accept. When the connection request or message is sent by a bad actor, unsuspecting people can instantly put their organizations at risk, often without realizing it.
Threats abound on social media. From fake accounts seeking to gain your trust, to nefarious message content that can detonate phishing attacks or malware, users of LinkedIn and other social media networks are often at risk and can be baited into leaking out personal information or sensitive company data.
In the current work-from-anywhere climate of modern business, corporate executives and their employees alike have turned to social media, mobile chat, and collaboration apps to communicate with their teams and interact with customers. Some of these applications are owned by their enterprises, others are not.
For years, organizations have protected their corporate email with enterprise-grade security to safeguard employees against phishing attacks and other threats. We all understand that IT owns email and manages it. Typically, collaboration applications set up in Slack, Zoom, and MS Teams are overseen by network administrators, but social media channels and mobile chat applications used by individual employees, such as LinkedIn, Facebook, and WhatsApp, are not owned by enterprises. Organizations possess no security or compliance governance over them.
As a result, many social applications that are being used for business purposes are not protected against threats. Essentially, humans using these third-party tools are the new endpoints, and traditional network security boundaries have been rendered meaningless.
So, where does this leave security and compliance teams looking to protect their employees who are using cloud-based communication tools for business purposes that are unsanctioned by the enterprise?
Educating employees on how to use social media safely is a good start. It is most advisable that they never accept social media connection requests or click on links that they feel uncomfortable about. For example, the “Think Before You Link” program advocated by the United Kingdom’s Centre for the National Protection of Infrastructure (CPNI) is commendable for encouraging individuals to report suspicious profiles and remove them from their network.
Unfortunately, such steps could be a case of too little, too late, especially if somebody’s social media account has already been compromised and bad actors have already infiltrated their personal or professional networks. Protecting your employees who use social media cannot rely solely on intuition or guesswork to determine which accounts are safe for them to engage with.
Today’s innovative security and compliance teams are partnering with their employees and directing them to a layer of security that can help them avoid falling prey to unsafe connections, social engineering attacks, malware, and other social media threats. The best way to protect employees in their use of social media is to adopt a technology that can do the following:
- Identify bad actors the moment they attempt to connect or follow an account;
- Detect and remediate malicious links and files in posts and DMs;
- Secure employees from account impersonations and takeovers;
- Respond to risks without exposing private message contents.
The volume and velocity of communications taking place today on LinkedIn and other social media, mobile chat, and collaboration applications often far eclipse the daily communication going through company email. Brands now owe it to themselves to ensure that they are protecting their employees on cloud-based applications just as they do inside their networks. This requires providing them with an additional layer of security for all communication channels that fall outside of the network security perimeter.
The problem today is that employee social media accounts being used heavily for business purposes are neither monitored nor managed. It makes sense to apply the same level of visibility and security that enterprises have today on email to all communication channels. These unprotected vectors are being leveraged to gain access inside your organization.