The best place to start for this entry is the opening months of the pandemic. We begin here because there was an inflection point in social media use mid-March 2020. As society-at-large was in lockdown trying to figure out what was happening, there was a nearly 25% increase in people using social media apps, according to Axios [Source: Axios]. People were looking for a way to stay connected while staying safe. With this increase in usage comes opportunity for bad actors.
Let’s focus on controls, first.
We’ve been party to account takeovers. This is when a bad actor, either through phishing or stolen login credentials, accesses your account. Once they have access, they delete your phone number and email address and replace them with their own. Not only does this lock you out of your account, it starts a chain reaction. The bad actor then starts looking for other accounts you hold to compromise. One goal is to gain access to financial accounts you hold. Also, technically speaking, if you manage your social media business page, or have allowed others to act on its behalf, the bad actor has access to the business account if the account takeover is successful. To reduce the risk of an account takeover, ensure your organization has password policies in place and that two-factor authentication is enabled. These are far from exhaustive recommendations, but they are enough to get you started.
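The takeover chain just described (sign-in, then the recovery phone and email are swapped out) leaves a recognizable trail in an account's security audit log. The following Python is an added example, not code from the original post or from any platform; it assumes a hypothetical audit-event format (account, timestamp, event type, source IP) and uses constructed sample events. It flags an account when both recovery contacts change within a short window of a login from an address that account has never logged in from before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical format, not from the post).
# Each record is one account-security event as an identity provider might log it.
SAMPLE_EVENTS = [
    # Legitimate user: updates one recovery contact from a device seen before.
    {"account": "alice", "ts": "2021-04-10T08:00:00", "event": "login", "ip": "203.0.113.10"},
    {"account": "alice", "ts": "2021-04-12T09:15:00", "event": "login", "ip": "203.0.113.10"},
    {"account": "alice", "ts": "2021-04-12T09:20:00", "event": "recovery_email_changed", "ip": "203.0.113.10"},
    # Takeover pattern: login from a never-seen address, then the recovery
    # phone and email are both replaced within minutes.
    {"account": "bob", "ts": "2021-04-10T18:00:00", "event": "login", "ip": "198.51.100.7"},
    {"account": "bob", "ts": "2021-04-13T02:41:00", "event": "login", "ip": "192.0.2.55"},
    {"account": "bob", "ts": "2021-04-13T02:43:00", "event": "recovery_phone_changed", "ip": "192.0.2.55"},
    {"account": "bob", "ts": "2021-04-13T02:44:00", "event": "recovery_email_changed", "ip": "192.0.2.55"},
]

RECOVERY_EVENTS = {"recovery_email_changed", "recovery_phone_changed"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def detect_takeover_pattern(events, window=timedelta(minutes=30)):
    """Return one alert per account whose recovery email AND recovery phone were
    both changed within `window` after a login from an IP with no prior login
    history for that account. Events may arrive in any order."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event["account"]].append(event)

    alerts = []
    for account, account_events in by_account.items():
        account_events.sort(key=lambda e: parse_ts(e["ts"]))
        known_ips = set()  # login history seen so far, built in time order
        for index, event in enumerate(account_events):
            if event["event"] != "login":
                continue
            first_time_ip = event["ip"] not in known_ips
            known_ips.add(event["ip"])
            if not first_time_ip:
                continue  # a familiar device changing contacts is not this pattern
            login_time = parse_ts(event["ts"])
            # Collect recovery-contact changes that follow this login inside the window.
            changed = {
                later["event"]
                for later in account_events[index + 1:]
                if later["event"] in RECOVERY_EVENTS
                and parse_ts(later["ts"]) - login_time <= window
            }
            if changed == RECOVERY_EVENTS:
                alerts.append({
                    "account": account,
                    "login_ip": event["ip"],
                    "login_ts": event["ts"],
                    "changed": sorted(changed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_pattern(SAMPLE_EVENTS):
        print(f"ALERT {alert['account']}: recovery contacts replaced after login "
              f"from new IP {alert['login_ip']} at {alert['login_ts']}")
```

Two caveats for anyone adapting this: the "new IP" baseline is only as good as the history you feed it, so an account's very first logged sign-in always looks new, and the detection is a signal to act on (step-up authentication before allowing recovery-contact changes, and notifying the old email and phone when they are replaced), not a replacement for the password policy and two-factor authentication recommended above.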
Back in April of 2021, Facebook and LinkedIn had data on hundreds of millions of account holders leaked online. While passwords weren’t claimed as part of the exposed data, phone numbers were. Phone numbers are very valuable these days as they are often part of the authentication process when signing into an account. The risks to users are SMiShing attacks (phishing over text) and SIM swap attacks. A SIM swap attack is where someone ports your phone number over to their phone. By doing so, they now “own” your phone number and have the ability to intercept your texts or phone calls. Of value to them are texts containing password reset links and two-factor authentication codes. If either of these types of attacks is successful, it may lead to a bad actor gaining access to business resources.
October 4th of 2021 was an interesting day for all Facebook, Instagram, and WhatsApp users. Facebook experienced a self-inflicted outage that lasted around six hours. This meant that organizations and app developers who rely on Facebook had their operations halted. This day was detrimental to businesses that relied solely on Facebook for revenue generating activities. This incident was not malicious, and it serves as a lesson that business continuity planning is needed. This means, if we’re sticking to social media as a theme, you need multiple platforms to conduct your business in order to remain operational.
Your social media posts and the posts of others
When we conduct our external risk and threat assessments, more often than not we find something on social media that a bad actor can use to cause harm to your organization. It might be a picture or video published to your social media business account that shows documents on a desk, or an unattended computer monitor, that reveals sensitive information. Our favorite is the username/password on a whiteboard or on a sticky note on a computer monitor. Be aware of your surroundings before you post. We’ve also come across people publishing internal information to various social media platforms, both unknowingly and intentionally.
Then there are the posts by your customers, clients, and patients. They can inadvertently disclose internal information on their social media posts that can lead a bad actor to compromising your organization.
Bad actors might create fake social media accounts to masquerade as your organization or its officers, to either A) muddy communications with disinformation, B) drive traffic away from your business, or C) use it as an opportunity to phish and scam people. We can also get into intellectual property issues like stolen logos and other marketing material showing up in places you didn’t authorize.
There are a myriad of things that put your organization at risk when it comes to social media. In the FBI’s 2021 Internet Crime Report, social media as a vehicle to commit a crime contributed to $235,279,057 in victim losses [Source: FBI].
Including social media in your external risk/threat assessment cannot be overlooked. Some cybersecurity frameworks like NIST 800-171 call out the need to assess risk to “organizational operations,” which includes “organizational assets” like social media, and to look for anything damaging to the organization’s reputation.
Whether your organization needs an assessment like this for compliance [Click here to see Connecticut’s Cybersecurity Law] or if you’re looking to take a proactive approach to protect your stakeholders, schedule some time for a strategy meeting with us in the contact form below.
Also sign up for our free cybersecurity and intelligence newsletter to stay informed. Here is the link https://bsquaredintel.com/newsletter-signup/