An employee goes on Facebook and makes a snarky comment about his boss. Or posts a picture of a co-worker that includes a confidential document open on her laptop. Or simply mentions your company name when sharing something online. All of these are examples of potential trouble.
You see, attackers scrape social media sites to find ammo for phishing emails. It’s logical, when you consider that a phish depends on credibility to dupe its victims. What’s better at building cred than dropping in relevant personal details?
Look at your risk profile through a social media lens.
Knowing your organization’s risks is the first link in the phishing kill chain. It’s important that users understand how social media can be a threat to your information security, potentially resulting in revenue loss, data theft, and regulatory nightmares.
When social media posts contain proprietary information, or even just telling details, social engineers have what they need for phishing emails. Mentioning someone’s name, role, or something that happened at work is grist for attackers who disarm you so they can defraud.
Some of the most convincing phishes borrow language from company websites. If someone emailed you and parroted corporate policy, you just might click, right? Likewise, if someone dropped a name or title he or she saw on social media, you’d be more likely to fall for the scam. It happens all the time.
It’s true that social media sites like Facebook offer privacy controls. Users can, for instance, make posts visible to friends only, not the whole world. While you should encourage your employees to make smart use of these controls, they’re not enough. That’s why you need to…
Reexamine your company’s social media “acceptable use” policies.
Social media use is common in today’s workplace. That’s why your organization needs to re-evaluate its acceptable use policies—or create them if they don’t exist.
Remember to tailor your policies so they protect proprietary assets. Best practices include:
- Analyze current policies on social media security. Are there gaps in the basics you can easily fill right now? What allowances should you make given your industry, competitive stance, or business strategies?
- Do a threat analysis. Assess what proprietary information is at risk through social media. Is there data employees can share on social that they shouldn’t?
- Train employees to create situational awareness. In your business environment, what constitutes good or bad social media related behavior?
- Simulate phishing emails that use company information people sometimes share on social. You can customize phishing scenarios when you use Cofense PhishMeTM. Or let the experts behind Cofense PhishMe Managed Service work with you to defend against attackers who troll social media sites.
Let’s face it. Everyone’s on social media, at work as well as home, often in a professional capacity, promoting a product launch, for example. The question isn’t IF your users are on social media. It’s HOW they use it and how your company can install the right guardrails.
Learn more about how phishing attackers create effective emails in the Cofense™ Phishing Resiliency and Defense Report.
