Social media can be a key element of an organization's marketing operations – it can also be the gateway for multiple online threats. Internet users who fail to use unique passwords for their online activities, share their passwords, or willingly provide confidential information without due consideration for the security implications can be risking the online security of an entire organization.
Rather than have an employee threaten the integrity of your organization's online defenses, it is in your best interests to implement an Internet filtering solution from TitanHQ. An Internet filtering solution – and adequate training about the risks of communicating confidential information online – can mitigate the risk of your organization's online defenses being compromised by an employee's carelessness or naivety.
The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data.
Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms.
Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected.
These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.
Extortion Email Schemes Threaten Exposure of Sensitive Data
Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained.
In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on social standing.
To stop the distribution of these data, victims are required to pay the attackers anywhere from 2 to 5 Bitcoin – between $250 and $1,200. The email includes a Bitcoin address which the victims must use. This ensures the transaction remains anonymous.
After analyzing the extortion email schemes, the FBI has concluded that the attacks are the work of multiple individuals. The FBI has advised against paying the ransoms as this will only ensure that this criminal activity continues. Paying a ransom is no guarantee that further demands will not be received.
Any person receiving an email that they believe to be an extortion email scheme should contact their local FBI office and send a copy of the email with the subject “extortion E-mail scheme,” along with details of the Bitcoin address where payment has been asked to be sent.
Extortion email schemes are often sent out randomly in spam email; however, responding to an email will alert the attacker that the email account is active and is being checked. The best course of action is to ignore the email, to log into social media accounts and change all passwords, and to carefully monitor bank accounts and credit card statements. The FBI also advises individuals to ensure social media accounts are configured with the highest level of privacy settings and to be extremely careful about sharing any sensitive data online.
On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.
Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time
The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164 million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier.
These breaches have something else in common. They were all discovered recently and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: A Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data.
The person responsible for the theft appears to have been sitting on the data for some time as, according to Tumblr, the login credentials do not appear to have been used.
Fortunately, the passwords were salted and hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms, so hackers could potentially crack the passwords. The salting does offer more protection for individuals affected by the Tumblr data breach. However, as a precaution, site users who joined the website in 2013 or earlier should log in and change their passwords.
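For site operators, the weakness of salted SHA1 is that a single hash pass is cheap to compute, so each guess against a stolen record costs almost nothing. The following added example (not from the original article and not Tumblr's code) shows one way to move stored records off salted SHA1 when a user next logs in. The record layout, the salt-then-password ordering, and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for the example; tune it to your own hardware budget.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Legacy record: one fast SHA-1 pass over salt || password (assumed layout)."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Current record: PBKDF2-HMAC-SHA256 with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format in constant time."""
    parts = record.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        expected = legacy_sha1_record(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        expected = pbkdf2_record(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(expected, record)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Return (login_ok, record_to_store).

    A successful login against a legacy SHA-1 record is the only moment the
    server sees the plaintext, so that is when the record is re-hashed.
    """
    if not verify(password, record):
        return False, record
    if record.startswith("sha1$"):
        return True, pbkdf2_record(password)
    return True, record
```

Accounts that never log in again keep their legacy record, so a forced password reset is still needed for dormant users.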
Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for multiple online accounts.
If you have been affected by the Adobe, LinkedIn, MySpace, or Tumblr data breach, and there is a possibility that you have reused passwords on any other platforms, it is strongly advisable to change all of your passwords.
Peace may not be the only individual currently in possession of the data, and it is highly unlikely that the data will only be sold to one individual.
If you are unsure if your login credentials have been compromised, you can check by entering your email address or username on haveibeenpwned.com.
There are a number of ways for managed service providers to increase cash flow and boost profits. Efficiency can be improved, staff productivity can be increased, better margins achieved, and new in-house products could be developed. Unfortunately, all of these are easier said than done.
The main ways to increase profits by a significant amount are to attract new customers and increase the amount each existing client is spending.
If only there was a secret ingredient that MSPs are missing that could help them to win more business and get each client to spend more! The good news is that for many MSPs, there is such a product.
Any MSP that has yet to include a web filtering service in their product portfolio could be missing out on substantial profits.
Web Filtering – An Easy Way for MSPs to Increase Profits
Filtering the Internet is now essential for many enterprises. In certain industries it is mandatory for companies to filter the Internet. They need to ensure sensitive data are protected and risk is effectively managed. Networks must be protected from attacks by hackers and with an increasing number of web-borne threats, Internet usage policies alone are not sufficient to keep organizations protected. Those policies need to be enforced and a web filter is the natural choice.
In some industries, education for example, it is mandatory for the Internet to be filtered. Minors must be prevented from accessing obscene website content or other material that could be harmful. Even when it is not mandatory to filter the Internet it is often desirable. Hotels, restaurants, transport networks, airports, cafes, and coffee shops are choosing to implement controls to ensure all users enjoy a safe browsing experience.
In business, productivity losses from Internet abuse can be considerable. If every employee wasted an hour each day on personal Internet use, the losses to a medium-sized company would be substantial. Some studies suggest even more time is wasted by employees each day on non-work related Internet activities.
Failure to filter the Internet can prove costly in many ways. For example, the accessing of adult content in the workplace can lead to the development of a hostile working environment, which affects morale, productivity, and can cause all manner of HR headaches. The use of torrent sites and the downloading of pirated films, music, TV shows, and software can cause organizations legal headaches as well as placing pressure on bandwidth.
Many websites are unsafe and accessing those sites places organizations at a greater risk of a malware infection. A single compromised computer can cause an incredible amount of damage. The latest ransomware attack on Medstar Health is a good example. A computer virus was inadvertently downloaded which resulted in the shutdown of the health system’s email for its entire workforce, as well as its electronic medical record system.
Hollywood Presbyterian Medical Center was attacked with ransomware and had to pay $17,000 to obtain security keys to unlock its data. It is not only healthcare organizations that are having to deal with ransomware. U.S. police departments have been forced to pay attackers after their computers have been locked by file-encrypting software, and many organizations have fallen victim to ransomware, keyloggers, viruses, and other malicious software. These infections are a drain on productivity and take a considerable amount of time and resources to fix.
A web filtering solution can protect against web-borne threats, can be used to tackle productivity losses, and prevent illegal or unsuitable website content from being accessed. Web filtering is now less of an option for many businesses and more of a requirement. MSPs offering such a service can find it is an easy sell and a great way to boost profits.
What to Look for in a Web Filtering Product
In order for a third-party product to be included in an MSP's existing portfolio it should have a number of features. MSPs therefore need to find a web filtering product that:
- Has generous margins
- Is easy for sales teams to sell to clients
- Has a low management overhead
- Is easy to install
- Appeals to a wide range of clients
- Can be easily incorporated into existing product offerings
- Can be easily incorporated into back-office systems
There is a product that ticks all of these boxes, and that is WebTitan Cloud.
WebTitan Cloud and WebTitan Cloud for WiFi – Ideal Web Filtering Solutions for MSPs
WebTitan Cloud is a 100% cloud-based DNS filtering solution that has been designed to be easy to implement, maintain, manage, and sell to clients. WebTitan Cloud is a no-brainer for many organizations, allowing thousands of dollars to be saved.
WebTitan Cloud can help organizations increase productivity of the workforce and improve security posture to prevent malware infections. Highly competitive pricing means considerable savings can be made by organizations looking to switch web filtering providers.
WebTitan can be implemented without any effect on Internet speed; there is no need for any additional hardware, and no software downloads are required. Our product is easy to use and management is straightforward and not labor-intensive.
Key Features and Benefits of WebTitan Cloud that will Appeal to MSPs
WebTitan Cloud and WebTitan Cloud for WiFi have been developed to be appealing to MSPs and their clients. To make it as easy as possible for our web filtering solutions to be incorporated into existing client packages and allow MSPs to boost profits, we offer the following:
White labelling – Allows MSPs to add their own branding and color schemes.
Hosting choices – We can host on our servers, provide private cloud hosting, or you can run our solution within your own infrastructure.
Generous margins for MSPs and highly competitive pricing – An easy way to boost profits.
Usage-based Monthly billing – Makes WebTitan Cloud more affordable for clients.
Flexible pricing – Our product can easily be included in your pricing models.
Multi-tenanted solution – Advanced customer management features make it easy to add new clients.
API-Driven – Easy integration into back-end billing and reporting systems.
Highly scalable – Our web filtering solution is suitable for businesses of all sizes.
Excellent Support – Industry leading customer service and technical support. If you have a problem, it will be rapidly resolved.
To find out more about how easy it is to incorporate WebTitan Cloud into your existing portfolio and boost profits, contact our sales team today.
Enterprise social media usage policies have only been introduced by 54% of organizations according to a recent social media research study conducted by Osterman Research.
Social media use in the workplace has grown significantly in recent years, both personal use of social media sites as well as the use of the platforms for business purposes. However, just over half of enterprises have implemented policies that limit or restrict use of the websites.
Enterprises face a choice. Allow the use of the sites and accept that a considerable amount of each employee’s day will be devoted to personal social media site use, or place controls to limit use. These can be restrictions on the times that the sites can be accessed, the amount of time each employee is “allowed” to take as Facetime, or the actions that can be performed on social media sites.
There are good reasons for not introducing social media usage policies. Some employers believe social media site use can improve collaboration between employees and departments. Some employers believe social media use can help improve corporate culture and even lead to faster decision making capabilities.
However, some studies suggest that employers lose more than an hour each day per employee to social media networks. If that figure is multiplied by the 500 or more employees in an organization, it represents a considerable productivity loss.
Many employers do not mind a little time on social media sites each day, provided that usage is kept within reasonable limits. An employee cannot be expected to work productively for a full 8 hours a day, so allowing some social media time can help employees recharge before they get back to working at full speed. If an employee takes 5 minutes every hour to check their Facebook feed, it could actually help to increase the work that they perform each day.
Social Media Usage Policies Can Help Employers Manage Security Risk
Use of social media platforms is not only about time not spent working. There is a security risk associated with the use of social media networks. That security risk is considerable and the risk is growing. The Osterman Research study revealed the risk of malware delivery via social media networks is considerable. 18% of respondents said that they had had malware installed as a result of social media site use. 25% said they had experienced a malware attack where they could not determine the origin. Some of those incidents may have also resulted from social media site use.
Social media site use may have benefits, but it is important for enterprises to manage the risks. To do that, social media usage policies are likely to be required along with technological controls to help enforce those policies.
Osterman Research suggested a three-step approach should be taken. Before enterprises implement social media usage policies it is important to find out why social media platforms are being used and how often they are being accessed. An audit should be conducted to determine the extent to which sites are accessed, the tools that are being used by employees, the time spent on the sites, and the activities that take place.
This will allow organizations to determine the benefits they get from social media site use and weigh these up against the risks. Appropriate social media usage policies can then be developed.
Employees will need to be trained on appropriate social media usage. Employers have the right to monitor Internet activity at work. The use of Facebook, Twitter, LinkedIn and other social platforms is therefore not private. Employers should explain that they have the right to monitor social media usage at work and take action against individuals who violate social media usage policies.
Osterman suggests that technologies should be implemented to control social media usage to help mitigate the risk of malware downloads and other social media threats.
Controlling Social Media Usage at Work
WebTitan Gateway – and WebTitan Cloud for WiFi – can help in this regard. Both web filtering solutions can help organizations control the use of social media sites at work and both solutions can be used to enforce social media usage policies. Controls can be placed on when social media sites can be accessed: Outside working hours or during lunch hours for example. Controls can also be set by user group. The marketing department will require a different set of rules to the billing department for example.
Controls can also be implemented to manage risk from malware. The downloading of risky files can be blocked: .exe, .scr, .zip, or .bat for example. Links to malicious websites are often uploaded to social media networks. WebTitan can be configured to prevent those sites from being accessed. WebTitan also allows Internet usage to be carefully monitored.
Many organizations prefer to take a reactive approach to social media use at work, and only introduce controls when there has been a malware attack, a breach of confidentiality, or when site usage has reached unacceptable levels. Taking a more proactive approach can prevent problems before they occur.
Nothing is certain in life apart from death and taxes, and tax season phishing scams, which have started particularly early this year. Inboxes are already being flooded with phishing emails as cybercriminals attempt to file tax returns early. Not their own tax returns of course, but fraudulent claims on behalf of any email recipient who divulges their Social Security number and personal data to the scammers.
Tax season phishing emails are sent out in the millions in the run up to the April 15 deadline. If a tax refund claim can be submitted before the victim files, the criminals will receive the refund check.
How to Spot Tax Season Phishing Scams
Each year tax fraudsters develop new and ever more convincing phishing scams to get taxpayers to divulge their personal data and Social Security numbers. With these data, fraudsters can submit fake tax returns in the names of the victims.
While phishing emails can be easy to spot in some cases, the fraudsters are now getting much better at crafting official looking emails that appear to have been sent from the IRS.
The emails use the same language that one would expect the IRS to use and the email templates use official logos. The emails contain links that have been masked to make the email recipient think they are being taken to an official website. Clicking on the link will fire up a browser window and the soon-to-be-victim will be taken to a website that looks official.
Visitors will be asked to update their personal information, add their Social Security number, or even be requested to divulge their Self-Select PIN for the online tax portal. Divulging these data is almost certain to result in tax fraud.
Tax Season Phishing Emails Are A Growing Concern
Taxpayers have been warned to be ultra-cautious. More tax season phishing scams have been identified this year than in previous years, with tax-related phishing and malware scams up 400% year on year.
IRS Commissioner John Koskinen warned that “Criminals are constantly looking for new ways to trick you out of your personal financial information so be extremely cautious about opening strange emails.”
Tax season phishing scams are not only conducted via email. In fact, phone scams have previously been one of the commonest ways that criminals obtain the information they need to submit fraudulent tax returns; however, the use of phishing emails is growing.
For the 2014 tax year, the IRS received 1,361 reports of phishing and malware schemes in the run up to the April deadline. That total has already been surpassed and February is not yet over. 1,389 reports have already been received. The January total was 254 higher than for the 2014 tax year, with 363 incidents reported by February 16, which is 162 more than the total for the entire month of February last year.
IRS Tax Season Phishing Emails Used to Deliver Malware
While criminals are attempting to phish for personal data, that is not the only consequence of clicking on a malicious link. The websites used by the cybercriminals behind these phishing scams are loaded with malware. That malware enables cybercriminals to log keystrokes on infected computers and gain access to far more data than Social Security numbers. Bank account logins and passwords can be obtained, along with access to email accounts, and much more.
Tax Professionals Are Being Targeted with Phishing Scams
It is not only the public that must be vigilant and on the lookout for tax season phishing scams. Tax professionals are also being targeted by cybercriminals using similar schemes. The aim is to get accountants and tax advisers to reveal their online credentials such as their IRS Tax Professional PTIN System logins.
The IRS advice is to be vigilant and report any suspected phishing email. The IRS does not typically request data via email and does not initiate contact with taxpayers via email, text message, or social media channels. If an email is received asking for a link to be clicked or an attachment to be opened, it is likely to be a scam and should be reported to the IRS.
It has been a long time coming, but Facebook has finally taken the decision to stop using Flash for video. The social media site is now using HTML5 for all videos served on the site. Facebook Flash video is no more, but Adobe Flash has not been totally abandoned yet, as it will still be used for Facebook games. Hackers can take some comfort from the fact that Farmville players will still be highly susceptible to attack.
Facebook Flash Video Retired to Improve User Experience
The move away from Facebook Flash video didn’t really require any explaining, although a statement released by Facebook said the move was required “to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.” The move to HTML5 not only makes the social media site more secure, it also improves the user experience. Videos play faster, there are fewer bugs, and HTML allows faster development. The social media network also plans to improve the user experience for the visually impaired using HTML5.
The move appears to have been welcomed by Facebook users. Since changing over to HTML5, users have added more videos, registered more likes, and are spending more time viewing videos.
The End of Adobe Flash is Nigh
Unfortunately, it is not quite so easy for the Internet to be totally rid of Flash. The video platform has been used for so long it is still a major part of the web. However, its 10-year reign is now coming to an end. Google Chrome stopped supporting Flash last year and Amazon also banned the use of Flash for video last year. YouTube made the switch from Adobe Flash to HTML5 and with Facebook’s 8 billion video views a day no longer being served through Flash, the majority of web videos will now be viewed without Adobe’s platform.
Even Adobe appears to be trying to distance itself from its toxic product, having abandoned the name Flash in recent weeks. The company is attempting to deal with the huge number of zero day vulnerabilities as soon as they are discovered, and is patching them quickly, but it is fighting a losing battle. HTML5 provides everything that Flash offers in terms of functionality, minus the myriad of security holes.
Security Risk from Adobe Flash too High
Flash is well known for being a hacker’s dream as the software platform contains more holes than a sieve. Early last month a new patch was released to address 78 CVE-classified security vulnerabilities, 75 of which were totally separate. This, it has to be said, is an insane amount of security vulnerabilities to discover and address in a single patch. Adobe was quick to point out that it has not received reports of those vulnerabilities being used in the wild, but this has done little to address security fears about Flash.
The risk of drive-by malware attacks is simply too high with Flash. All it takes is for one malicious Flash based advert to be sneaked onto a site, and any visitor with a Flash browser plugin enabled could be automatically infected.
Even with the 78 vulnerabilities now addressed, Adobe Flash is far from secure. In fact, even the early December mega patch was not enough. Adobe was forced to issue yet another update on December 28 to address a number of new critical security vulnerabilities that had been uncovered. The total number of Flash security vulnerabilities addressed in 2015 is now estimated to be 316.
With YouTube ditching Flash and Facebook Flash video no more, the demise of Adobe Flash has surely been hastened.
A new study conducted by CompTIA has highlighted the risks that are being taken by end users, and suggests low awareness of security threats. End users’ lack of knowledge of basic security measures continually frustrates IT security professionals. End users are usually seen as the weakest link in the security chain, and the results of this study are unlikely to see many minds changed. The study also suggested the persons most likely to take risks and jeopardize security are in their early twenties: Gen Y.
Gen Y Has Low Awareness of Security Threats
One of the tests conducted was a relatively straightforward but ingenious test of risk awareness. CompTIA researchers dropped 200 unmarked thumb drives in locations that received high volumes of foot traffic. The researchers wanted to find out how many individuals would pick up the drives and plug them into their computers.
Thumb drives can be purchased cheaply, but are extremely useful. Finding one in the street may be seen as a lucky find. However, plugging such a drive into a computer carries a huge risk. There is no knowing what software is installed on the drive, and simply plugging it into a computer could easily result in malware or viruses being installed.
In this case, doing that just resulted in a pop up message being displayed which prompted the new owner of the thumb drive to send an email to the researchers to let them know that the device had been found and plugged in. In total, 17% of the 200 thumb drives resulted in a response being received by the researchers. Not all of the individuals who picked up the thumb drive will have responded to the pop-up request to send an email to the study organizers, so the number of individuals who did plug in the drive may well have been higher.
The company also conducted a survey to discover more about end user awareness of security threats. Over 1200 completed surveys were collected by the company, and the results show that many end users are taking considerable security risks. Those risks could result in laptops, computers, and mobile phones being compromised. If IT security professionals were worried about end user risk taking before, they are likely to be even more worried now.
Numerous questions were asked; however, the most worrying statistic for security professionals is the volume of individuals who use the same passwords for personal accounts as they do for their work computers. The study revealed 38% of respondents did this, while 36% used their work email address for personal accounts.
Gen Y end users were most likely to take risks, with 40% saying that they would pick up and use a flash drive they found in the street, and 94% of respondents connect either their laptop computer or mobile to public Wi-Fi networks. Nearly seven out of ten individuals said they use their laptops for work purposes or to handle work-related data and six out of ten employees used employer-supplied mobile devices for personal applications.
While IT security professionals reading CompTIA’s statistics may break out in a cold sweat at the excessive risks being taken by end users, there is a solution. That is to provide more security awareness training to staff. End users may be the weakest link, but with training, risk can be managed. If awareness of security threats increases, organizations will be better protected from cyberattacks.
Less than half of respondents reported having received any cyber security training, so consequently awareness of security threats was understandably low. Employees were not aware of the level of risk they were taking. Unless end users are shown how to be more security conscious, risky behavior is unlikely to decrease.
The Heartbleed security vulnerability was announced recently and had IT security professionals rapidly taking action to plug security holes. System passwords were changed and alerts sent to end users telling them to do the same.
Heartbleed is a highly serious data security vulnerability that was discovered in the OpenSSL cryptographic software library. It is so called because it affects an SSL extension commonly known as Heartbeat. Over half a million websites are believed to have been affected by the Heartbleed vulnerability.
The Internet is normally secured with SSL/TLS encryption. This allows information to be exchanged securely by a wide range of Internet applications, including Instant Messaging (IM) services, email, and even Virtual Private Networks (VPNs). Unfortunately, the Heartbleed bug allows anyone to steal passwords even with SSL/TLS encryption in place. According to American cryptographer Bruce Schneier, Heartbleed is a potentially catastrophic security vulnerability. He recently said, “On the scale of one to 10, this is an 11.”
IT departments have been frantically issuing alerts to change passwords
Sensitive data is protected by passwords; however, Heartbleed has potentially allowed passwords to be compromised. The security vulnerability may have only just been discovered, but it has existed for at least two years. Hackers are not understood to have used the vulnerability to gain access to sensitive data, but it is actually rather difficult to tell even if they have. As a security measure, IT staff have been sending emails to all users advising them to change their passwords just in case.
Unfortunately, they are not the only individuals sending password change requests to users. Online scammers have been piggybacking on the major data security event and have been sending emails of their own. Conveniently, these emails also include links to allow users to rapidly address the huge security hole.
Any individual who has heard about the security issue will be keen to protect themselves against hackers and cyber criminals. Emails telling them to change their passwords are likely to be clicked. Unfortunately, clicking those links will take users to a website where they enter their current passwords. By doing so they will be giving them to criminals. They may think they are protecting themselves, but their actions will be doing the exact opposite.
Beware of Heartbleed Protection Scams
Piggybacking on major news events is a common tactic used by phishers to get computer users to reveal their sensitive information. News of a major IT security flaw is music to phishers’ ears. Computer users are fearful of a cyber attack and phishers play on those fears. The response rate to emails of this nature is typically high.
Many IT professionals have been busy securing their networks and have performed security audits to address the latest vulnerability and search for others that may exist. Software companies are taking advantage and are offering products that will perform full system security checks. After all, there is no better time to boost sales than when the public is keen to improve online security.
Scammers have been taking advantage by sending links to websites that will perform security checks. The scam emails and adverts appear genuine. They offer a free system check to determine whether vulnerabilities exist and they have even promised to clean systems and install the required patches to secure devices. By accepting these checks, users will just be guaranteeing their devices are compromised. It is therefore a time to be extremely vigilant for online scams. Efforts must be made to check that any request to improve security is actually genuine before it is accepted.
How to Beat the Scammers, Spammers and Phishers
Fortunately, it is relatively easy to avoid becoming a victim of one of these scams. Receiving an email with a link or an attachment will not automatically compromise a computer. Action is required by the user for that to happen. If the phishing email is deleted, so is the threat. However, not all users know how to identify a phishing email. If one does reach an inbox, a user may end up infecting their computer or, worse still, the network to which that computer connects.
It is important to give computer users the information they need to protect themselves. They must be advised of the tell-tale signs of a phishing email. Only then will they know how to determine if an email is genuine. Training is therefore important, and now is a good time to ensure that the staff is well informed.
It is also an ideal time to install some additional safeguards to prevent spam and scam emails from reaching users’ inboxes. SpamTitan Technologies offers two excellent security solutions. The first is a robust and highly effective spam filter that prevents spam and scam emails from being delivered. The second solution prevents users from clicking links to scammers’ websites.
SpamTitan web filtering works like a business version of a parental control filter. Instead of just blocking gambling, dating, and pornographic websites from being visited, it also blocks users from visiting known phishing websites and even genuine websites that have been infected with malware.
By installing both of these anti-phishing solutions, IT professionals can sleep easy. The Heartbleed vulnerability will still need to be addressed, but they will be able to relax a little knowing that end users will not be falling for the myriad of piggybacking phishing campaigns that have been developed over the past few days since the Heartbleed announcement was made.
LinkedIn is one of the fastest growing social networks and is now used by employers to build contacts and find new customers and suppliers. The number of LinkedIn users has been swelling, and now the site boasts nearly 1 billion accounts. The professional network is an essential sales and marketing tool for many companies, and recruitment firms would find it very difficult to stay competitive without it.
The website extends a company’s reach and can be used for a variety of purposes. Company news can be announced, new products marketed, new employees found, and the site contains many interesting industry articles, providing hints and tips for busy professionals. Many users now search LinkedIn for information before using the search engines.
Companies now use the social network as well as their employees. In fact the boundary between the two has become somewhat blurred. For instance, if an individual spends personal time building up contacts, are those contacts connecting with the person or the company? In many cases it is a mixture of the two. So who actually owns those contacts? The employee or the employer? A recent court case in the UK sided with the company. However, without social media usage policies in place, a court case could go either way.
Recruitment consultant discovers his LinkedIn contacts are not his own
A recruitment consultant at Hays Recruitment had been building up contacts via his professional account. When he decided to leave his employer and set up his own business, he copied contacts to his personal account. These were people he had been dealing with frequently as his job demanded.
Hays objected to this activity and took the ex-employee to court over the matter. The judge agreed with Hays and ruled that LinkedIn contacts built during employment at Hays be handed over. The employee was also required to disclose all of the emails that had been sent to those individuals.
The employee, Mark Ions, maintained that by connecting with him, individuals had disclosed their contact information, which was therefore no longer confidential. Hays maintains that Ions stole business contacts.
This landmark case highlights the potential problems with the use of social media accounts at work. Many companies actively encourage employees to use LinkedIn to build up contacts, but then claim that those contacts are confidential and cannot be used by the employee for personal purposes.
Court cases such as this are likely to become much more common as the use of professional social networking sites increases. Another case went to the courts in July of last year. Whitmar Publications discovered that some former employees had used the company’s LinkedIn network to market the services of a rival business. Again the courts ruled in favor of the company. The former employees had breached an implied duty of good faith by using the list.
Other problems can arise from the use of the professional network. What happens if an employee of a company wants to find a new job? Can an employee upload a CV and tick the career opportunities box indicating he or she is in the market for a job?
The matter was taken before the courts recently, although the ruling did not exactly clear up the matter. While employed at BG Group, HR manager John Flexman indicated on his LinkedIn CV that he was assisting his current employer to reduce its attrition rate. This was deemed to be a breach of confidentiality by BG Group. The company also claimed Flexman had breached its social media usage policies by indicating he was in the market for a job.
BG Group demanded that Flexman remove all details of the company from his profile, other than the company name and his job title. Flexman did not agree. The situation deteriorated and Flexman eventually felt he had no alternative but to resign. He then claimed constructive dismissal. In this case the court ruled in favor of the employee.
Social media usage policies must be developed by businesses
Some companies may have already introduced social media usage policies to cover the use of personal Facebook and Twitter accounts in the workplace, banning staff from spending company time accessing their own accounts. These legal cases highlight the importance of developing comprehensive policies covering all uses of social media websites at work, including contacts that are developed as a result of employment.
Employees must be informed about contact ownership. Any information that is in the public domain – i.e. could be found in a business directory or phone book – cannot be classed as confidential information. However, other information that has been obtained by employees during employment is different. This includes the email addresses of those contacts and their direct dial telephone numbers.
Since LinkedIn is a relatively new website, and legislation on employment law has yet to be introduced to address the issue, there are many gray areas, in particular when personal accounts are used by an employee. Employers are advised to ensure that LinkedIn accounts are set up and maintained by the company, and employees are not told to create their own accounts for work purposes. All contact information then belongs to the company, not the employee.
Policies on the use of LinkedIn and other social media websites should be clearly stated. These could be included with general Internet and email usage policies that are issued to all employees.
Social media usage policies are required to cover use and ownership of accounts, but it is important not to ignore the security aspect. Employees must also be told about acceptable use of the sites from a data security perspective, and instructed what can be uploaded and downloaded to accounts.
Ever since the advent of social media networks, employers have been trying to devise ways to prevent employees from using the sites in the workplace. Employers see the sites as a huge drain of the staff’s time and believe they are one of the biggest killers of productivity. It is true that a lot of time is spent on the websites instead of performing work duties, and some employees spend far too much time checking posts. However, new research has now been released suggesting social media site usage may not actually be that bad. In fact, there could even be major benefits for employers.
Do you Ban Social Media Site Use at Work? You Could be Causing More Harm than Good!
A new study conducted by Warwick Business School shows that banning the use of social media access in the workplace is more likely to kill productivity than allowing staff access. Any employer believing the opposite is true needs to have a rethink. Some downtime in the workplace is a good thing.
Employees cannot work for 4 hours straight without a break and be expected to be as productive at the end of that 4-hour stretch as they were at the start. Taking a few minutes here and there to check Facebook can mean employees’ productivity actually increases.
Warwick Business School’s Professor of Information Systems, Joe Nandhakumar, ran the investigative study. He believes that some workers are better at organizing their workflow if social media site access is allowed. Knowledge workers in particular can perform better at work if access is provided.
Rather than social media being a distraction, Nandhakumar believes the opposite to be the case. Employers just need to find the positives and not concentrate on the negatives. He has also pointed out that the use of social media may be a new issue for employers to deal with, but they have faced a similar situation in the past with the use of email. That was thought to be a huge drain of time, yet evidence suggests that not to be the case. Take it back even further, and the use of the telephone was believed to be a killer of productivity. In actual fact, social media, email and the telephone make workers more productive, and allow them to achieve much more during their working day.
Social media use has been shown to increase productivity
If employers believe that employees should be spending 100% of their working day dealing with working matters, they will naturally see social media use as a drain on productivity. However, employees are not necessarily goofing off when they access Facebook. Many check the sites intermittently while performing work duties. The younger generation is particularly skilled at multi-tasking, and can keep an eye on Twitter, update Facebook, send emails and answer the phone at the same time.
These workers are able to cope with highly varied workloads, and banning social media use may actually kill productivity. Without some entertainment provided by Facebook, workers become bored, less productive, and less willing to work hard for their employers. Taking a short break from work can actually help to increase mental focus when they are working.
Studies have shown that it is not possible for people to concentrate for more than an hour at a time. Others suggest 45 minutes is more realistic, or even 20 minutes depending on which study you read. What is clear is that concentration drops off over time, and simply taking 5 minutes an hour to check Twitter will actually have a positive effect. Workers will also be more creative and efficient. These are clear benefits in certain industries.
Market research firm Ipsos was contracted by Microsoft to conduct a study into social media usage in the workplace. The study showed that 46% of workers felt that they were more productive if they took a few minutes off to check Facebook. There were some surprising differences between workers from different countries. Workers in India, for example, found they were much more productive at work if their employers allowed some social media time. 71% of respondents from the Indian subcontinent agreed they were more productive if allowed access to Facebook, Twitter and other popular social media websites.
The best approach? Use common sense!
There will always be workers who are overactive on social media websites and spend more time on those sites than they do working. Clearly these employees must be advised that the time they spend on the sites is unacceptable. However, not all workers will abuse the good nature of an employer.
How can social media site use be managed? There are some technical solutions that are highly beneficial in this regard, not just for curbing social media use, but also preventing personal Internet use from becoming problematic.
By installing a web filter – such as SpamTitan – the use of social media websites can be blocked entirely. A better tactic is to block access to the sites at specific times of the day. By doing this an employer can be more relaxed about usage of the sites, yet still ensure that employees are controlled. An example would be to block use of the sites during busy times, or in the mornings and directly after lunchtime.
The management can decide on an acceptable level and then configure the web filter accordingly. Controls can even be defined by employee or department. The marketing department and other groups of individuals who need to be creative could be set different limits than other workers in the business.
Data entry staff may need a break every few hours. Providing some access could therefore improve the level of work that is achieved each day. With a configurable web filter, employers can easily experiment and find the right balance. This may take a little time, but if it results in improvements to productivity and efficiency, this will be of great benefit to the organization.
Twitter, like many other social media platforms, is a target for hackers and cybercriminals. The company has recently become the victim of a number of cybersecurity incidents that have resulted in the account names and passwords of users being obtained by criminals.
Each attack spells bad news for the company, and even worse news for users of the platform. They face an increased risk of suffering identity theft and fraud as a result of having their login credentials compromised. Twitter security measures were simply not good enough to prevent a data breach from occurring.
Twitter security bolstered with two-factor authentication
To address the situation, Twitter security has been improved with two-factor authentication. This is an important security measure to implement as it makes it harder for accounts to be hacked.
Two-factor authentication uses two means of identification to help ensure that accounts are only accessed by the correct individuals. In addition to entering a username and a password, Twitter now requires an extra element to verify the identity of the person trying to access an account.
A number of websites and online services have now added two-factor authentication to provide better protection for users of their online services. Google, for instance, added two-factor authentication in 2010.
Google’s reputation would be tarnished if it was hacked. The company proactively added the security measure to offer more protection to its account holders. Users of its services must supply a mobile phone number when opening an account. A unique code is then sent by SMS to the phone when a new device tries to access the account. Users can alternatively choose to have an email alert sent to advise them when a new device is used to access the account. This ensures that if someone tries to log in to an account on an unknown device, they will be prevented from gaining access, even if they supply the correct login name and password.
This is a vital security measure to keep accounts secure and it has been adopted by a number of websites and social media platforms, although it appears to have taken a major data breach for Twitter security to have been improved with this fundamental security protection.
Social media accounts contain a considerable amount of data about the user. Should a criminal be able to gain access to an account, they would be able to gather a considerable amount of personal information that could be used to conduct a highly effective spear phishing campaign.
Two recent high-profile cyberattacks involved compromised Twitter accounts. They affected the UK’s Guardian newspaper and the American Associated Press. Hackers gained access to the accounts and released links to fake news items. Since the messages came from a trusted source, and contained click-bait links, the fake websites received hundreds of thousands of visitors.
The links were to fake articles detailing explosions at the White House – a potential terrorist attack – and a fake story about President Obama. Unsurprisingly, when news of the hacks emerged stock prices plummeted.
Oftentimes, the hacking of a company’s social media accounts causes permanent damage to the brand image. The compromising of a social media account could even allow hackers to launch further attacks, especially if passwords are shared across multiple platforms.
Two-Factor Authentication – An Essential Security Control
If you want to improve the security of your website or online services, setting up two-factor authentication is one of the best protections to implement.
Login names are easily obtained by cybercriminals, and passwords can all too easily be guessed. Many people still use “password”, for example, or their date of birth. 1234567890 is also a surprisingly common password and one that is very easily guessed.
Enforcing secure passwords is essential. Force users to include capital letters, numbers, and special characters when creating passwords. Then add a second step that needs to be completed. Make sure the user registers an email address or a mobile phone number, and then verify these by sending an email or SMS text.
Whenever an access attempt occurs using a different device to that used during the registration process, a code should be sent via email or SMS. If that code cannot be provided by the user, the account should be blocked.
This will ensure that even if a password is obtained by a cybercriminal, access to the account will not be possible unless the person has also managed to gain access to the email account used to register, or has the victim’s mobile phone.
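The flow described in the last three paragraphs, as an added example that is not part of the original article: a password-policy check, a verification code sent at registration, and a fresh code whenever a login arrives from an unrecognised device. The Account class, the send callback, the 12-character minimum, the five-minute code expiry and the three-attempt limit are assumptions made for illustration; the article specifies none of them.

```python
"""Constructed example: password policy plus a code challenge for new devices."""
import hashlib
import hmac
import re
import secrets
import time

MIN_LENGTH = 12     # minimum password length (assumption, not from the article)
CODE_TTL = 300      # seconds a code stays valid (assumption)
MAX_ATTEMPTS = 3    # wrong codes tolerated before the account is blocked (assumption)


def password_problems(password):
    """Return the policy rules a candidate password fails (empty list = acceptable)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"fewer than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password), "no capital letter"),
        (re.search(r"[0-9]", password), "no number"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [message for ok, message in rules if not ok]


def _digest(secret, salt):
    # Salted, slow hash: neither passwords nor codes are kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Hypothetical account record; send(contact, code) stands in for email/SMS."""

    def __init__(self, username, password, contact, device_id, send):
        problems = password_problems(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self.username, self.contact, self.send = username, contact, send
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _digest(password, self.salt)
        self.known_devices = set()
        self.pending = None        # outstanding challenge, if any
        self.code_failures = 0     # per account, so requesting a new code does not reset it
        self.blocked = False
        # Registration: the contact must prove it receives codes before the
        # registering device is trusted.
        self._challenge(device_id, time.time())

    def _challenge(self, device_id, now):
        code = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
        self.pending = {"hash": _digest(code, self.salt), "device": device_id,
                        "expires": now + CODE_TTL}
        self.send(self.contact, code)

    def login(self, password, device_id, now=None):
        now = time.time() if now is None else now
        if self.blocked:
            return "blocked"
        if not hmac.compare_digest(_digest(password, self.salt), self.pw_hash):
            return "denied"
        if device_id in self.known_devices:
            return "ok"
        self._challenge(device_id, now)    # right password, unrecognised device
        return "code_sent"

    def confirm(self, device_id, code, now=None):
        now = time.time() if now is None else now
        challenge = self.pending
        if self.blocked:
            return "blocked"
        if challenge is None or challenge["device"] != device_id:
            return "denied"
        if now > challenge["expires"]:
            self.pending = None            # stale code: a new login must request another
            return "denied"
        if hmac.compare_digest(_digest(code, self.salt), challenge["hash"]):
            self.known_devices.add(device_id)
            self.pending, self.code_failures = None, 0
            return "ok"
        self.code_failures += 1
        if self.code_failures >= MAX_ATTEMPTS:
            self.blocked, self.pending = True, None
            return "blocked"
        return "denied"


def demo():
    """Constructed walk-through: registration, known device, then a stolen password."""
    outbox = []                            # stand-in for the email/SMS gateway

    def send(contact, code):
        outbox.append((contact, code))

    account = Account("alice", "Correct-Horse-42!", "alice@example.com", "laptop", send)
    results = [account.confirm("laptop", outbox[-1][1])]              # contact verified
    results.append(account.login("Correct-Horse-42!", "laptop"))      # known device
    results.append(account.login("Correct-Horse-42!", "unknown-pc"))  # new device
    wrong = "000000" if outbox[-1][1] != "000000" else "111111"       # code never seen
    for _ in range(MAX_ATTEMPTS):
        results.append(account.confirm("unknown-pc", wrong))
    return results


if __name__ == "__main__":
    print(demo())
```

The failure counter is kept on the account rather than on the individual challenge, so someone holding only the password cannot earn fresh guesses by triggering a new code.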
Twitter has suffered two major security breaches that have exposed the login credentials of hundreds of thousands of its users. In response to the incident, a number of additional security controls have been considered. The best solution was deemed to be the addition of a two-step authentication process.
This will not guarantee another data breach will be prevented, but it will make sure that it becomes a lot harder for hackers to gain access to login credentials. The new controls are likely to put off all but the most skilled and determined cybercriminals from attacking Twitter in the future. There will be much easier targets they can attack.
Two-step authentication is an important security control. In order to create an account, a user must sign up and create a login name and a password. The second step in the process, which will shortly be added to Twitter, is the requirement to have a code sent to an email address, mobile phone or the Twitter app.
The additional control will log the user’s device. If another device is used to log in, another code will be sent to the app, phone or email account used to register. If the code is not entered, access to the account will not be permitted.
Wired.com has recently reported that Twitter is in the process of testing the new security measure before making it live. Once testing has been completed it will be rolled out to all accounts. This will not come a moment too soon. Cybercriminals are targeting social media networks, and if security measures are inadequate, data breaches will be suffered.
Social Media Networks are an Attractive Target for Cybercriminals
The networks are a big target for hackers and cybercriminals. The data stored in user accounts can be considerable. The data can be used to conduct highly effective spear phishing campaigns. With detailed information about each user, those campaigns can be very convincing.
Criminals can use stolen data to craft emails that the user is likely to respond to. They can find out who their contacts are, and make an email appear that it has been sent by a friend. That makes it far more likely that the target will click a phishing link or open an infected attachment.
Not only that, passwords are often shared across websites. Many people use the same password for Twitter as they do for their online banking and for work. One single password could potentially give a criminal access to much more than a social media account.
Phishing emails are being sent with increasing regularity
In the first half of 2012, phishing attacks are estimated to have increased by 19%. Many criminals still use email as the vector of choice, but many are now targeting social media networks. Criminals are finding it is easier to use Facebook and Twitter to get users to click on links to phishing websites. People even unwittingly share phishing links with their friends, helping the attacker infect more machines and steal more passwords.
Phishers are targeting individuals, but many are after a much bigger prize. If a user’s work computer is compromised, it can allow access to be gained to a corporate network. In fact, businesses are now being increasingly targeted using phishing campaigns.
These campaigns are far more sophisticated than in years gone by. The emails and social media posts are much harder to identify, and many employees are convinced to (unwittingly) download malware and viruses.
Unfortunately, many businesses are still not addressing the risk and have failed to implement adequate security controls. Some employees have not even been trained how to identify a phishing email!
Unless greater investment goes on improving security protections, and further training is provided to the staff, it will only be a matter of time before a network is compromised, customer data is stolen, and corporate secrets sold to the highest bidder.
The rise in popularity of social media websites such as Facebook, Twitter, LinkedIn and Google+ has had a significant impact on employers. Many employees would rather spend their entire working day on these websites than completing work duties. Many employees waste an extraordinary amount of time on Facebook, YouTube and similar websites.
Employees will always find a way of wasting time, so the increase in use of social media at work is unsurprising. However, employers who ban employees from accessing the websites – such as by using a web content filter – may find that they are actually shooting themselves in the foot. Allowing employees to spend a little time on social media websites can actually be beneficial for a company, resulting in employees being happier at work. Happy staff are actually more productive.
If an organization does not implement a total ban on employees accessing social media and social networking websites, it is essential that staff usage of the sites is monitored. Most employees will use the websites responsibly, but there will always be some cases of social media abuse at work. The aim must be to keep that to a minimal level.
Installing a Web Filter to Block Social Media Abuse at Work
The installation of a web filter and Internet monitoring software lets employers block access to certain websites and monitor usage of others. Web filters can be configured to block a specific website for an entire organization, for groups, or for specific individuals. If an individual is excessively using social media at work, it may be appropriate to block them from accessing the sites from their work computer. Access to the websites can be made a privilege, which can be taken away if an individual is found to be abusing the good nature of their employer.
Some employers prefer to ban all employees from using the websites, but there is a problem with this. This tells the staff that you do not trust them to be able to achieve a good balance. Also, blocking social media usage at work can have a significant negative impact on staff morale. The more restrictions are put in place at work, the less happy staff members are likely to be, and unhappy staff means low productivity.
The banning of social media site access at work isn’t always about stopping staff members from wasting time online instead of working. Use of the websites carries a data security risk. Phishers, scammers and spammers use Facebook and other social networking websites. If employees use the sites at work, view posts, click links or even download files from the sites, they could inadvertently install malware on their computers. If malware or viruses are installed, hackers and other cybercriminals could easily gain access to a corporate network and steal confidential data or gain access to corporate bank accounts.
It is therefore essential that actions are taken by employers to prevent social media abuse in the workplace, to prevent a fall in productivity and to ensure that risks are not taken by staff members that could potentially result in networks being compromised.
Tips to Prevent Social Media Abuse at Work
Purdy Fitzgerald Solicitors have recently issued some advice to organizations that are concerned about the use of social media websites by employees. Two of the most important elements have been detailed below:
1. Monitor Employees’ Use of the Internet and Email in the Workplace
If employees are allowed access to the Internet at work, then the websites they visit must be monitored. The same applies to email. It is now standard practice to monitor Internet use at work to ensure that risky or dangerous sites are not visited. Websites containing offensive material must not be viewed and email must be monitored to make sure it is not being abused. To avoid social media abuse at work, site usage should be monitored, although care must be taken, especially if personal information is being entered into these websites. Data protection laws may apply.
The Article 29 Working Party, an advisory group comprising members of data protection authorities in the European Union, has produced a document which can help employers not fall foul of the law. Even though employees choose to use their work computer to access social media websites and send email, they have privacy rights. They have a legitimate expectation that employers will not violate those rights. That said, employers must take steps to prevent abuse, and they are allowed to do so by law. They are permitted to monitor the activities of employees to ensure their businesses are being run efficiently.
It is important to strike the right balance: monitor computer usage to ensure employees do not abuse Internet access, but not to the point that employees’ privacy is violated.
2. Develop Internet and Email Usage Policies to Prevent Social Media Abuse at Work
If access to the Internet is provided to staff members, they must be informed of company policies covering the use of the Internet: the websites that cannot be visited; what information can be entered on websites; the type of material that can and cannot be downloaded; and the acceptable use of social media and other web 2.0 sites. These policies must be concise and easy to read, but should also be comprehensive.
Policies should cover chat rooms, blogging, social media websites, and the permitted and prohibited use of the Internet and email. Policies should also detail the types of devices that can be used to access email and the Internet.
There have been a number of cases of employees having had their contracts terminated due to Internet and email abuse at work. However, some of those employees have taken their cases to Employment tribunals. Employers who terminate work contracts for Internet and email abuse are likely to have those decisions overturned if they have not issued staff members with policies covering allowable and prohibited uses of the Internet. In some cases, employers have been found to have unfairly dismissed staff members and have had to pay damages simply because company policies on usage have not been explained.
What Should be Included in Social Media Policies?
Each company’s Internet, email and social media usage policies will be unique. When writing usage policies, each company must carefully assess the advantages and disadvantages of allowing employees to access social media websites, surf the net for personal reasons, and use email accounts to send personal email. The aim should be to restrict usage, but to make policies workable. It is important that all members of staff are provided with the policies and that they are put on display in a highly visible location.
Social media usage must be stated in the policies, and they should stipulate whether accessing websites such as Facebook is prohibited or permitted in moderation. Policies should detail which departments are permitted to use the sites, and the allowable uses and general conduct of employees while on these websites should also be stated.
For instance, a policy may be put in place that prohibits employees from posting disparaging remarks about their employer on social media websites, or that employees are not permitted to upload material or download files from social media websites while at work.
Since everyone may have a different understanding of “social media” it is advisable to specify this in the usage policies. Employees may not think they are using the sites inappropriately, whereas managers may consider usage levels to equate to social media abuse at work.
It is also essential that usage policies advise employees of the consequences of breaching company rules. Employees’ conduct online should be treated in the same manner as general conduct in the workplace, and the disciplinary policies must similarly be stated. For instance, employees found to have viewed, downloaded, or even uploaded pornographic material while at work will face instant dismissal and termination of their work contract. Get your policies right and it will help you to prevent social media abuse at work. Fail to issue policies and you will be asking for trouble.
A recent survey conducted by SpamTitan Technologies indicates the vast majority of companies are prepared to terminate the contracts of employees for inappropriate social media use, such as exposing confidential data on social media networks. The corporate social media usage study showed that 87% of respondents would consider firing an employee for inappropriate social media use if company policies were violated.
Only 16% of companies think social media use at work is acceptable
The use of social media channels during work time is frowned upon by most companies. Many turn a blind eye to a little social media time during the working day, but only 16% of organizations taking part in the study said that they actually think it is acceptable for the staff to spend some time on Facebook, Twitter, LinkedIn and other social media networks.
The threat of termination of employment contracts for misuse of social media, in particular the posting of confidential information or disparaging remarks about an employer, is not an empty one. According to a study conducted by Osterman Research, one company in six has already made the decision to terminate at least one employee’s contract for inappropriate use of social media in the workplace.
With the rise in popularity of websites such as Facebook, Twitter and LinkedIn, it is understandable that members of staff with Internet access are tempted to spend a little of their working day checking their accounts. For many employers the main issue is not the loss of productivity that occurs as a result of inappropriate social media use. It is the security threat that inappropriate social media use introduces.
Malware is rife on Facebook
Social media websites are a honeypot for cybercriminals and malware is rife on the sites. Online criminals trawl Facebook, Twitter and LinkedIn looking for corporate data, while phishers seek information that can be used to conduct spear phishing campaigns.
Twitter now has 145 million active users and Facebook has 845 million users around the world. Many of these users are accessing their accounts during working hours too. Osterman discovered that 36% of employees use part of their working day to check Facebook and that figure has increased by 28% over the course of the past year. Twitter and LinkedIn are also being used at work. There has been a 6% jump in Twitter use and a 7% hike in LinkedIn use in the workplace over the course of the past 12 months.
With so much social media use, it is clear that any company that has yet to develop a policy on acceptable use of social media networks during working hours will have to do so soon. Interestingly, while almost one in nine companies would be prepared to fire an employee for inappropriate social media use, only 22% actually have a policy in place covering the use of social media sites at work.
Facebook, Twitter, LinkedIn and YouTube use carry major risks
The loss of productivity resulting from personal Internet time is considerable. A recent ISACA survey conducted on “Shopping on the Job” revealed that 40% of companies said the loss of productivity as a result of employees using websites for personal reasons was costing them at least $10,000 a year.
There is also the potential for damage to a company’s reputation. Take Domino’s Pizza for example. The company has just been forced to fire employees for posting a video of themselves playing with customers’ food at work. Even the clergy is not immune. A bishop was recently issued with a suspension for posting disparaging comments online – in this case the comments related to the Royal wedding of the Prince of Wales and Kate Middleton.
Perhaps the most damaging aspect of inappropriate social media use at work is the threat to corporate security. Facebook in particular is being used by unscrupulous individuals to spread viruses and malware. A link contained in a post about the latest viral video is sure to attract a lot of clicks. If that link directs people to a website containing malware, malicious software could easily be downloaded to a work computer. Installed malware could then be used to launch an attack on a corporate network.
How to control social media usage and protect corporate networks
There is no single solution to the problem of inappropriate social media use that can be adopted by all companies. Banning social media use entirely may be neither practical nor appropriate. Use of the networks can offer advantages, but the cons will outweigh the pros unless usage is monitored, managed and controlled. An Internet security policy is therefore essential to combat the increasing risk from viruses and malware. Companies are also advised to install a web filter. This will at least prevent users from visiting malware-ridden websites. It can also be used to block access to social media websites at work, should that be required.
Social networking websites are here to stay. They may have been created to give people an easy way to stay in touch with friends, family and meet new people, but there are considerable benefits for businesses. In fact, any business that has not yet embraced the social media revolution is likely to be losing customers to competitors.
However, social media use at work does carry security risks and employees may spend a lot of their working day posting status updates, reading articles, and communicating with their contacts.
A study was recently conducted by Proskauer Rose that set out to explore some of the problems businesses are having with social media website use by employees. It would appear that social media access is not being effectively managed by some businesses, and employees are spending too much time accessing the likes of Facebook, LinkedIn, Twitter and Pinterest.
Key findings of the Proskauer Rose social media study
- Social media misuse was reported as being a problem for 43.4% of respondents
- 3% of companies have taken disciplinary action against employees for misusing social networks
- Surprisingly, 45% of companies do not have a social media or Internet policy covering usage at work
There are benefits to be gained from allowing employees to have some time each day to access the websites, should they wish to do so. Unfortunately, the drawbacks can outweigh the advantages if care is not taken and usage is not effectively managed.
In addition to time being spent on the websites instead of work being performed, there is a considerable risk to network security. Malware and phishing schemes are rife on social media networks. Then there is the issue of wasted bandwidth. On the plus side, employee productivity can be increased by allowing some time to access accounts each day, and businesses can harness the potential of social media and get closer to their customers.
Provided use is managed, the benefits can outweigh the disadvantages. The solution is to implement policies to control usage in addition to software solutions to block access if necessary.
Protecting networks from attack and controlling social media use at work
Simply implementing a ban on accessing the websites is rarely an effective strategy. Staff morale can fall, and end users will carry on accessing the websites if they want to. They may just use their Smartphones to do it instead. The best methods to use to keep networks secure and control access are:
Implement Web technology solutions to protect corporate networks
Many companies use a web filtering solution to prevent employees from accessing websites that are inappropriate for the workplace. Bans on gambling websites, pornography, and file-sharing sites, for instance, are common. It may be tempting to use web filters to block all social media websites as well, but this would prevent the company from maintaining a social media presence.
Some web filters offer much more granular controls. They can quickly and easily be configured to block certain user groups from accessing the websites.
SpamTitan Technologies offers such a solution. The web filter means that HR departments can work with IT to implement appropriate controls that allow employees some time to access the sites, while ensuring that the social media needs of the business can be met.
Role-based settings can be implemented and can even be set at an individual level. If misuse becomes a problem, an individual can lose the right to access the sites at work. If one employee misuses Facebook, the whole workforce, including those who use the sites responsibly, should not be penalized.
Implement an Internet and Social Media Usage Policy
Regardless of your decision on social media use at work, you must implement a policy to cover usage. Your policies should cover acceptable use of the Internet, the types of web content that cannot be viewed, and the repercussions for attempting to view objectionable or banned content. If you do not have policies in place, from a legal standpoint you may have difficulty taking action against individuals for inappropriate use.
It is important that Internet and social media restrictions are explained to staff members in terms of the risk they pose to the business. Restricting access is not only about ensuring time is spent productively. Cybercriminals are targeting businesses using malware, viruses and phishing campaigns. It is also all too easy to inadvertently infect a computer with malware or become part of a botnet.
Develop policies to cover usage, explain the risks and they can be effectively managed without implementing an unpopular and counterproductive social media ban.
A new study recently published by Osterman Research indicates there are major Facebook malware risks that many companies are not aware of. Furthermore, those risks are very real. 24% of companies have discovered malware has affected their corporate Facebook pages.
The risk of malware affecting corporate social media pages is considerable, with Facebook the main social media network that has been attacked by criminal gangs. LinkedIn and Twitter can also be risky, but only 7% of companies have had their Twitter and LinkedIn accounts infected.
The problem could actually be far worse. The study revealed that many IT security professionals were not even aware if their social media accounts had been hacked or infected with malware because they never check.
Employees’ social media use during working hours has increased significantly
Researchers at Osterman discovered the use of social media sites by employees during working hours had increased significantly over the past year. The survey results revealed that 36% of employees of corporations were accessing their Facebook accounts during office hours. Last year the figure stood at just 28%.
Use of Twitter during working hours is also increasing. Last year, 11% of employees were using Twitter at work, while this year the figure has risen to 17%. The same is true for LinkedIn, with employee use rising from 22% to 29% over the same period.
Employees are a major risk to corporate network security
It is clear that social media accounts are being targeted by hackers and cybercriminals; and, as the sites grow in popularity, the problem is only likely to get worse. Furthermore, when employees access social media sites at work they could be placing corporate networks at risk.
As more employees use social media sites during working hours, and more time is spent by individuals on those sites, the risk to data security increases. Personal information is being shared on the sites, but some employees are also sharing corporate information. Sometimes this is deliberate, other times potentially sensitive data is unwittingly shared.
Criminals trawl social media websites looking for information to launch spear phishing campaigns
A great deal of information is being posted on social media accounts. Some users choose to share their posts only with their nearest and dearest. However, friends of friends can also view posts in many cases, and even individuals who are careful about who they accept as friends, may find their content read by friends who have a much more carefree attitude when it comes to accepting new friend requests. Oftentimes, posts are made public and can be viewed via the search engines by anyone with Internet access.
Criminals are now using the wealth of information that is freely available on these social media sites to build up a considerable amount of knowledge on individuals. That information can then be used to launch highly convincing spear phishing campaigns. Those campaigns can result in user accounts being compromised, and malware being installed on the devices used to access the sites. If the site is accessed on a work computer, corporate networks could also be threatened.
Many Facebook posts contain links to phishing and malware-ridden websites
Facebook posts and pages contain useful information, details of great products, excellent jokes (occasionally), funny memes, and cool viral video content. Unfortunately, there are also links to very nasty websites. The content may be great, but the links can be a serious security hazard. Just clicking on the links could result in malware being downloaded. The problem is, it can be very difficult to tell which websites are malware-free and which should carry a public health hazard warning.
An administrative assistant may click on a link, but so could an account executive, IT security professional or even a CEO. All business users could potentially fall for a scam, or be convinced to visit a website as a result of reading a post, only to end up downloading a Trojan, keylogger or nasty piece of ransomware.
Many users are not particularly security aware and end up sharing passwords between personal online accounts. Unfortunately, many also use the same passwords to access their work computers as their own personal accounts.
Even when password policies exist that force employees to use strong passwords, if malware that contains a keystroke logger has been downloaded onto their work PCs, even unguessable passwords will be revealed. Once this information has been sent to the hackers’ command and control center, attacks on corporate networks can easily be launched. Should the password and login of a member of the accounts department be obtained, company bank accounts could well be emptied.
Social media malware and phishing protection is essential
All users of corporate social media accounts must exercise caution when visiting social media websites and employees must take care not to inadvertently place their employer’s network at risk of a cyber attack. Due to the high security risk, it is essential that social media use (and email for that matter) is monitored closely.
Companies that develop policies covering the use of social media websites at work are likely to be better protected from malware. Employees must also receive training on acceptable uses of social media at work and must be informed of the potential risks and social media best practices. They may be using their personal accounts at work and this could impact work computers and networks. If they are not made aware of the risks, they are likely to continue to engage in risky online behavior.
Fortunately, there are a number of tools that can be used to reduce the risk of malware infections via social media websites. Spam filters can be used to protect users from phishing campaigns sent via email and web filters can be employed to prevent users from visiting websites that are known to be risky.
Alongside training of the staff on good security practices such as archiving old emails, risks can be kept to a minimal level. If little effort is put into security, and use of social media websites is not overseen, organizations will be leaving themselves wide open to cyberattacks. Those attacks are likely to cost far more to resolve than it would have cost to pay for security training and a spam and web filtering solution.
Recent research shows that the use of social media websites at work is on the increase, with many employers seeing Facebook and Twitter usage at work as being particularly problematic. A new study from Palo Alto suggests that since 2010, the use of Facebook at work has tripled. Twitter use is also increasing, and at a far higher rate. The study showed that usage has increased by 700% during the same period.
Facebook and Twitter usage at work: Is it really a problem?
The increase in time spent on social networking websites is not all about employees accessing their personal accounts at work. Many companies have started using social media websites to connect with clients and customers. The sites are an incredibly useful way of getting closer to customers. Corporations can use social media to find out what customers really want and what they really think of the organization. They are now essential for many businesses, allowing customer service standards to be improved, while the sites can also be used to effectively promote goods and services. The latter is arguably far cheaper than TV adverts and newspaper and magazine adverts.
Nowadays, it is actually a rarity for a business not to have a Facebook and Twitter account. In many cases, companies provide employees with a range of tools to manage social media accounts to send Tweets on Twitter or post content to Facebook.
Social media introduces security risks
There is no denying that social media is useful for businesses. In fact, having corporate accounts is now sometimes considered essential. Unfortunately, the use of these websites is not without risk. Operating a Facebook page and running a Twitter account potentially exposes a company to malware, viruses, and cyberattacks. The sites take up a lot of valuable bandwidth. Social media websites can also take up a huge amount of time and produce little in the way of additional revenue. The productivity of employees can be seriously reduced if they are spending too long accessing their personal accounts.
While companies are using social media sites more, there is a concern that employees are spending too much time on the sites for non-work related matters. Many employees do spend a considerable amount of work time maintaining their own personal presence on Facebook, Twitter and Google+.
The researchers have acknowledged that employees do spend time on their own accounts, but say that much of the extra time spent on the sites is in fact work-related. Consequently, it has been suggested that employers should not be overly concerned about the rise in reported social media use at work.
While it is a fairly easy process to determine how long is spent on social media sites, it is not quite so easy to calculate how much time is spent on work-related matters and how long employees are spending on their own accounts. Any company concerned about personal use of social media accounts should develop clear policies on acceptable use of social media websites. That is arguably the easiest first step to take to address personal use.
Personal use of the sites must be monitored and managed, and it is vital that policies are developed to tackle personal use. That includes the time spent on the sites as well as the information that is posted. Facebook and Twitter usage at work is likely to be a problem if controls are not put in place to limit access, or if policies are not developed to determine acceptable levels of Facebook and Twitter usage at work.
Get the balance right and social media can be of great benefit to your business, but get it wrong and it will just be a huge drain on time, resources and money. It could also result in your systems being compromised. Social media sites contain a considerable amount of malware, and phishers use posts to trick users into revealing personal and corporate information.
Some employers may feel the security risk from Facebook and Twitter usage at work warrants a company-wide ban on site access in the workplace. If that is the case, a web filter is the easiest way to block usage. A flexible product will also allow usage for certain departments to ensure that corporate accounts can still be accessed, or can be used to block malware without blocking access to the actual websites.
Last week, SpamTitan issued a press release about its new social media cost calculator. The calculator was developed to help companies estimate the amount of man hours (and therefore money) they are losing as a result of employees accessing social media websites at work. The SpamTitan social media cost calculator has proved popular and attracted a great many online comments.
Calculating the true cost of social media site use by employees
In order to calculate the true cost of social media, SpamTitan took a close look at social media usage statistics. An average profile for a typical organization was created and data was extrapolated to provide an estimated annual cost.
The results of the calculations showed that a typical company loses approximately $65,000 every year as a result of employees spending time checking and posting information on Facebook, Twitter, LinkedIn and the myriad of other social media and social networking websites. SpamTitan calculated that the figure corresponds to 5% of every employee’s salary being wasted on personal social media use.
Many of the comments came from individuals who thought we were suggesting that all organizations should install a web filter and implement a company policy that bans the accessing of all social media sites at work. This was not our intention. There are advantages to allowing members of staff access to social media sites at work. There are also many disadvantages to banning access. Managers will be well aware that social media websites are being accessed by employees, and that employees spend a considerable amount of time on those websites. What they perhaps do not know is how much time is spent, and how much this is costing them. That is information they need to know.
Should social media site access be banned at work?
Companies should make a decision about the use of social media at work. They will need to assess the benefits of allowing the staff some “Facetime”, and the disadvantages from the loss of access rights. There are also many legal considerations to take into account, and the accessing of these sites also raises a number of privacy and security concerns.
Many organizations may like to ban the accessing of the websites; but, in reality, doing so is complicated. It is not possible to implement a web filter that blocks all social networking and social media sites for everyone in the organization. The marketing department will need to access those websites. The IT department may do too for work purposes. A company-wide ban may not be realistic.
Some employees may only spend a few minutes a day on the sites, or may access them when they do not have work duties to complete. Some may only use the websites during coffee breaks. Should those individuals be banned from using the sites when it doesn’t impact on their work duties?
Something else worth considering is whether it is better to allow staff to use their work computers to access the sites than have employees access them surreptitiously on their Smartphones. Is it better to be able to monitor use of the sites?
One of the most workable solutions is to put policies in place covering the use of social media websites and to instruct employees that the use of the sites must be kept to a minimum. If used in moderation, social media site usage need not result in a major cost to the business. However, it must be possible to control use of the sites and, for that, a web filter can be highly beneficial.
Provided that the chosen web filtering solution is flexible, and can allow controls to be put in place for the entire organization, departments´ – or individuals´ – usage can be effectively controlled without implementing a blanket ban. The same web filter can also be used to block other websites – those containing malware.
Would a social media site ban work in your organization? Would productivity fall further due to unhappy staff?