A new study recently published by Osterman Research indicates there are major Facebook malware risks that many companies are not aware of. Furthermore, those risks are very real. 24% of companies have discovered malware has affected their corporate Facebook pages.

The risk of malware affecting corporate social media pages is considerable, with Facebook the main social media network that has been attacked by criminal gangs. LinkedIn and Twitter can also be risky, but only 7% of companies have had their Twitter and LinkedIn accounts infected.

The problem could actually be far worse. The study revealed that many IT security professionals were not even aware if their social media accounts had been hacked or infected with malware because they never check.

Employees' social media use during working hours has increased significantly

Researchers at Osterman discovered the use of social media sites by employees during working hours had increased significantly over the past year. The survey results revealed that 36% of employees of corporations were accessing their Facebook accounts during office hours. Last year the figure stood at just 28%.

Use of Twitter during working hours is also increasing. Last year, 11% of employees were using Twitter at work, while this year the figure has risen to 17%. The same is true for LinkedIn, with employee use rising from 22% to 29% over the same period.

Employees are a major risk to corporate network security

It is clear that social media accounts are being targeted by hackers and cybercriminals; and, as the sites grow in popularity, the problem is only likely to get worse. Furthermore, when employees access social media sites at work they could be placing corporate networks at risk.

As more employees use social media sites during working hours, and more time is spent by individuals on those sites, the risk to data security increases. Personal information is being shared on the sites, but some employees are also sharing corporate information. Sometimes this is deliberate, other times potentially sensitive data is unwittingly shared.

Criminals trawl social media websites looking for information to launch spear phishing campaigns

A great deal of information is being posted on social media accounts. Some users choose to share their posts only with their nearest and dearest. However, friends of friends can also view posts in many cases, and even individuals who are careful about who they accept as friends may find their content read by friends who have a much more carefree attitude when it comes to accepting new friend requests. Oftentimes, posts are made public and can be viewed via the search engines by anyone with Internet access.

Criminals are now using the wealth of information that is freely available on these social media sites to build up a considerable amount of knowledge on individuals. That information can then be used to launch highly convincing spear phishing campaigns. Those campaigns can result in user accounts being compromised, and malware being installed on the devices used to access the sites. If the site is accessed on a work computer, corporate networks could also be threatened.

Many Facebook posts contain links to phishing and malware-ridden websites

Facebook posts and pages contain useful information, details of great products, excellent jokes (occasionally), funny memes, and cool viral video content. Unfortunately, there are also links to very nasty websites. The content may be great, but some of those links can be a serious security hazard. Just clicking on them could result in malware being downloaded. The problem is, it can be very difficult to tell which websites are malware-free and which should carry a public health hazard warning.

An administrative assistant may click on a link, but so could an account executive, IT security professional or even a CEO. All business users could potentially fall for a scam, or be convinced to visit a website as a result of reading a post, only to end up downloading a Trojan, keylogger or nasty piece of ransomware.

Many users are not particularly security aware and end up sharing passwords between personal online accounts. Unfortunately, many also use the same passwords to access their work computers as their own personal accounts.

Even when password policies exist that force employees to use strong passwords, if malware containing a keystroke logger has been downloaded onto their work PCs, even unguessable passwords will be revealed. Once this information has been sent to the hackers' command and control center, attacks on corporate networks can easily be launched. Should the login and password of a member of the accounts department be obtained, company bank accounts could well be emptied.

Social media malware and phishing protection is essential

All users of corporate social media accounts must exercise caution when visiting social media websites and employees must take care not to inadvertently place their employer’s network at risk of a cyber attack. Due to the high security risk, it is essential that social media use (and email for that matter) is monitored closely.

Companies that develop policies covering the use of social media websites at work are likely to be better protected from malware. Employees must also receive training on acceptable uses of social media at work and must be informed of the potential risks and social media best practices. They may be using their personal accounts at work and this could impact work computers and networks. If they are not made aware of the risks, they are likely to continue to engage in risky online behavior.

Fortunately, there are a number of tools that can be used to reduce the risk of malware infections via social media websites. Spam filters can be used to protect users from phishing campaigns sent via email and web filters can be employed to prevent users from visiting websites that are known to be risky.
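The web filtering the paragraph above describes boils down to checking every requested URL against a list of known-risky domains. The following is an added illustration, not code from the article or from Osterman Research: it normalizes the hostname out of a URL (so that mixed case, a trailing dot, a missing scheme or a `user@host` prefix do not slip past the check), matches the host and each of its parent domains against a blocklist, and runs that check over a few constructed proxy log lines. The blocklist entries and log lines are made up for the example.

```python
from urllib.parse import urlparse

# Constructed blocklist standing in for a web-filter feed of known-risky domains.
# These are placeholder names under reserved TLDs, not real indicators.
BLOCKED_DOMAINS = {
    "malware-example.test",
    "phish-login.example",
    "bad-cdn.invalid",
}

# Constructed proxy log lines: "<timestamp> <user> <requested URL>".
SAMPLE_PROXY_LOG = [
    "2024-01-01T09:00:00 alice https://www.facebook.com/somepage",
    "2024-01-01T09:01:10 bob http://Cdn.MALWARE-EXAMPLE.test./payload.exe",
    "2024-01-01T09:02:00 carol http://facebook.com@phish-login.example/login",
    "2024-01-01T09:03:00 dave https://linkedin.com/feed",
    "2024-01-01T09:04:00 erin bad-cdn.invalid/x",
]


def host_of(url):
    """Return the normalized hostname of a URL: lower-case, no trailing dot.

    urlparse().hostname already discards any userinfo before '@' and any port,
    which is what defeats the 'trusted-site@evil-host' trick in the sample log.
    A URL with no scheme is treated as http:// so that urlparse sees a netloc.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.rstrip(".").lower()


def is_blocked(url, blocklist=BLOCKED_DOMAINS):
    """True if the URL's host, or any parent domain of it, is on the blocklist.

    The bare top-level label (e.g. 'test') is never checked on its own, so a
    blocklist entry must be at least a registrable domain.
    """
    host = host_of(url)
    if not host:
        return False
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def filter_log(lines, blocklist=BLOCKED_DOMAINS):
    """Return (user, host) pairs for every log line whose URL the filter would block."""
    blocked = []
    for line in lines:
        _timestamp, user, url = line.split(None, 2)
        if is_blocked(url, blocklist):
            blocked.append((user, host_of(url)))
    return blocked


if __name__ == "__main__":
    for user, host in filter_log(SAMPLE_PROXY_LOG):
        print(f"BLOCKED user={user} host={host}")
```

The same host-normalization step is what a spam filter applies to links inside incoming email before comparing them with a reputation list; a filter that matched the raw URL string would miss the mixed-case and `@`-prefixed forms shown in the sample log.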

Alongside training staff in good security practices, such as archiving old emails, risks can be kept to a minimum. If little effort is put into security, and use of social media websites is not overseen, organizations will be leaving themselves wide open to cyberattacks. Those attacks are likely to cost far more to resolve than it would have cost to pay for security training and a spam and web filtering solution.