Companies face increasing threats derived through the use of social media channels which can result in loss of customer confidence, trust and ultimately, share price value. Those that seek to attack individuals and organisations in cyber space use social media extensively to organise and perpetrate their activities.
Online threats, not all of which are social media based, have been around since the late 1970s and the establishment of the Internet. However, the growth of social media since the start of the millennium and the sudden rise in ‘hacktivism’ has seen the threat environment change substantially. There is a growing need to utilise social media in defence of company and individual reputation, to gather information to develop intelligence and to act on this for protection.
Monitoring online content and social media is one of the most important defence mechanisms an organisation can undertake yet this is an area few organisations adequately address. It provides information on the organisation’s online footprint and the activity of those seeking to target them. The provision of advanced warning of a potential attack enables an organisation to prepare a defence and response.
A static approach to risk management is no longer adequate
The traditional “point in time” risk assessment and management approach is no longer sufficient. The speed of social media threat can be very rapid with many developing in real time and coming to fruition in a matter of days. This rate of development has rendered the traditional static security posture inadequate and can lead to both inefficient and ineffective use of resources.
For successful reputation management, a response plan needs to take into consideration the speed and breadth of communication propagation that is achievable using social media. Simple monitoring of Twitter or Google searches can be inadequate due to the pace of change and potential for escalation in social media. The threat environment can change rapidly within a few hours. With threats continuously changing in this manner, real time monitoring of the environment is required if enough time is to be gained in order to adopt a defence.
The malicious use of social media information
The potential for malicious use of personal information accompanies social media use. High profile individuals or those with specific access may be attacked using information that has been placed in open source by their family, friends and contacts. Such information may be found by an attacker on social networks such as Facebook and LinkedIn.
An attacker is often able to find a wealth of information in social media, which enables a profile to be built for an individual and an enticing phishing email to be constructed. The resultant email is able to engender a high degree of trust and/or interest by bearing information that is personal to the recipient. Several attacks have been successful by targeting individuals working for organisations in the supply chain of the target and using the existing relationship as a trust factor.
Information that has already been leaked or disclosed can also yield useful information to an attacker. Name and password combinations attributable to individuals working with the target organisation are often amongst leaked information. As many people use a single name and password combination across multiple services for ease of memory, it is likely that some combinations found in leaked information will remain functional across some services.
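The triage a defender can run on leaked name and password data is sketched below as an added example; it is not part of the original article. It finds the organisation's own accounts in several dumps and puts first those whose same password appears in more than one dump, which is the reuse described above. The domain `example.com`, the record format and the sample records are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumption: the organisation's mail domain
RECORD = re.compile(r"^\s*([^\s:;@]+@[^\s:;@]+)[:;](.+)$")  # login, separator, password

# Constructed sample records (dump name, raw line); not real leak data.
SAMPLE_LEAKS = [
    ("forum-dump", "alice@example.com:Spring2014!"),
    ("shop-dump", "Alice@Example.com;Spring2014!"),
    ("shop-dump", "bob@example.com;x9$Lq2"),
    ("forum-dump", "carol@other.org:hunter2"),
    ("forum-dump", "malformed line without separator"),
    ("paste-site", "bob@example.com:different-pass"),
]


def parse_record(line):
    """Return (lower-cased login, password), or None for a malformed line."""
    m = RECORD.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def triage(leaks, domain=ORG_DOMAIN):
    """Return {account: {"sources": [...], "reused": bool}} for our domain."""
    # Passwords are reduced to SHA-256 digests held in memory only, so equal
    # passwords can be matched across dumps without keeping the plaintext.
    seen = defaultdict(lambda: defaultdict(set))  # account -> digest -> dumps
    for source, line in leaks:
        parsed = parse_record(line)
        if parsed is None or parsed[0].rsplit("@", 1)[1] != domain:
            continue  # malformed line, or an account outside the organisation
        digest = hashlib.sha256(parsed[1].encode("utf-8")).hexdigest()
        seen[parsed[0]][digest].add(source)
    report = {}
    for account, digests in seen.items():
        sources = sorted({s for dumps in digests.values() for s in dumps})
        reused = any(len(dumps) > 1 for dumps in digests.values())
        report[account] = {"sources": sources, "reused": reused}
    return report


def reset_priority(report):
    """Order accounts for password reset: cross-dump reuse first, then by name."""
    return sorted(report, key=lambda a: (not report[a]["reused"], a))
```

Every account in the report warrants a password reset; the `reused` flag only decides the order in which they are handled.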
Creating the right balance
After reading the above, one might feel it best not to use social media. However, this too presents the opportunity for threat. If a company does not have, for example, a Facebook profile, there is a “void”.
Voids are effectively empty spaces on the Internet, where a company publishes no official material regarding itself. Voids present an opportunity for “Cyber Squatters”. Should an organisation have no official presence, others can set up a fake profile purporting to be the company.
These sites are often filled with inaccurate or malicious content, leading to damaged reputations with customers, suppliers and other shareholders. Should this happen to an individual or organisation, they will not themselves have access to change or remove the malicious content and may be exposed for some time until a take-down request can be actioned by the service administration.
It is therefore best to achieve a state of balance where there is accurate information publicly available relating to a company, but without personal information or any content which could be deemed controversial.
Means of monitoring
Countering social media attacks starts with monitoring open sources. An organisation or individual needs to be aware of their social media presence and any associated threats as they form and take shape. Three broad categories of monitoring exist which assist with this task:
Basic search engines
Search engines currently provide free searches for names, both company and staff. In simple terms an individual manually types the name into any search engine and looks at the results. In many cases these searches can be combined with automatic alerting should a search term appear.
Whilst free and flexible, these services have their limitations; they are time-intensive, not a hundred percent accurate and companies may miss a change or development. They only locate what is intended to be found and will not search the areas which are not designed to be searched, known as ‘deep web’ or ‘darknet.’
Media monitoring services
There are several “media monitoring” services available. Primarily designed for marketing purposes, they search a variety of social and printed media for occurrences of a company or product name and display them on a dashboard.
These services are active in the background but they, too, have their limitations; they will only locate what is intended to be found, are primarily designed for marketing purposes and will not search the more clandestine and secretive areas of the Internet.
Cyber Intelligence services
Some security companies offer a personalised private service and will conduct an open source intelligence gathering exercise, sometimes finding information not designed to be found, and document the findings in a report.
These services are extremely flexible as they use human analysts to fine tune and to follow up leads; in some cases according to an ongoing priority as advised by the customer.
There are a number of advantages to such services; they are extremely flexible and customisable both in scope and detail. They allow for diversification of analysis (i.e. following up new leads perhaps into unforeseen areas) and most importantly can match threats against the actual vulnerabilities relevant to the organisation. The resultant output can make recommendations and prioritise actions.
Monitoring as part of a corporate cyber policy
Management of the organisation’s social media footprint should be an explicit tasking within the organisation – i.e. it is a fundamental aspect of the corporate risk governance regime and should be integrated into the corporate risk management strategy.
The first step in the protection of reputation and brand is awareness of the threat, which is achievable through monitoring. This knowledge then has to be mapped against the organisation’s vulnerabilities in order to assess risk and address it in an appropriate manner.
Staff must be made aware of what is considered acceptable information to be made available online and what is not, backed up by an understanding of the potential for misuse, clear policies and training.
Company policies should also be considered for their usability. Many attacks are successful due to staff circumventing company policies to deliver services to customers or suppliers. When policies are too stringent they become a barrier and staff will utilise alternative routes. In many cases, personal and company sensitive information is sent from secure corporate email systems, where functionality may be controlled, to insecure personal webmail systems so that the extra functionality available may be used to increase accessibility and productivity.
The monitoring of Internet and social media spheres, and any actions taken to defend organisations, need to form part of organisational processes such as the incident response, business continuity and disaster recovery plans rather than sit in isolation. A balanced response is essential to ensure consistency of message across all stakeholders, including other organisations in the supply chain, so that a holistic response can be presented should several organisations be impacted by the same event.
The threats posed via social media are growing, expanding and developing.
Active management and control of the organisational footprint on the Internet and social media should be an explicit tasking within the organisation. It is fundamental to the corporate risk governance regime and should be integrated into the corporate risk management strategy.
Organisations and individuals should select from the monitoring services available to provide an appropriate and cost-effective level of monitoring in order to identify the threats specific to their market, sector and organisation. The monitoring activity should form part of the corporate risk governance regime and should be supported by staff awareness and policy.
The threats must be considered against the organisation’s vulnerabilities to determine a measure of risk, which can then be appropriately mitigated.
Author: Tony Dyhouse