An Innocuous Post On Social Media Could Make You A High Value Target For Cyber Criminals
The stressful world of executive risk and protection primarily focuses on keeping your client safe from all manner of physical threats daily. Often, these threats are identified by visual or body language triggers from the assailants. That's bread and butter for protection officers, but what if you couldn't always see the threat right in front of you?
Unfortunately, that's the ever-increasing threat landscape that executives now face as malicious actors discover easier ways to attack or expose these executives for financial gain, reputational damage, or physical harm.
Social media content is one of the main conduits for these increased threats. We've all seen the stories of situations like CEOs and other senior executives who come under fire for distasteful, offensive, and sometimes just plain wrong posts on social media platforms. When this happens, PR teams spring into action and in most cases, the impact is lessened. But what about the potential cyber threats stemming from social media posts?
Most people don't think twice about posting that photo of their daughter's soccer game to Facebook or Instagram. Or what about that picture your son posted showing your family relaxing in the sun at your vacation villa in Vegas? Or your spouse commenting on a Facebook page about their favorite spin class at the gym? These are just parts of normal daily life, some might say. But to an attacker who's selected your company – or your company's executive – as their latest target, it's a treasure trove of intelligence, which can be closely examined to build a real-world exposure landscape of your life.
A closer analysis of the soccer game snapshot might reveal the name of your daughter's school. And further open-source research then identifies that you're a major annual donor to that school. Google Maps, Street View and other open-source tools can be used to identify the address of your vacation spot in Vegas, and the time of the post indicates you and your family are there now. And depending on where your spouse commented about their favorite spin class, those bad actors can now identify the gym and find the schedule for future classes.
These aren't complicated steps for an attacker, and they can be used to expose executives, their families, and their companies to massive risk – and it's important that we stop this before it occurs. For instance, do the three example social media posts mentioned above need to be public? Or could they be limited to family and friends only?
The evolution of social media has made it all too easy to get caught up in the desire to "show off." Perhaps this is a modern-day version of "keeping up with the Joneses." As a society, we're slowly forgetting that some things should be kept private. And that's one of the main factors in reducing the potential cybersecurity risk posed by social media. A company's new product launch should be in the public domain, but maybe your CEO's daughter's soccer photo shouldn't be.
Fixing the problem
The reality is that social media exposure isn't just a potential corporate culture problem; it could also be introducing cybersecurity risk at the executive level. The three previous examples leave the employee – or high-level executive – open to contextualized spear phishing attacks based on real-world and, more importantly, immediate and relatable scenarios. In other words, by piecing together bits of information about your life from social media sources, bad actors can create a far more realistic phishing email that you're much more likely to actually click on.
Understanding this risk potential is important, as is knowing how to combat it and how to make sure there's a top-down approach for instituting cyber and social media hygiene policies.
The facts on social engineering and social media
The human element – people making mistakes – accounts for 85% of data breaches, including accidental, inadvertent, and malicious attacks. Social engineering attacks continue to climb, with phishing and Business Email Compromises (BECs) the two most common forms of social engineering, according to the 2021 Verizon Data Breach Incident Report. Phishing accounted for about 36% of the incidents in the report.
Posting on social media is helping fuel the rise and success of these types of attacks. That's because once you create a digital profile, at least some of your information is available for everyone to see. This includes malicious actors, who are happy to harvest it.
Every piece of information is a potential intelligence source, but it's not just coming from the content you share. Social media memes and quizzes are just two examples of content that can reveal more than you intended. Think about those quizzes that ask you for the name of your first pet and other bits of information, and then think about what you regularly use for passwords. There's a good chance there's overlap – and the bad actors have that figured out.
Using this kind of content, attackers can aggregate bits of information. One or two bits aren't likely to be dangerous, but if you become the target of an attack, the bad actor will look for more crumbs of information across your social accounts. Any content that's publicly available is a potential risk.
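One concrete defensive control for the quiz-and-password overlap described above is to screen new passwords against the personal facts that are already public about the user, which is in the spirit of the "context-specific words" check in NIST SP 800-63B. The following is an added example written for this article, not code from the author or from PiiQ Media; the harvested facts, the `PUBLIC_FACTS` dictionary and the function name `personal_fact_matches` are constructed for illustration.

```python
"""Screen a candidate password against facts an attacker could harvest from
public social media posts (pet name, child's school, vacation city, gym, birth year).

Added example for illustration; the facts below are constructed, not real data.
"""

# Constructed sample of facts a hypothetical executive has made public:
# the pet name from a quiz, the school from a soccer photo, the vacation city
# from a villa picture, the gym from a spouse's comment, and a birth year.
PUBLIC_FACTS = {
    "first_pet": "Biscuit",
    "school": "Lakeside",
    "vacation_city": "Vegas",
    "gym": "SpinCity",
    "birth_year": "1974",
}

# Common character substitutions people use to "disguise" a personal word.
# Mapping them back lets "L4k3s1d3" be recognised as "lakeside".
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Lowercase and undo leet-style substitutions."""
    return text.lower().translate(_LEET)


def personal_fact_matches(password: str, facts: dict, min_len: int = 4) -> list:
    """Return the keys of every public fact the password contains.

    A fact counts as contained if it appears either literally (case-insensitive)
    or after leet-normalising the password. Facts shorter than `min_len`
    are skipped to avoid flagging incidental 2-3 character overlaps.
    """
    raw = password.lower()
    normalized = normalize(password)
    hits = []
    for key, value in facts.items():
        needle = value.lower()
        if len(needle) < min_len:
            continue
        if needle in raw or normalize(value) in normalized:
            hits.append(key)
    return hits


def password_is_acceptable(password: str, facts: dict) -> bool:
    """Policy hook: reject any password built from the user's public facts."""
    return not personal_fact_matches(password, facts)


if __name__ == "__main__":
    for candidate in ["Biscuit2024!", "L4k3s1d3!", "V3g@s1974", "correct-horse-battery"]:
        hits = personal_fact_matches(candidate, PUBLIC_FACTS)
        verdict = "REJECT" if hits else "ok"
        print(f"{candidate:24s} {verdict:7s} {hits}")
```

In a real enrolment flow the `facts` dictionary would be populated from a periodic social media exposure assessment of the user rather than hard-coded, and the check would sit beside a breached-password list lookup; the rejection message should tell the user which public fact was matched so the training point lands.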
The issue of executive risk
From the bad actor's perspective, company executives are an especially appealing target for attack for the simple reason that they likely have more access to more assets within a company.
That means the potential payoff is larger. And at the same time, there's too often a sense of invincibility when it comes to many executives – a feeling that social engineering attacks and data breaches are things that happen to other people but not them.
But as PiiQ Media researchers found, most executives publicly list information on a regular basis. A personal email address was identified in 61% of executive profiles, and a business email address in 98% of them. More than 60% had three or more social media profiles that were easily discovered. All these pieces of information can be used to craft phishing emails that target executives.
Combatting executive risk
Just as with almost any cybersecurity initiative, combatting executive risk starts with education. Most people probably don't realize that their seemingly innocuous social media activity could be putting their company at risk.
The only way to effectively reduce organizations' risk from future advanced attacks is to adopt more detailed guidelines for corporate social media use, incorporate regular employee social media risk assessments, and provide more tailored awareness training for employees, especially those at higher risk. And that means executives aren't exempt from these policies.
Combatting executive risk requires getting executives on board, so that they truly understand and support the initiatives, which is a significant challenge. The previous three examples drive home the actual risk that seemingly innocuous social media posts can introduce. Combining content and other data points can potentially assist bad actors in figuring out your password. It's important to help executives and other employees understand that the risk is not only to themselves; their social media behavior is introducing risk throughout the company.
Social but safe
Very little is sacred or safe online anymore. With all the risk that's possible now, perhaps one day we'll be nostalgic for the times when the worst thing your CEO could do was Tweet out a poorly considered opinion. Nowadays, even the most seemingly harmless social media activity could yield information that’s useful to malicious actors.
Executives are prime targets due to their level of network access, so they must be included in thorough training about proper social media use that doesn't give away anything criminals can use. Executive participation will send a message to all employees that this is a serious matter worthy of their full attention and vigilance.
(Darren Millar is a senior vice president of operations at PiiQ Media)
© Copyright IBTimes 2024. All rights reserved.