Remember that old New Yorker cartoon of the two dogs at a computer? One confides to the other, “On the internet, no one knows you’re a dog.” Today, if you are on social media, the issue may be, “In social media, does anyone know for sure that you are … you?”
And how do you know that someone you are following is truly who they say they are, barring something like Twitter’s Verified Account badge? And that business celebrity who has supposedly sent you a LinkedIn invitation to connect? How’d that big name happen to pick you?
Trusted, because … why?
We often accept at face value—literally face value, given photos on social media, which are easily faked—that people are who they say they are online.
“It comes down to the trust model of social media,” says Dr. Shane Shook, chief strategy officer at ZeroFOX, a security vendor, in an interview.
Yet malware, hacking, and other electronic risks can thrive in an environment like social media, where “social engineering” builds trust on very little foundation.
“Social media is like a gold mine for cyber criminals,” says Shook.
Shook won’t connect with anyone on LinkedIn, he says, who hasn’t contacted him by email first, and he will likely Google the person before accepting that connection, if they haven’t met personally.
Because social media hinges so much on trust, “the potential problems have been staring us in the face,” says Shook. Though an expert in cyber-risk issues, with related experience in banking, consulting, and the military, Shook says the exposures of some aspects of social media took some time to become apparent to him. He says he, like many other people, grew comfortable with social media very quickly.
Exposures within the “trust”
Social media risk for banker users can take several forms.
One is profile hijacking, either of one’s personal identity or potentially one’s company. A bad actor posing as a bank officer or a banking company can use the impersonated identity to tap into that party’s “network of trust,” says Shook. That can be used to spread malware and other threats to the unsuspecting.
Conversely, bank social media users can fall for such risks themselves, inadvertently exposing their computers or mobile devices to threats. Those threats, in turn, may infiltrate bank systems.
Social media threats don’t have to be high-tech, necessarily.
Simply spreading bad information can do damage. Shook notes that a bit more than a year ago the Associated Press Twitter feed was hacked, and as a result a phony report was tweeted out that the White House had been attacked and the President injured. At social media speed, such misinformation or even disinformation can run rampant in minutes.
Banks and other financial providers risk “brand infiltration” by those who would pose as those companies. And it is estimated that multiple millions of fake accounts exist on such mainstream platforms as Facebook and Twitter.
You can’t just lock the door anymore
In the late 2000s, notes a ZeroFOX white paper, technological threats of social media, such as downloading malware from a social link, were solved by simply banning social media use at work.
The paper cites research indicating that in 2009, three-quarters of companies surveyed blocked social media access at work. But in 2013, only one company in four did.
“However, this did not mitigate risk for a multitude of reasons—most notably because businesses need social media to drive marketing, brand presence, and sales,” the paper continues. “Accordingly, organizations need a way to use social media safely so that they can derive the benefits of social media while mitigating its associated risks.”
Beyond some of the common sense precautions that Shook referenced earlier, there are tools like his company’s cloud-based software platform, which identifies, manages, and mitigates information security risks related to social media.
ZeroFOX’s white paper notes that companies must recognize that social media, and its threats, range far beyond the common platforms people generally think of—Twitter, Facebook, LinkedIn, and Google+. Many more platforms, including blogs, messaging, and more, are out there. The paper points out that even online games and other applications may now have social functionality, which opens up new channels of communication but also exposure to risks.
“Social media has really opened up a lot of new frontiers of risk,” says Shook.