Executives face higher risks
Fake LinkedIn users pose a higher threat for executives, says Ray Kruk, a vice president in social media protection at Proofpoint. The average CEO has 930 LinkedIn connections, according to LinkedIn. “We’re seeing a lot more risk to the brand around fake users impersonating a trusted business partner and reaching out to an executive leader in the company,” he says. Using a post or a direct message over LinkedIn or another social network, the fake user includes a malware link disguised as a shortened link. Clicking on the link installs software on the executive’s computer.
If an executive were to be compromised, cyber criminals would have access to perhaps more important or sensitive data and file systems than they would have simply by trying to socially engineer an HR department to get in, Kruk says.
Most collaboration platforms are vulnerable
LinkedIn isn’t the only professionally focused social network in the crosshairs of cyber thieves. Collaboration platforms and semi-private social networks like Slack or Jive bypass the corporate controls that are in place at the network and infrastructure layers, and provide new entry points for bad actors to infiltrate a company.
“When it comes down to where the vulnerability is – it’s the human element in a cybersecurity strategy that is the vulnerable link,” Kruk says. Security policy and governance need to focus on how people interact with data, correspond over email and use tools like LinkedIn and others, he adds.
HR departments and recruiters use Slack and Jive to communicate with job candidates, but those tools are unmanaged and the company has no control over the data that goes in or out, says David King, senior manager in the internal audit, risk and controls practice at professional services firm UHY LLP.
“The biggest risk that I see with these types of services is that…if your recruiter leaves one firm and goes to another, they take all those Slack conversations with them.”
King suggests greater control and oversight to solve the problem. First, establish written policies that forbid the use of personal social media accounts for professional work. Companies can also onboard temporary or part-time recruiters in the same way they welcome full-time employees, by setting up corporate email and social media accounts for them.
“If you’re onboarding one or two recruiters a week and attrition is high, then the overhead will be high,” he says. Another option is to set up a company Slack account and eliminate personalization for part-time employees. “However, each time somebody leaves you will have to reset the credentials of that account,” King adds.
Protecting corporate systems
Companies should first make sure that employees are aware that these vulnerabilities exist. Training programs, such as simulated spear-phishing campaigns, are an effective first step, Stephen says. Endpoint security and application-layer software can also help deter the threats.