"With that, organisations needs to understand that most of their employees have a device in their pocket which connects them to social media, which the organisation may not have any control over. Again this means that social media usage is closely linked to acceptable usage policies and, very importantly, the acceptable communication policies which should apply to the individual both on and off work as long as they are under the employment of the organisation."
Khalid Abu Baker, Corporate Sales Director, Kaspersky Lab Middle East, adds: "Staff are now 'always-on', working from a range of different locations and using a variety of devices. This has widened the attack surface that a cyber-criminal can aim at. Staff may access a corporate Facebook or Twitter account using an insecure public Wi-Fi network.
"This introduces the risk that information sent or received could be sniffed by a stranger on the same Wi-Fi network. It's also very easy for mobile devices to be lost or stolen; and if data isn't encrypted, and there's no passcode set, corporate data — and automatic access to social networks — is wide open to whoever takes the device. BYOD further adds to the complexity because staff are combining personal and corporate activities on the one device — and companies may not have technology to 'containerise' personal and business data."
Behind enemy lines
Once an attacker is in, the effects can be severely damaging. As Abu Baker explains, many elements must be taken into account when attempting to limit post-breach consequences.
"There are several risks. First, if the security on the account is weak — for example, a weak password — and it's hacked, the attacker can post things that could seriously damage the company's reputation. An attacker could post something embarrassing, or post misinformation about the brand, or use the account to spread malware. If the account is a shared account (e.g. a corporate Twitter feed), with a shared password, there's a greater risk of the account falling into the wrong hands — people are more likely to choose an easy-to-guess password, so that everyone accessing the account can remember it easily. Second, information posted by employees in social networks can be used to gather information that can be used to launch a targeted attack."
And according to Solling, despite the obvious risks and publicly noted cases of breaches and compromises, employees still have a very relaxed approach to social media security.
"In June of last year, over 6.5 million user passwords were leaked from LinkedIn's database. And earlier this year, as many as 250,000 of its user accounts may have been compromised by the online conglomerate known as Anonymous. It is shocking that, despite the widespread media coverage that such events have received, users still choose to believe that they will not fall victim to the effects of such attacks," he says.