7 Social Media Security Tips To Protect Your Business

Your employee’s online life could open your business to some serious dangers.

Many small businesses recognize the benefits of having a social media presence for customer service and long-term marketing purposes. However, many are slow to recognize social media’s security issues and how employees’ own social presence can add to the company’s security issues.

Some companies restrict internal access. Others may prevent employees from having any corporate association outside of work on their own social platforms, because whatever an employee says publicly outside of work can have a significant impact on the organization.

Last year I presented a robbery response program to a credit union. My presentation came after a mock robbery was staged, using real cops acting as masked robbers with guns. The robbers came in, guns blazing and screaming profanities, and, quite frankly, were very disturbing in their delivery. Some tellers cried, others cowered. Pregnant women were not allowed to participate and for good reason: Cops make great robbers!

At the end of the robbery, we all circled and discussed what happened. The teller who received the robbery note read it aloud, stating: “Your husband works at the Main Street Garage. We intercepted him when he was opening this morning. He is in a trunk at an undisclosed location. If you hit the silent alarm and the police come, we will kill him.”

Turns out the robbers scanned the teller’s social media sites based on searching the name of the bank as employer. Once done, they looked up her spouse’s place of employment. They were able to learn what time he opened and closed the shop. Scary.

Follow these social media security tips for small business to prevent security issues just as scary:

Institute a policy. Social media policies must be in place to regulate employee access and establish guidelines for appropriate behavior. Policies must specifically state what can and cannot be said, referring to slang, abusive language, etc. Employers should train their employees on proper use, as well. At this point, many of the mistakes have already been made; a quick search for “social media policy” will return lots of great ideas.

Consider a no-employment disclosure. Request employees leave their employment status blank when setting up a social site profile. Employees represent their employer 24/7/365, so what an employee says on or off the job and online directly reflects on his or her employer and, as stated in my credit union story, can be used against the organization.

Limit access to social networks. There are numerous social networks serving different uses, from wine and recreation to music to movies, used for everything from friending to finding a job. Some are more or less appropriate, and others are less than secure. Employee association with a social network that is considered off-color in any way will come back and haunt the company.

Train IT personnel. Policies and procedures begin from the top down. Managers and IT personnel responsible for managing technology need to be fully up to speed with social media security risks and set leadership examples.

Maintain ongoing monitoring and security. Once a policy is in place, it needs to be updated and enforced, and employees’ online lives must constantly be scrutinized. Invest in consulting, hardware, software and anti-virus protection, and update critical security patches for your operating system to make sure your business network is up to date.

Lock down social settings. Require employees to learn about and incorporate maximum privacy settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.

Don’t completely eliminate social media. Eliminating access to social media opens an organization up to other business security issues. Employees who want access will get it—and when this happens, they sometimes go around firewalls, making the network vulnerable.

How do you ensure social media security in your business? Share your experiences in the comments.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

7 Small Business Social Media Risks

Many executives are concerned about social media related risks (e.g., data security and ID theft), but far fewer actually have any social media training.

A recent survey of executives puts the concerns into four categories: disclosure of confidential information; damaged brand reputation; ID theft; and legal and compliance violations.

Another finding of the survey was that 71 percent of the participants believed their company was worried about potential risks, but they also thought these risks could be avoided or resolved.

Over half the respondents said that their company lacked any social media risk assessment strategy.

Here’s another striking finding: 33 percent of businesses had a social media policy; 27 percent of participants reported no such policy; and the remaining 40 percent consisted of an even split: those who said their company was planning on creating such a policy, and those who said their organization had some other related policy.

Solutions

While social media can bring benefits to businesses, namely in the realm of marketing exposure, they can also bring in lots of trouble as far as security issues.

How can companies find the right balance between the two extremes of banning social media altogether and allowing free rein over it? Below are some solutions.

#1. Ban the ban. First of all, don’t outright ban access to social media. Otherwise, this can lead to other security issues. Furthermore, an employee who really wants to gain access to social media will dodge security, making the organization more susceptible.

#2. Execute policies. Do implement some kind of structure that regulates employee activity regarding social media. Employees need guidelines for proper use, which would also include what not to do.

#3. Social networks should be limited. There are hundreds of social networks—many uses are served, ranging from movies to music. But there are other uses that are not so innocent and less secure. Learn about these and make sure employees know not to go near them.

#4. No default settings. Default settings typically leave networks very vulnerable to attack. Settings should be locked down; most social networks do provide privacy settings and these must be managed at the highest level.

#5. URL lengthening service. Employees should never click on a shortened URL without first decoding it to see where it leads. Shortened URLs can be pasted into a URL lengthening service, which reveals the destination without visiting it.
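A URL lengthening service does one thing: it follows the shortener’s redirect chain and reports the final destination so a person can judge it before their browser ever loads the page. The script below is an added example, not code from the original post or from any particular lengthening service. It follows redirects with HEAD requests only (no page body is downloaded), caps the number of hops, refuses non-HTTP targets and loops, and returns the whole chain so that every intermediate host is visible for review. The `fetch_location` parameter, the `live_fetch_location` helper and the sample redirect table are all constructed for this example.

```python
"""Expand a shortened URL without opening the destination page.

Added example (not from the original post). The redirect chain is followed
with HEAD requests only, so no page content is fetched or rendered. The
hypothetical `fetch_location` parameter lets the logic run offline against
a constructed redirect table.
"""
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request


def live_fetch_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Send one HEAD request and return the raw Location header, if any.

    Automatic redirect following is disabled so that every hop is seen
    individually rather than silently collapsed into the final page.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib stop at the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects suppressed, 3xx responses surface as HTTPError.
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None


def expand_short_url(
    url: str,
    fetch_location: Callable[[str], Optional[str]] = live_fetch_location,
    max_hops: int = 10,
) -> List[str]:
    """Return the redirect chain starting at `url`; the last entry is the
    destination a click would actually land on.

    Raises ValueError on a redirect loop, a non-http(s) target, or more
    than `max_hops` redirects, all of which deserve a closer look rather
    than a click.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if not location:
            return chain  # no further redirect: this is the destination
        nxt = urljoin(chain[-1], location)  # resolve relative Location headers
        if urlparse(nxt).scheme not in ("http", "https"):
            raise ValueError(f"refusing non-http redirect target: {nxt}")
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")


# Constructed sample: a fake shortener whose link bounces through a
# tracking host (one hop uses a relative Location) before landing.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": "https://track.example/r?id=1",
    "https://track.example/r?id=1": "/landing",
    "https://track.example/landing": "https://shop.example/deal",
}


def sample_fetch(url: str) -> Optional[str]:
    """Offline stand-in for live_fetch_location using the constructed table."""
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for hop in expand_short_url("http://short.example/abc", sample_fetch):
        print(hop)
```

Run it as-is to see the constructed chain; replace `sample_fetch` with the default `live_fetch_location` to resolve a real shortened link. Reviewing the full chain, not just the last hop, matters because the intermediate tracking hosts are often where the interesting information sits.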

#6. Train IT personnel. Don’t effectuate policies from the bottom up, but rather, from the top on down. Those in charge of managing technology need to be fully geared up with the risks of social media.

#7. Keep security updated. A business network always needs to be up to date with its security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

IT Guys Get Duped by Pretty Girl on Social Media

Defenses of a U.S. government agency were duped by an experimental scam created by security experts.

The “scam” involved Emily Williams, a fictitious attractive woman with a credible online identity (including a real photo that a real woman allowed them to use), posing as a new hire at the targeted agency.

Within 15 hours, the fake Emily had 55 LinkedIn connections and 60 on Facebook, with the targeted agency’s employees and contractors. Job offers came, along with offers from men at the agency to assist her with her new job.

Around Christmastime the security experts placed a link on Emily’s social media profiles linking to a Christmas card site they created.

Visits to this site led to a chain of events culminating in the security team stealing highly sensitive information from the agency. Partner companies of the agency were also compromised.

The experimenters got what they sought within one week. The penetration scam was then done on credit card companies, banks and healthcare organizations with very similar results.

An authentic attacker could have easily compromised any of the partner companies, then attacked the agency through them, making the assault more difficult to detect.

Recap: The scam began from the ground up, inflating Emily’s social network till it enabled the attack team to suck in security personnel and executives. Most of the people who assisted Emily were men. A similar experiment using a fake male profile had no success.

Preventing getting suckered into Social Media Scams

  • For agencies and other organizations, social engineering awareness training is crucial, and must be done constantly, not the typical annually.
  • Suspicious behavior should always be questioned.
  • Suspicious behavior should be reported to the human relations department instead of shared on social networks.
  • Work devices should not be used for personal activities.
  • Access to various types of data should be protected with separate and strong passwords.
  • The network should be segmented to guard against scammers infiltrating a network segment simply because an employee with access to another segment was compromised.
  • Learn from this. Reverse engineer this same scenario in your own life or organization to see how this might happen to you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 Tips to avoid ‘deadly’ social media

The vacant 5,000-square-foot house next door to the victim of this kicking was for sale, and he had agreed with the realtor to keep an eye on it. Some kids got wind of this vacancy and put out a Facebook invitation to a Halloween rave party there.

He called 9-1-1 and the police broke up the party. However, kids kept arriving because the Facebook notice was still up. A mob of perhaps 60 kids was brewing at the end of the street.

The victim-to-be began chatting with the realtor’s partner—in front of the rave house. The realtor then approached a kid and was assaulted. Our victim intervened without much thought, got blindsided by one thug, then kicked by several kids to the ground.

Hindsight is 20/20

The victim, only after the beating, realized that he should have:

  • Fled to his house and called the police.
  • Remained outside and called the police (not as safe as the above, but a lot better than jumping into a fight).

However, these weren’t the best options. The best option would have been this victim calling the police to come back when the mob was forming.

  • The victim could have taken pictures of these kids (with his Nokia 1020) before any of the rumbling began.

Conclusion

  1. Avoid mobs at all costs.
  2. If someone is attacked, call the police and take pictures.
  3. Do not jump in to break up a fight. Three scrawny but very angry punks can take down a much bigger well-meaning solitary person.
  4. If you do get attacked, go ballistic—and target the gang’s leader.
  5. Sprint to safety first chance you get.
  6. Warn your kids about the dangers of raves.
  7. Check out the “crime radar” of your neighborhood with this new tool.


Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

Social Media A Big Risk To Banks

For more than a decade, criminals have been successfully attacking online banking, one-upping security professionals and their clients by creating viruses that bypass existing security measures.

In response, security companies offer new technologies to fight new threats, and federal regulators have continually updated their compliance rules in response to existing vulnerabilities.

However, one variable that technology has yet to fully fix is the human element. Sure, many of the existing security technologies help protect the consumer and the bank from human error, like downloading a virus or falling for social engineering tricks such as clicking an infected link, and they alert us to phishing emails. But no technology, and no security or privacy policy, can prevent someone from exposing all their life’s details on a social media site.

When criminals target an organization like a bank, they start by looking for vulnerabilities in the network infrastructure. Beyond that, they target the bank’s employees and customers using the information provided on the corporate site and via social media.

Once they gather enough information about their target, they use that data to get around the security technologies meant to keep a user from downloading a virus or falling for social engineering tricks like clicking an infected link, and that alert us to phishing emails. A message that is tailored with the victim’s own details does not look like a generic phish.

This is where banks need to step it up and incorporate complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Why Your Employer Needs Social in the Workplace

Social media is the fifth form of mainstream media. It encompasses all media, making it the king of all media. At this point, most people know how to use social media and how to navigate the various websites. But many employers are still on the fence.

Hootsuite’s CEO says, “The world’s top brands—like Pepsi, Virgin, NHL and American Express—[are] now embracing [social media] company-wide.”

MarketingDonut reports, “One of the simplest ways to convince your boss that social media is the future is [by] showing how much profit [the company] can make. Show how your competitors are using social content to attract potential clients, showing the strengths and weaknesses of their campaigns. Use your website analytics to monitor the flow of visitors to your website from Facebook, Twitter or organically, and how many convert to leads or sales.”

And social isn’t just for business-to-consumer communications. It’s also great for connecting employees too. SHRM reports, “Social networking platforms may allow organizations to improve communication and productivity by disseminating information among different groups of employees in a more efficient manner, resulting in increased productivity.”

As you are setting up social media as an effective tool, you must consider the security implications.

  • Implement policies. Without some type of policy in place to regulate employee access and set guidelines for appropriate behavior, social media could be problematic. Teach employees effective use by providing training on proper use, including, especially, what not to do.
  • Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure.
  • Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  • Maintain updated security. Whether you’re using hardware or software, anti-virus or critical security patches, make sure you are up to date.
  • Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  • Register your company name and all your officers at every social media site. You can do this manually or by using a very cost-effective service called Knowem.com.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Social Media Security Risks for Small Business

For more than a decade, cyber criminals have launched countless attacks on banks’ online infrastructure, successfully one-upping security professionals and their clients by creating viruses that bypass existing security measures.

In response, computer security companies have continuously updated their technologies to address new cyber threats.

However, one major variable that technology cannot control is the human element. Sure, many of existing computer security technologies help protect consumers, banks and small businesses from human errors like accidentally downloading a virus, or social engineering tricks designed to fool targets into clicking infected links, by warning users about potentially dangerous webpages and phishing emails. But no computer security technology or privacy policy can prevent people and employees from exposing all their lives’ details on social media websites.

When internet criminals target an organization, they start by looking for vulnerabilities in the network’s infrastructure. Beyond that, they target a business’s employees and customers by using information freely provided on the corporate site and collected through social media.

Once they have gathered enough information about a target, hackers use that data to circumvent all the IT security technologies meant to protect users. Below are some things you can do as a small business owner to reduce your social media security risks.

Implement IT Security Policies.

Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and sets guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use and, especially, on what not to do.

Train IT Personnel.

Effective online security policies begin from the top down. Those responsible for managing technology need to be fully up to speed with social media security risks.

Maintain Updated IT Security.

Whether hardware or software, anti-virus or critical IT security patches, make sure your business network is up to date.

Lock Down Online Privacy Settings.

Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave your computer security wide open for attack.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures.

What Happens to Your Profile After You Die?

If you were hit by a bus, and passed on to whatever heaven might exist, would you care about your Facebook page? Probably not. But your loved ones more than likely would. Things like email, websites, and social media profiles are considered “digital assets,” which may have some monetary value, but for the most part offer sentimental value to the family of the deceased.

I went to high school with a darling young woman who passed away at far too young an age. Her Facebook page sees a lot of activity. Not a day goes by that someone doesn’t make use of this forum to leave a message telling her they love her. It’s quite nice to visit her page and witness this outpouring of affection.

When Facebook is informed that a profile’s owner has passed away, the account is memorialized, which means that nobody can access or edit the account, nor can any new friends be accepted, but people can still post messages and comments.

However, the inability to access an account might pose a burden to the family of the deceased, who might wish to learn more about their loved one or need administrative abilities in order to access crucial information, alert loved ones, or even finalize the deceased’s affairs.

The Associated Press reports, “Now lawmakers and attorneys in at least two states are considering proposals that would require Facebook and other social networks to grant access to loved ones when a family member dies, essentially making the site contents part of a person’s digital estate. The issue is growing increasingly important as people record more thoughts and experiences online and more disputes break out over that material.”

Facebook currently provides an online form that can be used to report a user’s death. “If prior consent is obtained from or decreed by the deceased or mandated by law,” Facebook will provide the family of the deceased with a download of all account data.

Though you may not particularly care to acknowledge it, now might be a good time to instruct a trusted friend or family member on how to access your various social media assets in the event that something bad should happen.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

Holiday Phishers Use Social Media

Every social media website in existence depends on advertising for its survival, to some extent. Criminals exploit this by mimicking these familiar platforms when sending millions of phishing emails designed to entice users into clicking malicious links or visiting spoofed websites that resemble legitimate social media. They also create pages within popular social media that are infected with malware, or malicious links designed to infect the PCs of anyone who clicks.

McAfee has exposed numerous Christmas-related scams. To avoid being snared in a holiday phisher’s net, beware of:

  • Promotional scams and contests: Scammers know that contests and free offers make attractive lures, and have sprinkled Facebook with phony promotions aimed at gathering personal information.
  • Holiday phishing scams: Since people tend to be busy and distracted during the holiday season, phishers incorporate holiday themes into their emails and social media messages, hoping to trick recipients into revealing personal details.
  • Coupon scams: When accepting an offer for an online coupon code, you may be asked to provide personal information, including credit card details, passwords, and other financial data.
  • “It Gift” scams: When a particular gift is hot, sellers tend to mark up the price. Scammers also like to advertise popular gifts on rogue websites and social networks, despite not actually having these items to sell.


Awareness is the key. If you can see a potential scam coming and behave proactively, you won’t get hooked.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto, and he is running the Boston Marathon in April 2012 to support Miles for Miracles for Children’s Hospital Boston.

Cybercriminals Target Senior Citizens

Cyber scams happen to the young and the old, the rich and the poor. It doesn’t matter how good or bad your credit is, or whether or not you have a credit card. Cybercriminals target everyone, regardless of how much or how little you rely on a computer.

The lowest of the lowlifes, however, tend to prey upon the weak and uninformed. And all too often, that means children or elderly.

Senior citizens are in a unique position because they often have money in the bank, plus access to additional lines of credit. They are less likely to be frequent Internet users, relative to younger generations, and are therefore less likely to be aware of the many scams that may be targeting them.

Many common scams take place using the telephone rather than the Internet, such as “grandparent scams,” in which victims receive calls from their supposed grandchildren, requesting money.

Online, beware of social media and dating scams. Not everyone who contacts you online is your friend, so be cautious before sharing personal information. Never, under any circumstances, send money on the basis of an online relationship.

You’ve most likely heard the term “phishing,” and have certainly received a fake email at some point. But scammers are getting better at creating targeted, personalized emails that include your name, email address, and even stolen account numbers. Never click any links within an email. Instead, go to your favorites menu or manually type the address into the address bar. If you suspect that an email might not be legitimate, hit delete.

Scammers are constantly searching for the information they need to take over your existing accounts, either by hacking into your own personal computer or by stealing data from your bank, credit card company, a government agency, or any other institution that keeps personal data on file. To prevent account takeover, keep your antivirus software updated, and pay close attention to all your bank statements. Dispute any unauthorized transactions right away.

Bad guys love your Social Security number, because they can use it to open new credit accounts in your name. You’ve probably disclosed your Social Security number hundreds of times in your life, and can’t avoid disclosing it in the future. But you can protect yourself with identity theft protection and a credit freeze.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)