By Anna Larkina, web content analysis expert at Kaspersky and Roman Dedenok, spam analysis expert at Kaspersky
Threats to enterprise social media are evolving alongside the social engineering skills of perpetrators at a breakneck pace. Sometimes their techniques reach such a level that even the knowledgeable administrator of a corporate network cannot tell the difference between a scam and the truth.
As many businesses use social media to promote their products and services, these threats affect a very large number of businesses. To help them stay safe, Kaspersky experts offer the following tips to mitigate cyber risks associated with social media in 2023.
- Be careful with direct messages and the drafts folder; delete old, irrelevant information
Businesses should be careful not to keep sensitive information in direct messages, as this can present cyber risks.
People often use social media to write directly to brands, ask for help, or ask about the account holder’s product or service. Some partnerships, such as those with bloggers, are also negotiated in direct messages. Personal or financial information is sometimes shared during these conversations, and it may remain in the message folder long after the interaction is over. If a breach gives cybercriminals unauthorized access to the account, that sensitive data may be leaked or used to stage an attack.
To avoid this risk, get into the habit of deleting messages once the dialogue is over and the information they contain is no longer relevant. The same goes for unsent messages: it’s worth taking a close look at what’s saved in the drafts folder from time to time.
- Review old posts to minimize reputational risk
The power of reputation is growing: every word, every action and every decision can help or hurt a company’s image.
Everything published online is also of great importance in terms of cybersecurity: when sensitive information (re)appears in public, it almost always ends up damaging a company’s reputation and can lead to financial losses.
To be on the safe side, spend some time reviewing posts that have already been published, as they may contain content that no longer reflects the company’s position, whether inappropriate jokes or controversial advertising campaigns.
What was normal yesterday may provoke a negative public reaction today. A review of publications made over the past few years greatly reduces the associated reputational risks.
- Be careful when posting your success stories
After signing a lucrative contract or closing a deal, we want to post about it on social media so that as many people as possible know about our success. But we also need to be aware that such posts attract the attention of cybercriminals. If a potential attacker knows who your vendors or contractors are, they could attempt an attack by impersonating them, or by breaching their accounts and acting on their behalf.
Also, the more clearly your company’s structure and ways of working can be read from its social media, the easier it is for perpetrators to stage an attack. For example, if it is possible to trace who is responsible for finances, an attacker can impersonate that person’s supervisor and try to trick them into urgently transferring a large sum of money to a fake account to “make a deal” or “buy necessary equipment.” Using various social engineering techniques, an attacker can impersonate another person convincingly, and the victim would hardly notice the fraud.
- Warn newcomers of the risks associated with “new job” posts on social media
After getting a new job, newcomers usually share the news on social media, but they don’t yet understand how cybersecurity processes work in that company: for example, how identity is verified or with whom they may share sensitive information. This makes a newcomer more vulnerable to cyberattacks.
Imagine: an attacker follows this person on social media and collects information about them. The criminal then sends the new employee a malicious message in the name of the company’s IT administrator, asking them to share their password so that a technical account can be created. A newcomer is very likely to share the password, because they do not know that the administrators would never send such a message. New employees are also often shy and may hesitate to ask their co-workers whether the message is genuine. A tiny social media post could turn the employee into an entry point for cybercriminals.
To mitigate the risk, immediately offer newcomers an information security course and tell them to be extra careful when posting about a new job.
- Control account access (and remember to change the password when an employee leaves)
Logins, passwords, and access to the email address used to create a social media account are just as valuable as other internal company documents.
If an employee with access to accounts and authentication data leaves the company, it is useful to apply the same rules as when blocking their access to the company network.
To start, change the password of the email account linked to the corporate social network; then unlink the former employee’s mobile phone number and check the other authentication methods, such as a backup email address.
- Don’t ignore two-factor authentication
Any social media account, let alone a business account, needs to be securely protected. Two-factor authentication is an absolutely necessary setting for any type of account.
The email address linked to the account should be as well protected as the social media account itself. The attack often begins with initial access to email. After breaking into the mailbox, an attacker can configure filters in the mailbox settings to delete all support emails from the social network. The user will then be unable to restore access to their account, because every recovery email is deleted automatically. Not to mention that in a stressful situation few people think to check which filters are currently configured in their mailbox.
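As an added illustration that is not part of the Kaspersky article, the script below audits an exported mailbox filter list for exactly this trick: rules that trash, archive, mark as read or forward mail matching social-network senders or account-recovery wording. The sample filters are constructed, and their layout assumes the shape of a Gmail filter export (an Atom feed with `apps:property` elements); the sender domains and keywords are assumptions to adapt to your own accounts.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

SOCIAL_DOMAINS = ("facebookmail.com", "linkedin.com", "twitter.com", "instagram.com")  # assumed sender domains
RECOVERY_WORDS = ("password", "reset", "security", "login", "verify", "recover")   # typical recovery-mail wording
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo")  # actions that hide or divert mail

# Constructed sample in the shape of a Gmail filter export: one benign rule, two malicious ones.
SAMPLE_FILTERS = """
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='security@facebookmail.com'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='forwardTo' value='outside-mailbox@example.net'/>
  </entry>
</feed>
"""

def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text.strip())
    return [{p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]

def suspicious_rules(rules):
    """Flag rules whose criteria touch social-network or recovery mail AND whose actions hide or divert it."""
    findings = []
    for rule in rules:
        criteria = " ".join(rule.get(k, "") for k in ("from", "subject", "hasTheWord")).lower()
        actions = [a for a in HIDING_ACTIONS if a in rule]
        reasons = []
        if any(d in criteria for d in SOCIAL_DOMAINS):
            reasons.append("matches social-network sender")
        if any(w in criteria for w in RECOVERY_WORDS):
            reasons.append("matches account-recovery wording")
        if actions and reasons:  # benign rules (newsletters etc.) have actions but no risky criteria
            findings.append({"criteria": criteria, "actions": actions, "reasons": reasons})
    return findings
```

Run `suspicious_rules(parse_filters(SAMPLE_FILTERS))` after an account takeover scare, or periodically, to surface filters nobody remembers creating.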
It is best to register a social media account using a corporate email address. For starters, it’s better protected (assuming the company cares about cybersecurity). Additionally, internal security specialists can block access to this mailbox as well as all access to the corporate network.
- Provide your employees with anti-phishing training
To mitigate cyber risks on social networks, it is not enough to technically protect your company’s account; it is equally important to give employees dedicated training on information security, the different types of phishing and other threats.
According to user statistics from the Kaspersky Gamified Assessment Tool, designed to educate workers and help managers measure their cyber skills, only 11% of approximately 4,000 employees demonstrated a high level of cybersecurity awareness in 2022, while 28% could not demonstrate sufficient cybersecurity skills.
Attackers use sophisticated social engineering methods, and even the most digitally savvy representatives of Generation Z can succumb to them. The human factor cannot be reduced to zero, but it can be minimized through dedicated training.