Social has arrived, but it took time. The crowds of people fluttering around the IT industry claiming to be social experts because they can define a ‘retweet’ and have 700-plus friends on Facebook has frustrated many, with companies struggling to get a real grasp of how social media and networks can effectively help power businesses into the next generation of trade and success.
What social media does do is collect an impressively large amount of customer data — positive and negative. It offers a constantly reachable platform of customers and partners from across the globe. It allows casual engagement and coherent communication channels. All-in-all, social networking is a powerful tool when businesses realise its potential.
Socialbakers.com reported that there are 3,370,780 Facebook users in the United Arab Emirates alone, making it the 48th highest country in the world for users. The survey also suggested that 35 percent of Internet users in the region do so for business purposes. In the UAE, that suggests that around 1,179,773 of these Facebook accounts are businesses — that’s a large database which is instantly reachable and easily contactable.
Saudi Arabia represents the highest percentage in the region; 43 percent of the 35 percent is driven from there.
The danger of numbers
So what do these numbers mean for security? It’s been said that nearly 80 percent of Internet users have the same basic email address, username and password for social media as they do for critical accounts such as online banking, and business databases. Consider this idea with the numbers mentioned above; if 3,370,780 UAE residents use Facebook, and 80 percent of those replicate their passwords for other accounts, then the opportunity for cyber theft and hackers to infiltrate personal accounts is extremely high.
“Answers to the simple questions you get asked when logging securely into financial sites — like when were you born, where were you born, what’s your mother’s maiden name, etcetera — can be found easily on Facebook if you’re a sophisticated attacker. It’s very easy for someone to hack you using your social activity,” says Justin Doo, Director of Security Practices, Symantec.
This is a basic risk for employers who now have the added concern of BYOD — with many devices being constantly logged into social sites on an operating system which is also hosting the company’s applications.
“Maybe it is not so much BYOD that has changed this, but more that social media is available on the smartphones that we all now possess. Today any smartphone will have Facebook, Twitter, Tumblr and other services installed — to some extent, social media has been one of the major drivers for smartphone adoption,” says Nicolai Solling, Director of Technology Services, help AG.
“With that, organisations needs to understand that most of their employees have a device in their pocket which connects them to social media, which the organisation may not have any control over. Again this means that social media usage is closely linked to acceptable usage policies and, very importantly, the acceptable communication policies which should apply to the individual both on and off work as long as they are under the employment of the organisation.”
Khalid Abu Baker, Corporate Sales Director, Kaspersky Lab Middle East, adds: “Staff are now ‘always-on’, working from a range of different locations and using a variety of devices. This has widened the attack surface that a cyber-criminal can aim at. Staff may access a corporate Facebook or Twitter account using an insecure public Wi-Fi network.
“This introduces the risk that information sent or received could be sniffed by a stranger on the same Wi-Fi network. It’s also very easy for mobile devices to be lost or stolen; and if data isn’t encrypted, and there’s no passcode set, corporate data — and automatic access to social networks — is wide open to whoever takes the device. BYOD further adds to the complexity because staff are combining personal and corporate activities on the one device — and companies may not have technology to ‘containerise’ personal and business data.”
Behind enemy lines
Once in, the effects can be harshly damaging. As Abu Baker explains here, many elements must be taken into account when attempting to limit post-breach consequences.
“There are several risks. First, if the security on the account is weak — for example, a weak password — and it’s hacked, the attacker can post things that could seriously damage the company’s reputation. An attacker could post something embarrassing, or post misinformation about the brand, or use the account to spread malware. If the account is a shared account (e.g. a corporate Twitter feed), with a shared password, there’s a greater risk of the account falling into the wrong hands — people are more likely to choose an easy-to-guess password, so that everyone accessing the account can remember it easily. Second, information posted by employees in social networks can be used to gather information that can be used to launch a targeted attack.”
And according to Solling, despite the obvious risks and publicly noted cases of breaches and compromises, employees still have a very relaxed approach to social security.
“In June of last year, over 6.5 million user passwords were leaked from LinkedIn’s database. And earlier this year, as many as 250,000 of its user accounts may have been compromised by the online conglomerate known as Anonymous. It is shocking that, despite the widespread media coverage that such events have received, users still choose to believe that they will not fall victim to the effects of such attacks,” he says.
On top of this, LinkedIn itself has spoken out and claims that as much is being done as possible to protect its users and secure their data.
“LinkedIn are constantly looking for ways to improve the security of member accounts. All LinkedIn accounts are already protected by a series of automatic checks that are designed to thwart unauthorised sign-in attempts. Now, LinkedIn are introducing a new optional feature that adds another layer of security to LinkedIn sign-in— two-step verification,” a spokesperson said.
“Most Internet accounts that become compromised are illegitimately accessed from a new or unknown computer (or device). Two-step verification helps address this problem by requiring users to type a numeric code when logging in from an unrecognised device for the first time. This code will be sent to users’ mobile devices via SMS. When enabled, two-step verification makes it more difficult for unauthorised users to access user accounts, requiring them to have both personal passwords and access to the user’s mobile phone.”
Social malware
The challenges faced by LinkedIn should highlight the need for a far sterner view on social security risks. The multi platforms from which we access these certainly increases those risks, but the fundamental issue is always the same.
Mahesh Venkateswaran, Managing Director, Social, Mobile, Analytics and Cloud, Cognizant, explains that subtle and common attack methods are effective when targeted at social networks. And as we evolve our communications, the threats evolve to counteract this. Though the given names might not be terrifying, the consequences certainly are.
“Phishing is one of the key threats, even more so with variants such as Vishing — the social engineering approach that leverages voice communication — and Smishing, a form of social engineering that exploits text messages,” he says.
“Short URLs can readily become a destination of malicious links — users do not know the links are malicious unless they click them. There is also the risk of malware spreading through mobile devices to others on the contact list. Access to online shopping accounts through mobile devices is another potential threat.”
Jamil Ezzo, General Director of ICDL GCC Foundation, concludes, suggesting that public awareness must improve to better promote safer use of social media channels. But the attacks will continue to come, it’s a simple case of having the correct steps in place to react to post-breach, as well as the awareness to recognise potential threats.
“The lack of control over the use of social media in the workplace could cause irreparable damage to the person and the company he or she represents. To avoid this, we encourage the promotion of public awareness in order to eliminate the misuse of this technology,” says Ezzo.