Profits and Pitfalls

Editorial Type: Case Study. Date: 2020-06-10. Tags: Security, Social Media, Phishing, Covid-19, Cyber Crime, Cyber Security, Cyjax.
Well-crafted social media content can deliver a multitude of benefits. But there is a potential downside, warn the Cyber Threat Intelligence Professionals at Cyjax.

Focusing on the use of social media for business, our paper ‘Social Media for Business: Profits and Pitfalls’ begins with an exploration of how companies can best harness the opportunities offered by platforms such as LinkedIn, Facebook, Twitter and YouTube. Well-crafted content can enhance a commercial footprint, attract new customers and encourage brand loyalty. As noted in a 2019 survey by Social Media Today: “77% of consumers are more likely to buy from businesses/brands they follow on Social Media.” Intriguingly for businesses building a social media strategy, the same survey found that “Non-Customers are 3 times more likely than customers to visit retailers from Social Media ads.”

Yet the use of social media also raises questions about the responsibilities of companies to keep customers informed about problems. While clients now expect early disclosure in the public domain, communicating bad news can impact client confidence. Companies may consider it to be too great a risk to publicise the problems, even though failing to do so could result in serious consequences for brand loyalty.

A recent example of social media being used to announce a security incident occurred in May 2020, when easyJet announced on its Twitter account that malicious actors had accessed the email and travel information of around nine million customers – including the credit card details of around 2,000 of these – in a “highly sophisticated attack”. This, inevitably, led to questions from customers about the data breach, allowing easyJet to respond quickly to the concerns and demonstrating transparency over the incident. However, it also invited criticism of the length of time taken to inform customers about the breach: despite having informed the Information Commissioner’s Office within 72 hours, as required by the General Data Protection Regulation (GDPR), it appears the incident actually occurred in January – five months before the news hit the media. It is still too early to tell what reputational effects this will have on the airline.

The paper continues with a brief discussion of privacy, noting that many people do not appreciate that the posts they make on social media are essentially open to public view: even if they have implemented privacy settings, there are no guarantees that the information they post will remain private. For businesses, difficulties can also arise when a member of staff shares company information on their private accounts or criticises their employer openly. Can we all be certain that the people we allow to view our posts are as responsible with their privacy settings as we are? Who knows if a friend or other contact is sharing that post or taking a screenshot of it and then having it read by a competitor?

One other point here concerns the issue of social media being used as a vector for conspiracy theories. At first glance, that may appear to be of little importance to workplace social media. However, bear in mind that the latest ‘theory’ consists of allegations that 5G is behind the coronavirus (COVID-19) pandemic. This could have a detrimental impact on companies involved in the telecommunications sector, were 5G conspiracy posts shared on their social media accounts. Similarly, the furore over President Trump’s pronouncements on his use of the anti-malaria drug hydroxychloroquine could inspire people to target pharmaceutical companies and health facilities.

The next section of the paper comprises an overview of phishing scams, detailing the methods used by both cybercriminal gangs and state-sponsored APTs to dupe individuals and employees into inadvertently providing them with the information they need to hack into a company’s network. According to research carried out by KnowBe4, 91% of successful data breaches start with a phishing attack, meaning clear strategies to deal with the threat are vital to the smooth running of any business today.

Further refining the phishing attack, threat actors with greater resources may spend significant time – in some cases, months – studying a business and its workforce, in order to perpetrate a successful Business Email Compromise (BEC) campaign. The FBI’s Internet Crime Complaint Center (IC3) reported in 2019 that it had received 23,775 BEC complaints, with adjusted losses of over $1.7 billion. An increase in scams specifically targeting payroll funds was also noted. These attacks are only expected to increase in 2020.

We conclude that it is essential for companies to develop a specific social media policy for all employees, with clear guidance on the posting of both personal and corporate information. A small team of employees should also be given responsibility for the operation of corporate accounts. Suggestions are also given about relevant cybersecurity training for all staff in all organisations – from the post room to the boardroom. Social media can be a great resource for business when managed properly and deployed successfully.