Social media’s security risks: How to protect yourself
Saturdays at CPA Success are usually spent reviewing online tools that can help increase our productivity. Keep in mind that we do not endorse any of these services. We simply offer them up for your consideration. Do your own homework and find the service that best meets your needs.
As great a tool as it is, social media technology does raise some concerns, with security usually at the top of the list. Chris Jenkins of the Ohio Society of CPAs has been doing some thinking on the subject and offers some great advice. Chris?
Recently the SNOsoft Research Team released an excellent blog post titled "Facebook from the hackers perspective." In the article, they detail a social engineering / phishing attack built on information found within online communities. After reading the article, several things came to mind:
Would a simple security awareness program have saved them?
While it’s possible, it’s unlikely due to the nature of the attack. Phishing through cross-site scripting can be almost undetectable. Obviously, the attack was well implemented if someone with firewall credentials was compromised. Perhaps the staff would have trusted the engineered account less if they had been warned about the potential risk. Just seeing, "Omigawd have you seen this I think we got hacked!" should have raised some red flags. Staff could have been trained not to click hacked links.
Would shutting off access to social networking sites have saved them?
Nope. People will continue to utilize communities regardless of access restrictions. Mobile capabilities, open APIs and third-party sites make blocking social networks unrealistic. More important, the benefit of social networking will outweigh the risks in most organizations.
Would a good documentation and change management program have saved them?
Most likely. With proper documentation and change management, the vulnerability would have been identified or never existed. This vulnerability most often occurs when programmers fail to test code properly and would have been captured in the testing phase of a change management process.
Of course, we know what did save them …
A security vulnerability scan saved this company from a potentially devastating breach. So in these times of budget cuts, I’d be very cautious about rolling back on that security budget.
With the economy down and people out of work, cyber attacks will be on the rise. Make sure you’re doing your due diligence to protect your assets. A security audit should be conducted yearly and recovering from a data breach should be part of your business continuity planning.