Social media is at the core of modern culture, and its use in business has grown dramatically in recent years. According to a recent survey by The Manifest, 73% of SMBs use social media to promote their brand online. But social media channels are also a major target for cybercriminals.
Unsuspecting users are manipulated into divulging personal information – such as the restaurants they frequent, their favourite sports teams, their spouse's name, and much more – and into downloading malicious payloads.
Here's an example: An employee tweets about how he would love to attend a New South Wales Waratahs game. The next day, he receives an email from a colleague (or so he thinks) offering him free tickets for Sunday's game, which the colleague can't attend due to a family obligation. The employee opens the email's attachment to get his tickets, but the attachment is actually a file that installs malware.
It's a common type of attack, and it underscores how crucial it is that employees are educated about good security practices and how to spot risks and suspicious behaviour.
How social media puts SMB customers at risk
There are several ways social media can be risky for SMBs including:
1. Phishing and social engineering attacks.
Social engineering is a massive security problem. In fact, only about half of social media users in the US keep their profiles private. This means bad actors can collect useful information by simply searching and scrolling. Attackers can scrape a surprising amount of data from a single profile – such as pet names or the city the user was born in – which can be used to make phishing emails more convincing. Sometimes they can use this information to answer security questions and take over one of the user's online accounts. While such details may not be available on business profiles, it's relatively easy to find links to customers' or employees' public profiles from a business account. Once an employee's account is compromised, the attacker has a foothold inside the business.
2. Watering hole attacks.
Cybercriminals can also use scraped data from social media profiles to plan watering hole attacks, in which they compromise a website the target group is known to frequent and use it to deliver malware or harvest usernames and passwords. Once they hold credentials stolen from a social media site, they can test them against other sites (credential stuffing) to find accounts that share the same password. Our research found 64% of users reuse their passwords across multiple accounts. This means that if even one person uses the same password for Facebook as for a business account, the SMB – or even your MSP business – is exposed.
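The credential-stuffing pattern described above (one source trying stolen username/password pairs against many accounts, with the odd match succeeding) is something an MSP can look for in a customer's authentication logs. The following is an added example, not code from the article or from Webroot: it parses constructed log lines in a hypothetical `timestamp ip user FAIL|SUCCESS` format, flags source IPs that hit many distinct accounts in a short window with a low success rate, and lists the accounts that nonetheless logged in from such a source, since those are the reused passwords that should be reset first.

```python
"""Spot credential-stuffing bursts in authentication logs.

Added example (not from the original article). The log format below is a
hypothetical one chosen for illustration: "<ISO-8601 time> <ip> <user> <FAIL|SUCCESS>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays seven accounts in six seconds and
# gets a hit on "frank"; the other two IPs look like ordinary users.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:02Z 203.0.113.7 bob FAIL
2024-03-01T09:00:02Z 203.0.113.7 carol FAIL
2024-03-01T09:00:03Z 203.0.113.7 dave FAIL
2024-03-01T09:00:04Z 203.0.113.7 erin FAIL
2024-03-01T09:00:05Z 203.0.113.7 frank SUCCESS
2024-03-01T09:00:06Z 203.0.113.7 grace FAIL
2024-03-01T09:05:00Z 198.51.100.2 alice FAIL
2024-03-01T09:05:20Z 198.51.100.2 alice SUCCESS
2024-03-01T10:00:00Z 192.0.2.9 bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Return {ip: set_of_users_tried} for IPs showing a stuffing burst.

    A burst is >= min_users distinct accounts attempted within `window`
    where successes make up at most max_success_ratio of the attempts.
    The low success ratio separates stuffing from a busy shared NAT address.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) >= min_users:
                successes = sum(1 for _, _, ok in chunk if ok)
                if successes / len(chunk) <= max_success_ratio:
                    flagged[ip] = {u for _, u, _ in evs}
                    break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged IP: likely reused passwords."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, users in hits.items():
        print(f"stuffing source {ip}: tried {len(users)} accounts")
    print("reset these accounts first:", compromised_accounts(evs, hits))
```

The thresholds (five accounts in five minutes, at most 30% success) are starting points to tune against the customer's normal traffic; a VPN or office NAT will show many users from one IP, but mostly successful logins, which is why the success ratio matters as much as the user count.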
3. Malware attacks.
Social media advertising also offers plenty of opportunities for cybercriminals. Malware or phishing links can be hidden inside social media ads (malvertising). The average person sees 5,000-10,000 ads every single day and, on average, clicks 13 ads for every 1,000 they see. That's a lot of opportunities to download malware in a single day. The risk to SMBs from Island Hopping, where criminals compromise a smaller partner or supplier and use that foothold to move into the systems of a larger target, is even higher. In a recent Webroot survey of 803 IT professionals, 80 per cent of respondents said Facebook and related Web 2.0-based malware posed a serious problem for their company.
How to educate SMBs about the dangers of social media
As an MSP, you have an obligation to keep your SMB customers safe. That begins by educating them about the risks of social media. Teach them how to secure their social media profiles by following these cybersecurity best practices:
- Don't share or reuse passwords; use strong, unique passwords (a password manager makes this practical), and reset them promptly whenever a breach or suspicious login is reported.
- Turn on two-factor authentication for every social account, preferring an authenticator app or security key over SMS codes.
- Where security questions can't be avoided, use answers that can't be looked up online (treat them as extra passwords), and tighten your privacy settings.
- Ensure social profiles are private and unsearchable.
- Limit the posting of personal details online and avoid sharing information that could be used as a security question, such as birthdays, schools, and names and pictures of family and pets.
- Don’t click on suspicious ads.
- Turn on login notifications.
- Log out of profiles when not in use and always log out of any accounts when using a public or shared computer.
- Keep up-to-date antivirus and anti-malware protection on every device. Be sure to invest in a full-spectrum product that has real-time, dynamic web defence.
Webroot encourages everybody to stay educated on the latest trends and threats. Its new podcast series, Lockdown Lessons, is a great place to start. And the company knows from experience that security awareness training is highly effective. After just one year of end-user training, the average phishing click rate drops below five per cent – meaning that organisations have actually changed the behaviour of their users. What's more, the risks continue to decrease with more frequent monthly campaigns.