In my last article, The human factor, I discussed how you could have the most secure technology that currently exists in place and it could all amount to nothing if an attacker can persuade one of your users to do their bidding. In this article, I want to focus on a particular topic that fits in nicely: social media. There are apparently as many definitions of social media as there are people who use it, but in the context of this article I am referring to online services that people use to dynamically share information and media. Examples of such services include Facebook, Twitter, Instagram and YouTube.
The world has certainly changed a lot in the last 10 years, when these kinds of services really took off. There has been a massive culture shift from people sharing things via snail mail, to email, to social media. Most businesses have a presence across a number of social media sites as applicable, and the vast majority of workers expect to be able to use them for personal use whilst at work. I could go on a rant here about the business risk caused by the lost productivity as social media addicts check in to their accounts every few minutes, but I don't want to be a party pooper. Instead, I will use my shield of security to justify why access to social media, especially from work computers but also from personal equipment on the office network if you have a BYOD policy, presents a risk to businesses that can be difficult to mitigate.
Why? It goes back to the theme of my last post: people. There was a time when we seemed to be winning the battle against the bad guys. Most people (even my Dad!) knew not to click on URLs sent in emails without going through a number of preliminary checks. With the previously mentioned culture shift, we have now become so used to clicking on links that our friends and family post on social media that I doubt the majority of people even stop to think about what they are about to click on.
Consider that people who are active on social media are checking their various feeds throughout the day and you have a recipe for disaster just simmering away, ready to boil over. If you have a loose BYOD policy, or are one of those organisations that gives users local admin accounts (ya know, just to make it easier for them to do their jobs), or your training programme doesn't include social media, then you are opening yourself up to a massive risk.
I used to have a colleague many years ago who, having witnessed somebody at work send a trick URL to another colleague which got that person in hot water, told me "you are only ever one click away from being fired". That's a pretty harsh take, but perhaps "you are only ever one click away from data loss" might be a better message to share across your company.
As always, I'm really keen to hear your thoughts on the topic of today's post.