[BreachExchange] How To Change Security Behaviors: Social Media

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 22 14:32:42 EDT 2018


https://securityboulevard.com/2018/06/how-to-change-security-behaviors-social-media/


Changing behaviors is never an overnight fix. There’s no special formula
for an annual training session that will transform employees into
security-savvy superhumans.

But there are some areas of life where changing behaviors is particularly
difficult — usually areas where bad habits are repeated multiple times per
day.

Social media falls into this category.

Many of your employees spend hours on social media every single day, while
simultaneously displaying a whole range of poor security behaviors. And if
you intend to maintain a low level of cyber risk, you’re going to need to
change those behaviors.

What Could Go Wrong?

For a medium designed to encourage friendly networking, social media use
comes with a surprising array of potential downsides for organizations.
Here are some of the most common threats posed by employee use of social
media:

Phishing or Account Compromise

Yes, that old chestnut. Many consumer-focused phishing attacks are designed
to facilitate the takeover of social media (and other) accounts. Once an
account has been compromised, it is typically used to send out messages
with malicious URLs to all of the victim’s connections. This tactic has
proved highly effective in recent years, so you can expect to see it
continue for the foreseeable future.

Also keep in mind that since many people use the same password for
everything, compromised personal credentials could also jeopardize a
victim’s business accounts.

Social engineering

Remember the old Nigerian prince scam, where a threat actor would reel
victims in with a tall tale about making them rich if only they could
provide some cash up front? Well, this type of scam has skyrocketed in
recent years thanks to the success of social media. Instead of
cold-emailing random people, threat actors now set up fake social media
profiles, send out thousands of friend requests, and then run their scams
using the built-in instant messaging functionality.

Of course, these days not too many people are likely to accept random
friend requests from people they don’t know. To make up for this, threat
actors often create profiles on other sites (e.g., dating sites) in order
to make first contact with a potential victim, and then befriend them on
social media sites.

Malvertising

While some social media sites are reasonably good at weeding out malicious
advertising, many others show no evidence of even trying to do so. As a
result, by combining clickbait headlines with paid advertising, threat
actors have a tailor-made distribution mechanism for their latest malware
variants.

Leaks

Got any important company secrets to keep? If so, you’d better ensure none
of your employees accidentally share them through social media before
you’re ready to announce them to the world.

Sabotage and Defamation

Not every leak happens by accident. Disgruntled employees have been known
to intentionally leak sensitive information, or publish inappropriate
and/or damaging posts publicly.

The Ostrich Approach and Why it Doesn’t Work

It can be tempting to simply block employees from visiting social media
sites, and assume that the problem is solved. Sadly, it isn’t.

The thing is, there’s nothing at all you can do to prevent employees from
using social media when they’re at home, or even when at work if they’re
using a personal mobile device. If you choose to block social media sites
outright, there’s a good chance you’ll simply push poor security behaviors
underground.

And since there are a whole bunch of ways for employees to endanger your
organization which don’t involve direct infection, burying your head in the
sand like an ostrich isn’t a great long term strategy.

Training users to adopt strong security behaviors may take time and
resources, but it will ultimately yield much better results.

Think Bite-Sized

There’s plenty wrong with traditional security awareness training.
Unfortunately, one problem that’s often overlooked is the format: long,
annual training sessions.

Quite simply this approach has almost nothing going for it. For starters,
long security training sessions have been sending people to sleep since
time immemorial. At the same time, 12 months is way too long a gap to have
between sessions. Most people will have forgotten everything within 12
weeks, possibly much less.

So before you start thinking about content, here’s our first tip: Train
your employees in short, regular microlearning lessons, in place of longer,
less frequent training sessions. For obvious logistical reasons, online
training (preferably multimedia) works best for this approach, as nobody
wants to be dragged away from their desk to sit in a classroom multiple
times each month.

Each lesson should be highly focused, timely, and completely devoid of
fluff. Your users should get the information they need, precisely when they
need it, and nothing else.

There are two benefits to this approach:

1. Your employees are far more likely to retain learning if lessons are
provided in the context of their normal daily routine, and;
2. Frequent lessons never give employees the chance to forget about your
security awareness program.

Quite simply, if your employees are thinking about the specific aspects of
security that affect their roles on a regular basis, they’re far less
likely to make unnecessary mistakes.

Social Content

Once you have your training mechanisms in place, it’s time to consider the
topics you’ll need to cover. Thankfully the dangers of social media for
organizations are (mostly) well established, so there are some definite
places to start.

Here are some of the top contenders:

Password hygiene

Helping employees understand the need for different, hard-to-guess
passwords is a huge step towards reduced cyber risk. Password reuse attacks
are consistently popular and highly successful, so help your employees
understand what makes a good password, and encourage them to use that
knowledge both at work and at home.

Links

Malvertising and other link-based threat vectors are all the rage right
now, and can easily lead to malware and/or ransomware infections. Once
again, if you teach employees that following links blindly can be hazardous
you’ll be doing everybody a favor.

Oversharing

For some people, sharing every moment of their day on social media is
normal. Unfortunately, this habit can easily lead to unintentional data
leaks and/or breaches of information security.

Profile Skimming

On a similar note, threat actors have often been known to use publicly
available information from social media profiles to identify and profile
targets. Explain to your employees the potential downside of having a
public profile, and show them how to make their accounts private. If
necessary, you may consider asking them not to include your organization’s
name in their social media profiles.

Communication

Social engineering via social media has become popular with threat actors
in recent years. Using built-in private messaging functionality, threat
actors befriend their victims in order to achieve their objectives, which
could be anything from a BEC scam to industrial espionage.

Reinforcement, Reinforcement, Reinforcement

Social media was intended to be a force for good. And while there are
certainly risks for both individuals and organizations, there’s no reason
why people shouldn’t enjoy using it for both business and personal purposes.

So while many organizations choose to forgo training their users in the
use of social media, we just can’t recommend that approach. Your employees
are going to use it anyway, so it only makes sense to help them use it
safely.

To that end, your training program will live and die on its ability to keep
your message at the forefront of employee minds. Reinforcement is key.

In our experience, online multimedia training is the simplest and most
effective way to go. If employees can easily navigate and complete
microlearning sessions from the comfort of their own desk, they are far more
likely to learn, and far less likely to become frustrated and disengaged.