Securing Your Social Media Strategy
Otavio Freire
CTO and Co-Founder, Social SafeGuard
Visiting Scholar, University of Virginia
Executive Lecturer, Darden Business School
www.socialsafeguard.com, Tysons Corner, VA

Overview for Today
o Discuss how social media has emerged as a new attack vector
o Review how social media exposes companies to risks from cybercriminals, hackers and other bad actors who can impersonate a company, a brand, or an employee
o Review the types of risks Legal Firms and their Clients face on social media
o Discuss a framework to minimize risk
o Offer a framework to prepare for social media risk readiness
o Discuss new trends in Social Media Security Risk
SocialSafeGuard.com

Social Media Threat: challenges for Legal Firms and their Clients exploded in ’16, with multiple functions and employees going social, creating new risk
[Figure: functions going social; surviving label: Marketing]

Social Revolution: Social Networking Has Surpassed Email for Communications
[Chart: Social Users vs. Email Users by year (2007, 2008, 2009, 2010, 2011, 2015); callout: 1.1 billion social users]
Source: Comscore

Social media risk is now an urgent matter

Proliferation of Channels
• Disruptive technology trends such as mobile and social wreak havoc on information security
• Comprehensive approach is needed to keep up with disruption of social channels

Consumption Spike
• 40% of employees check their social media accounts in the workplace more than 10X per day
• 50% of corporate executives use 2-3 social networks daily

Increasing Risk Profile
• Security professionals struggle to meet cyber challenges; employees using social are even harder to control
• Regulatory bodies stepping up enforcement and fines (See appendix)

Wide ranging concern
• Every industry is affected by the problem
• Global issues with customers on all continents
• Regulated companies have the most complex situation

Sources: Forrester Wave, “Social Media Risk Management”, 2015, Forrester, “Social Archiving”, GRC 2020 award Socialnomics.net, Gen Y 2015 Report, Social Media in the Workplace, www.generationirony.com

Companies are feeling the pain of Social Media failure

Enterprise Losses
• SPAM and Phishing
• Corporate Espionage
• Identity Theft
• Financial Loss
• Social Account Takeover
• Privacy Invasion
• Regulatory violations & fines (FDA, HIPAA, FINRA)
• Business reputation

“By 2018, organizations that monitor and analyze a broad spectrum of employee activities will experience 50% fewer insider data breaches than organizations that monitor internal communications only.”
Source: Gartner, Market Guide for Employee Monitoring and Analytics, March 29, 2016, Andrew Walls.

See appendix for examples of catastrophic risks and losses

Notable social media failures
• FINRA sanctions financial firms – regulatory agency fines FinServ leaders for violating social media rules.
• OIG Investigates Veterans Affairs' Use of Unauthorized Social Network – US Gov’t investigator cites agency for failure to put proper compliance controls in place and for security vulnerability.
• Allstate “Mayhem” premieres a Social Media Failure at Super Bowl XLIX - Billions of viewers see the potential impact of inappropriate disclosure on social media.
• CENTCOM is breached via social media.
• Bank of America hacked through Social Media - Social presence levers account takeover.
• Iranians indicted for cyber attack through Social Media fake accounts. Affected banks include JP Morgan, Capital One.
• The Wall Street Journal reported that two major US law firms had been hacked – social media engineering could have been used.
8/5/2016

Why is Security vital for Social?
• Cisco Report - #1 threat to corporate network breach is Facebook.
• Trend Micro – 5.8% of all tweets are malicious – 29 million per day.
• McAfee – Employees experience cybercrime on social more than any other business platform, including email.
• Norton - 40% of people have fallen victim to social media cybercrime.
• Barracuda research - 92% of social media users report receiving spam, 54% have received phishing links and 23% have received malware.
• Frost & Sullivan – 43% of information security professionals rated social media as a top or high concern.
• Proposed US Budget for 2017 includes $19 billion for cybersecurity, the same amount as NASA.

Protect your legal practice and your clients in a 4 step approach
Steps: Asset Mapping, Risk Analysis, Prioritize Risks, Remediate
• Identify all social assets across selected networks.
• Identify / classify threats for Process assets and using advanced algorithms and map action threats
• Initiate monitoring or take-down requests and monitor for conclusion

Start by Mapping key social media attack surface and its risks
• What is your current risk exposure?
• Where are your risks concentrated?
• What are the trends?
• What types of risks do you face in social?
“Risk insights are the new holy grail” – Nick Hayes, Forrester, Tech Radar Report

Understand the risks - Fake Social Accounts and Pages have become a serious issue
[Screenshot of a fake page, with callouts:]
• Page Not Verified
• Wrong Category
• No Likes / Followers
• Minimally completed profile
• Frequent Religious Views Posted to Page

Impersonation for Social Engineering is Growing
• Would you have connected with them?
• Do they work at your company?
• Does their profile appear complete?
• Does their profile appear accurate?

Account hacking is a major source of security news
• Notification and freeze if your social account changes
• Algorithm driven detection of account hacking
• Restore immediately to previous state
• Removal of any malicious content posted by hackers

Need to monitor the different types of social communities
• Internal Collaboration Tools
• Social Media Management Platforms
• Social Business Applications
• Public Social Networks

But don’t get in the way of the users…
• Easy to use and deploy: Works like antivirus software with no new interface needed for users
• Comprehensive on Day 1: Takes action against security risks by industry, out-of-the-box
• Expansion is simple: Choose the people, social networks, profiles, documents, and apps to protect
• Secure, no maintenance: Private cloud architecture scales to enterprise customer’s need
“Social SafeGuard is the protection we’ve been waiting for” Brand Manager, Major Pharma

Future Threat Trends
• Social data used to develop campaigns aimed at stealing sensitive information, creating fake profiles and conducting criminal activity
• Facebook, LinkedIn, Twitter and others were designed to deliver malware.
• Attackers discover a user's location, contacts and job function, among other information.

However, before you begin to implement social media security, an operating model is needed...
1. The CISO (Chief Information Security Officer) should involve legal, human resources, marketing, IT and other relevant departments in a planning phase that defines the objectives of the social media security mitigation program.
2. An analysis looking at areas representing the greatest risk should review and prioritize current security exposures and the “new” network.
3. Policies that address the requirements of security (and regulatory agencies if relevant) need to be created along with policies on acceptable social media behavior, codes of conduct and an explanation of how oversight will take place.
4. A program roll out should first focus on the departments, teams and individuals that produce the greatest volume of social media data and the most risk. That roll out should be accompanied with comprehensive training throughout the organization followed by close monitoring, so process improvements can be made continuously.