Social Media, Identity Theft and Corporate Risks
5th August 2014
The growth of web-based social media applications such as Facebook, Twitter and LinkedIn presents a set of unique challenges to organisations, both with respect to the individual users and also the possibility of breaching corporate information security principles. Addressing these risks is an important objective of an Information Security Management System, and should be given proper consideration during formal risk assessment activities.
It is known that law enforcement and public authorities are already using social media applications to seek out information on individuals, as are insurance companies and other investigative organisations. There’s also current and future employers who will be taking an interest in social media activities, and perhaps most sinister of all are those who have illegal intentions such as identify theft, stalking, harassment and corporate fraud.
Social Media Applications and the Individual
Recently described as “one of the fastest growing industries in the world”, identity theft has been defined by the Identity Theft Resource Centre as encompassing five distinct activities:
- Business or commercial identity theft (e.g. for obtaining a line of credit)
- Criminal identity theft (e.g. providing a false identity when apprehended for crimes)
- Financial identity theft (e.g. using another’s identity to obtain credit, goods or services)
- Identity cloning (e.g. using another’s information to replicate and live their daily lives)
- Medical identity theft (e.g. using another’s identity to obtain treatment or medication)
Social media applications promote the sharing of information, and can provide most or all of the information which allow for all of the above activities to take place, if they are not configured and used correctly. Some examples include:
- Disclosure of date and place of birth: frequently displayed on Facebook profiles, without proper consideration for how these could be misused by others
- Mother’s maiden name: used universally as a piece of authentication information – can this be worked out from social media content?
- Holiday plans: not only advertises when property will be empty, but allows identity thieves an attack window when they know the users are unlikely to be checking their accounts
- Use of location services: many social media applications allow users to communicate their precise geographic location, again allowing attack windows
- Unrestricted photographic content: from security arrangements of an office to vehicle registration numbers. Very useful in the wrong hands.
Educating Social Media Users
Most social media applications already offer reasonable levels of protection for user’s personal information, but users need to understand what these are and how to set and maintain these controls effectively. Using Facebook, as an example, users are routinely offered four levels of privacy:
- Friends only – a sensible option, sharing content and photos only with known friends (although it doesn’t restrict how friends might then onwardly share that information)
- Friends of Friends – whilst users will have a reasonable degree of comfort within their friends network, how well do they know the friends of their friends?
- Everyone – the global setting which offers no privacy or security. Using this privacy option provides no protection – anyone with a Facebook account will see this content
- Customise – allows for the individual configuration of content, although is most time consuming to implement. Allows users to limit content down to one person, if need be
Other social media platforms provide a similar range of privacy options, and a program of user awareness and privacy training is a wise investment to ensure that they are used properly.
Social Media Applications and the Employer
Whilst many of the above observations expose vulnerabilities to the individual users of social media applications, some of these users will also be trusted employees of an organisation. An emerging and worrying trend is for individual identities to be compromised, with the associated increased threat of corporate identity fraud using this illegally gained information. This is most serious if the compromised individual is a key member of an organisation perhaps with responsibility for legal or financial matters, where in the worst cases the legal status of the company could be changed, financial records amended or disclosed, or financial funds diverted to unauthorised accounts.
As part of an effective Information Security Management System, organisations should establish, implement and communicate their position on and the agreed acceptable use of social media applications – typically within a Social Media Policy. This document should clearly explain, as a minimum:
- the objectives of the Policy: protecting the company, its information and its employees
- position on using social media applications: from a complete ban to authorised purposes
- communicating an acceptable code of conduct – what should and should not be posted
- communication of known risks – including specific risks about using mobile devices
- managing passwords – keeping social media passwords separate (and different)
- details of monitoring activities that are to be undertaken to measure policy compliance
A balanced, considered view is necessary. A total ban of social media is difficult to enforce, and can lead to the organisation missing out on the positive aspects of using social media:
- raise awareness of the organisation’s existence and its activities
- promote and advertise new products and services
- allow great flexibility for communicating with customers and employees
- advertise vacancies, share press releases
- participation and collaboration in sector based forums and discussion groups
A few moments on Google (other search engines are available) will return numerous stories of social media application postings bring disciplinary action and dismissals for (ex) employees, including examples of a waitress complaining about poor tips from a diner, a journalist challenging the management practices of his senior executives, and an IT manager relieved of his position for openly discussing the salary packages of his colleagues.
If unauthorised or negative postings are located, it is imperative that organisations take prompt and effective action to ensure that they are removed, and any resulting damage minimised. Whilst there is valid debate around “freedom of speech”, this blog is primarily concerned with protecting organisational information assets in these circumstances.
Social media applications, most notably Facebook and Twitter, offer users a bewildering array of third party software programs and utilities, from games and news feeds to shopping channels and music services. If an organisation is allowing any level of access to social media applications, its supporting security policies should clearly state the position on whether such downloads are permissible.
The threat remains that users will not know the authenticity of the code that they are downloading to the organisation’s ICT infrastructure, and therefore cannot be certain that it does not contain any malicious code that could compromise the user’s account, or worse the wider corporate network. High profile social media breaches are sadly all too common, and technical measures may need to be considered to manage such risks.
Social media applications are here to stay, and organisations need to understand and assess the risks that they pose alongside the benefits that they may provide. Effective controls should be implemented to minimise the possibility of individual or corporate identity theft, data loss, as well as the risks arising from downloaded malicious code.
An effective Information Security Policy, Social Media Policy and Acceptable Use Policy should be in place to provide clear direction to employees. Corporate information security training needs to communicate the risks to the organisation, and equally the risks to the individual which relate to their personal use of social media.
Whilst social media channels provide efficient and cost-effective means of distributing organisational communications, but their content and authority to do so should be clearly defined. Maintain awareness of the possibility of posts containing negative, unauthorised or misleading content, and understand the steps to be taken to minimise the impact.
With our help, you can protect your business from social media related risks through an effective risk management framework.