For any organization, cybersecurity vulnerabilities start with human beings. And when it comes to third-party digital tools, the line between personal and professional use has blurred.
There are distinctly work-related collaboration applications, like Slack and Teams. But employees and executives also maintain private accounts such as Twitter, LinkedIn, and WhatsApp. And though these social media and mobile chat applications are nominally personal and employee-owned, their actual use crosses over with their professional space.
Executives and employees now regularly use personal applications to access work-related information or documents, talk to customers, or grow their network. The toggle between personal and professional use is constant. And so, even though these channels are employee-owned, they implicate the company. These channels widen the organizational attack surface for bad actors who view third-party accounts and devices as a pathway to penetrate the enterprise security perimeter.
Employees and Executives are Targets
It is essential to include employee-owned private accounts in your security and compliance strategy.
According to CyberNews, stolen private profiles have recently been put up for sale on cybercriminal forums. In separate reports, one leaker offered data on 500 million Facebook users online virtually for free. Days later, another hacker announced he was selling 780,000 LinkedIn profiles on a popular cybercriminal forum, leaking 2 million of those records as proof.
In the summer of 2020, the accounts of 130 prominent individuals and organizations were hijacked in a coordinated social engineering attack on Twitter. The hijacked accounts posted a link urging followers to send Bitcoin, promising to return double the amount contributed. About $100,000 worth of Bitcoin was taken from unsuspecting victims.
Of course, executives and employees know these dangers:
- 84% of C-level industry leaders have become the target of at least one cyber attack.
- In general, about 70% of execs fear massive damage to their brand and reputation in the event of a successful social engineering attack.
But despite this level of awareness, there is still a lack of appropriate response to this matter:
- 76% of executives admit to sidestepping security protocols in exchange for speed. This can cause massive brand and reputation damage if their social media accounts are compromised.
- 52% cited the use of unsanctioned apps as their biggest security and compliance challenge within their organization.
With the pandemic rapidly forcing digital transformation across enterprises, both executives and employees are reaching for whatever tools help them accomplish their goals faster, never mind the risk. This includes using their private accounts whenever it feels most convenient.
Employee-Owned, Private Applications Expand the Threat Surface
First, we must understand that there are two basic types of attack surfaces that a company can possess: the public attack surface and the private one.
Employee-owned accounts and private profiles fall under the private attack surface. Most organizations currently possess no way to secure these channels and wouldn’t know how to institute this security without creating serious privacy breaches.
71% of IT security professionals believe that the hyper-acceleration of digital transformation has greatly increased data breach risks and cybersecurity threats. This is an accurate observation, because the private attack surface has expanded for many companies.
In reality, the following scenarios are happening more and more:
- Sales teams are corresponding with prospects using closed tools like WhatsApp and WeChat.
- Executives and business development teams are networking via LinkedIn direct messages, using their private accounts.
- Businesses are responding to customer inquiries and offering support via social media channels like Facebook that are linked to their personal profiles.
All of this communication and information exchange is happening through private, “employee-owned” accounts. Naturally, no security team can police this unless they find the right tools for the job.
Leveraging the Right Tools and Approaches
Organizations are best served by partnering with their employees to protect private accounts. Before applying any solution, companies should secure their employees’ buy-in; there needs to be consent that a security and compliance solution can be mutually beneficial.
Once this consent is in place, what is the right solution for the job?
First, any solution has to be scalable. Traditional cybersecurity and compliance tools cannot handle the threats coming through platforms like LinkedIn and Twitter because they do not scale: the sheer volume and velocity of data flowing through these private channels cannot be monitored and reviewed manually.
Then there’s privacy. Your solution has to be able to truly monitor the content streams of these channels without breaching the privacy of the employee who owns them. No one likes the idea of being spied on, not employees, and certainly not executives. Security teams, then, need to look into solutions that monitor for threats but do not intrude on message-level privacy.
What brands need is a cybersecurity solution that provides the following benefits:
1. 100% Threat Visibility
An effective solution must provide security teams with the power to onboard and protect all employee accounts. That means scanning communications and private accounts for the following:
- Direct messages sent to their accounts that include unsafe links or attachments, such as malware or phishing lures.
- Inbound threats, such as connection requests from bad actors.
- Changes to the information on their social media profiles.
- Notifications when potential bad actors follow their accounts.
- High-volume follows or likes on their accounts.
- Breaches that contain the email addresses associated with social media accounts.
2. Privacy Considerations
At the same time, an effective cybersecurity solution should maintain the privacy of employees’ messages.
Teams reviewing risk events should only be able to see the relevant security or compliance issues that have been flagged, such as malicious payloads, data leaks, and suspicious account activity. This is enough to assess the situation and determine remediation measures.
Message content should be masked and not archived. No reviewer should have access to message content within these private accounts.
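To make the two requirements above concrete (flag unsafe links and attachments in inbound direct messages, but surface only the indicator to the reviewer, never the message body), here is an added example scanner. It is not code from the original page or from any vendor's product; the detection rules (lookalike brand domains, link shorteners, executable attachments), the message field names and the sample messages are all assumptions constructed for the illustration.

```python
"""Flag risk indicators in inbound DMs without exposing message text (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Brands that get impersonated, mapped to the domains they legitimately use (assumed list).
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com", "x.com"},
    "facebook": {"facebook.com", "fb.com"},
}
# Link shorteners hide the real destination from the recipient (assumed list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
# Extensions that execute when opened on a typical workstation (assumed list).
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi")


@dataclass(frozen=True)
class RiskEvent:
    """What a reviewer gets to see: the indicator, never the message body."""
    message_id: str
    account: str
    sender: str
    indicator: str       # "lookalike_domain", "url_shortener" or "executable_attachment"
    value: str           # the offending URL or filename only
    content_sha256: str  # fingerprint of the body for dedup/audit without revealing it


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> Optional[str]:
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        # Brand name inside the hostname, but not served from the brand's own domain.
        if brand in host and domain not in legit:
            return "lookalike_domain"
    if domain in SHORTENERS or host in SHORTENERS:
        return "url_shortener"
    return None


def classify_attachment(name: str) -> Optional[str]:
    return "executable_attachment" if name.lower().endswith(EXECUTABLE_EXTS) else None


def scan_message(msg: Dict) -> List[RiskEvent]:
    """Inspect one message; the returned events carry indicators and a hash, not the text."""
    fingerprint = hashlib.sha256(msg["text"].encode("utf-8")).hexdigest()
    events: List[RiskEvent] = []

    def emit(indicator: str, value: str) -> None:
        events.append(RiskEvent(msg["id"], msg["account"], msg["sender"], indicator, value, fingerprint))

    for url in URL_RE.findall(msg["text"]):
        kind = classify_url(url.rstrip(".,;)"))
        if kind:
            emit(kind, url.rstrip(".,;)"))
    for name in msg.get("attachments", []):
        kind = classify_attachment(name)
        if kind:
            emit(kind, name)
    return events


def scan_inbox(messages: List[Dict]) -> List[RiskEvent]:
    return [ev for m in messages for ev in scan_message(m)]


# Constructed sample inbound direct messages; none of this is real data.
SAMPLE_DMS = [
    {"id": "dm-1", "account": "exec@example.com", "sender": "recruiter_jane",
     "text": "Loved your talk. Slides here: https://drive.example.org/s/abc123", "attachments": []},
    {"id": "dm-2", "account": "exec@example.com", "sender": "linkedin-support-team",
     "text": "Your account will be restricted. Verify now: http://linkedin-security.example-verify.com/login",
     "attachments": []},
    {"id": "dm-3", "account": "sales@example.com", "sender": "new_lead_99",
     "text": "Please review the attached invoice before our call tomorrow.",
     "attachments": ["Invoice_2231.pdf.exe"]},
    {"id": "dm-4", "account": "sales@example.com", "sender": "new_lead_99",
     "text": "Quick link for you: https://bit.ly/3xyzabc", "attachments": []},
]

if __name__ == "__main__":
    for event in scan_inbox(SAMPLE_DMS):
        print(event)
```

The point of the design is in the `RiskEvent` record: the reviewer queue receives the URL or filename that tripped a rule plus a SHA-256 fingerprint of the body, so duplicate campaigns across many employee accounts can be correlated without anyone reading the underlying conversation. The lookalike check is deliberately simple (brand name in the hostname, registrable domain not on the brand's list); a real deployment would add the Public Suffix List, homoglyph handling and reputation lookups.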
3. Deep and Dark Web Coverage
Many threats don’t even exist on the surface, public web. They lurk in the darker corners of the internet. Companies need to be able to scan the deep and dark web for interactions that mention trigger keywords such as brand name, personnel, projects, and other confidential information. They must be able to receive real-time alerts to activate response and security protocols immediately.
Protect Your Employee-Owned, Private Accounts and Channels
Executives and employees have their own lives and therefore maintain private accounts and channels. However, in this day and age, they are likely to use them frequently for business communications.
This is where the threats come in, and it’s up to businesses to find ways to secure these private profiles as they secure their work-related channels. The only way to do that is by leveraging a cybersecurity tool that provides (1) 100% threat visibility, (2) privacy considerations, (3) dark web coverage, and (4) account/instance access monitoring.
To see how a cybersecurity tool can accomplish these things, request a demo here, and see it in action.