For organizations both large and small, security is often the biggest hurdle standing in the way of successful BYOD adoption, and social media use on BYOD devices can create additional challenges. Addressing social media security concerns on corporate-issued devices is fairly simple, since IT administrators have the access and controls they need to simply restrict certain activities or block certain sites. Not so on BYOD devices, which employees use for both personal and business purposes. Social media security must not be neglected in BYOD environments, however. Here are two scenarios illustrating how social networking poses security threats to the enterprise.
1. Infiltration via malware and viruses
Have you ever heard of "Backoff"? It's causing massive security headaches in the retail industry. It's the likely cause of a suspected data breach at Home Depot, according to eWeek; it's reported by some sources to be the cause of last year's catastrophic Target breach and described by others to be "closely related to the malware that infected Target." And it's malware.
How does this relate to how social networking poses security threats to the enterprise? It's quite simple, really. There are few easier ways to spread malware than over social networking sites. Whether or not you like the links your Facebook or LinkedIn connections share, you most likely at least believe those links are safe to click. That becomes a problem when someone in your friends list has his account compromised and used to post links to malware. And it becomes an enterprise security nightmare when an employee clicks on a malware link while using a BYOD device or on the corporate network. Once in the corporate systems, malware can go undetected for weeks, feeling out vulnerabilities and exfiltrating data right out from under an organization's nose—as hackers did with Target.
2. Targeted attacks via social engineering
Malware is the more common of the two major ways in which social networking poses security threats to the enterprise, but targeted attacks via social engineering are more insidious and harder to defend against.
Consider this scenario: attackers have decided to steal your corporate data. Perhaps they want to steal and sell your customers' credit card numbers. Perhaps they're after your proprietary R&D data or designs. Or perhaps they have an axe to grind with the company and want to leak confidential corporate financial information in order to embarrass the company or negatively affect its stock prices.
How can they do so? One way would be through social engineering. Attackers might begin by searching the Internet for information on your employees, focusing on which employees might have access to the data the attackers seek. Once the attackers have found an employee (or employees) to focus on, the social engineering begins. The targets might get a friend request on Facebook or a connection request on LinkedIn. The friend request might appear to come from an attractive member of the opposite sex, the connection request from an old schoolmate or colleague. (LinkedIn doesn't verify education or work background, after all.)
Once accepted, that new "friend" begins combing through the targets' profiles and posts and may strike up a casual conversation, all to find the kind of information that could be used to guess a password. You'd be surprised how many people use the same passwords for personal and work accounts. All too often, once an attacker has guessed one of the target's passwords, the attacker has found a way into the target's work systems. And from there, the sky's the limit.
As you can see, social networking poses security threats that can prove disastrous to any organization. Only a combination of technology—endpoint security software in particular—and end user education can stop those threats.
Do you think social networking poses security threats dangerous enough for enterprises to take seriously? Tell us your thoughts in the comments.