Without the proper policies and controls in place, the combination of social media and BYOD can be an enterprise security nightmare. People are more apt to engage in risky behavior—clicking unfamiliar links, opening questionable attachments—on their own devices than they are on corporate-owned, IT-controlled laptops and smartphones, and BYOD devices are often less secure against attack. Mingling corporate data (or the means to access corporate data) with personal social media and communications apps creates several risks. Let's look at the two major ones and how to overcome them.
1. Viruses and malware
The spread of viruses and malware through social media and email is an everyday occurrence. Here's how it usually happens:
- Malicious software compromises an end user device.
- The malicious software attempts to spread, usually by taking over the end user's social media account(s) to post a link that, if clicked, downloads a copy of the malware to whoever clicked it. These links are often disguised as "must-watch" videos or otherwise presented in a way that tempts large numbers of users into clicking them out of curiosity. An unwary end user, thinking the link was shared by a trusted friend or acquaintance, may not hesitate to click.
- Once other users have been infected, their accounts share the same malicious links in turn, allowing the malware to spread farther and farther.
The purposes of individual pieces of malware vary. From an enterprise perspective, the most dangerous are those that have been designed to steal authentication information or other data from compromised devices. Theft of login credentials in particular is one of the biggest threats to security when it comes to social media and BYOD.
Preventing viruses and malware from affecting BYOD devices demands both technology- and policy-based measures. At the bare minimum, BYOD devices must have robust, up-to-date endpoint security software installed. Mobile Device Management (MDM) solutions can help make sure this security software is correctly configured. And employees must be educated on the security hazards of social media and BYOD.
2. Social engineering
Speaking of employee education, it is particularly critical when it comes to the other major hazard of social media and BYOD: social engineering.
Social engineering is a particularly insidious, if less common, type of attack. In a social engineering attack, victims are tricked into giving out their sensitive information, usually login credentials, or are tricked into providing enough information for the attacker to guess their login credentials. Social engineering attacks can range from phishing scams—typically, forged emails that appear to be from the victim's bank or other trusted service provider, requesting that the victim visit a website (also forged) to update their login information—to fake social media accounts whose owners befriend users in an attempt to steal their information.
Because the success of a social engineering attack relies on the victim's willingness to trust the forged email or social media user, user education is vital to security. Organizations must invest time in training employees to spot and report suspicious messages. Employees must also be warned never to give out sensitive information, particularly the kind of information often used to authenticate user accounts online or to answer account-recovery questions: birth dates, hometowns, mothers' maiden names, and other seemingly innocuous nuggets of personal information.
Securing enterprise data in the era of social media and BYOD can be a challenge. With the right technology and training in place, however, it can be done.
What dangers do you see social media and BYOD posing to the enterprise? Tell us what you think in the comments.