Colin McTrusty | August 09, 2017

End users plus social media can add up to a corporate data breach

People are the last line of defence in your organisation's security infrastructure, yet half the population are ignorant of ransomware, many don't understand phishing, and many trust that social media security is high, says Colin McTrusty.

Those of us in infosec — who are immersed in the realm of cyber-security on a daily (if not hourly) basis — tend to assume that people are vigilant about protecting themselves and that awareness of cyber-best-practices is high. Unfortunately, that's just not the case.

In the Wombat Security 2017 User Risk Report, which showcases the results of a survey of more than 2,000 working adults (1,000 in the US and 1,000 in the UK), we can see that the cyber-security fundamentals that we take for granted — that we believe users are practicing while at work and at home — are not well grasped by the typical employee. A few points worth noting from the report:

- 30 percent of workers, on average, don't know what phishing is.

- 63 percent of US respondents and 58 percent of UK respondents don't know what ransomware is.

- 57 percent of US respondents and 25 percent of UK respondents believe that social media business pages are approved (by Facebook, Instagram, etc) before they are published.

If we think about that in terms of people, not just percentages:

- 600 people in 2,000 can't define phishing, even in basic terms;

- ~1,200 out of 2,000 can't define ransomware; and

- 570 of 1,000 US workers and 250 of 1,000 UK workers think that all business-related posts on social media are safe.

Whatever the size of your organisation, it's important to think how the percentages apply and what the implications of those numbers are.

That said, you may be thinking, “Social media is something people do at home, so there's no threat to my business.” This is a flawed thought process on multiple levels. Even if your organisation blocks social media sites, there is still potential harm to your business. Cyber-criminals can identify your workers, track them, reach out to them, gain their trust, and build a relationship that could result in an inroad to your business. They can also piece together bits of information to craft a very believable social engineering attack, either by spear-phishing email or by phone (or both).

If you don't block access to social media sites, you have even more to think about. Wombat's User Risk Report showed that 54 percent of US workers and 36 percent of UK workers view or post to social media on their work devices. So think for a moment about those numbers of workers who don't know about phishing…or ransomware…and who think that a large portion of posts can always be trusted. Those employees who are unaware and untrained are absolutely exposing your organisation to many risks on social media.

Every day is social media day for your employees. Whilst these sites and applications have transformed the world in terms of connectivity, they have also transformed cyber-crime. The ease with which users can share their info, travels, and thoughts (and meals) has led said users to share more and more data about themselves, their families, and their jobs. Because social media platforms are free and readily available — and used by just about everyone, it seems — the sense of “we're all in this together” has bred a false sense of security among social networkers. Cyber-criminals are taking advantage by mining for information, creating imposter accounts to connect with unsuspecting users, and sending out phishing messages and malicious links.

People are the last line of defence in your organisation's security infrastructure, so it is crucial that they are aware of the common tricks that cyber-criminals could use against them. It is possible for you to increase awareness and educate your employees to make better decisions and fewer mistakes when using social media platforms.