Over the past few years the consumerisation of IT has become just one more thing for the IT department to 'manage'. The birth of social media and growth of sites such as Twitter and Facebook have seen the use of these channels seep into the working day – and on to business technology devices.
Belonging to a social network has become almost as prevalent as having an email address. Indeed, many organisations see the value of social networking, and are increasingly using sites as part of their HR and marketing initiatives, as well as for customer service, and product research and development.
Yet, while the business benefits of social networks have been discussed at length, a potentially more damaging impact of social networking – the danger it poses to data security and identity theft – has been at worst ignored and at best unchecked.
The Web Hacking Incidents Database 2009 Bi-Annual Report showed an increase of 30 per cent in web attacks compared to the first half of 2008. Social networking sites accounted for 19 per cent of hacking attacks, making it the most targeted vertical. These figures vividly illustrate the threat to organisations from their employees' use of social networks.
With users accessing personal networks at work and business networks at home, the line between the two worlds is becoming increasingly blurred. A user's password for their Facebook account is more likely than ever to be the same as the one they access their business network with.
Worryingly for businesses, it has never been as easy for hackers to access corporate information. Today, they have access to much easier and lower-tech tools with which they can crack passwords, steal user identities and compromise personal web accounts and organisations' networks. Growing threats such as password guessing, social engineering, Denial of Service attacks, SQL injections and brute forcing passwords – along with malware and phishing – are making it harder for IT departments to protect their organisation's users, network and data. To demonstrate how easy that is, just Google "brute force passwords" and within the first five results you can watch a password-cracking YouTube tutorial.
The Twitter hack in July 2009 is still one of the best examples of how easy it can be for hackers. In this case the hacker – without using any technology – guessed the password to a user's Yahoo! account. Once in, they found Twitter's company information in the person's email account and used it to hack Twitter, stealing highly confidential company documents – including the CEO's credit card details and staff PayPal logins – that were stored in Google Apps.
Social engineering is also on the increase, and it too dodges past security measures such as blanket bans to exploit the human factor. The situation below shows how a social engineering attack could unfold:
1. Using false Twitter and LinkedIn profiles, and posing as a member of the IT department, a hacker lures an employee to be their 'friend'.
2. Using information found on their new 'friend's' profile, the hacker goes about gathering potentially useful information.
3. Within this new 'friend' group, the hacker identifies potential target employees – a new member of staff, for example.
4. The hacker then targets employees whose email addresses they have acquired, enabling the hacker to carry out a number of attacks, such as phishing.
5. From there the hacker compromises the target further and starts to profile additional attack streams such as webmail, SSL/VPN and online CRM.
This scenario is not outlandish, as many of us will know people who accept people as 'friends' and 'contacts' that they have no real knowledge of.
So, how can businesses tackle these myriad threats? While it would be easy for businesses to ban social networking, these sites are just a few of the many applications businesses use that utilise Web 2.0, so a blanket ban would not combat the risks presented by these sites.
Instead, organisations should face up to the variety of threats social media poses by introducing policies and defences to manage this risk and prevent hacks. In addition to adopting new-generation anti-virus and anti-malware applications and producing 'best-use' guidance for employees on social networking in the workplace, organisations should look to combat the root cause of these threats: the password.
As demonstrated, many businesses are only as secure as a single password. The best way to mitigate the threats outlined above is to introduce more robust security measures, one of the most effective being two-factor authentication (2FA). By replacing vulnerable static passwords with a PIN plus a one-time-password-generating token, organisations take away the hackers' opportunity to gain access to their networks and data: a password guessed, reused or phished from a social network no longer opens the corporate door on its own. When used as part of a robust security policy, 2FA allows organisations to use 21st century security measures to see off 21st century threats.
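As an added illustration of the PIN-plus-one-time-password scheme described above (example code written for this page, not the article's own or any vendor's product), the following Python verifies a login against both factors. The one-time password is HOTP as specified in RFC 4226 (HMAC-SHA1 over an event counter, dynamic truncation to six digits); the account store, the PBKDF2 hashing of the PIN, the five-step look-ahead window for resynchronisation and the sample PIN and token secret are assumptions chosen for the example. The point it demonstrates is the one the paragraph makes: a stolen or reused PIN alone fails, and a one-time password that has already been used fails too, because the server advances its counter past it.

```python
import hashlib
import hmac
import secrets
import struct

# Added example: a minimal server-side PIN + HOTP (RFC 4226) verifier.
# The account store, PIN hashing parameters, window size and sample
# values below are constructed for illustration, not taken from any product.

DIGITS = 6            # length of the one-time password the token displays
LOOK_AHEAD = 5        # how far the server searches if the user pressed the token without logging in
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the PIN only as a salted PBKDF2 hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Server-side record for one user: hashed PIN, shared token secret, next expected counter."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # the counter value the server expects the token to use next


def verify_login(account: Account, pin: str, otp: str) -> bool:
    """Accept only if both the PIN and a fresh one-time password match.

    The counter is committed only on a fully successful login, so a replayed
    OTP is rejected afterwards and a wrong PIN does not burn valid codes."""
    pin_ok = hmac.compare_digest(hash_pin(pin, account.salt), account.pin_hash)

    matched = None
    for c in range(account.counter, account.counter + LOOK_AHEAD + 1):
        # constant-time comparison; differing lengths simply compare unequal
        if hmac.compare_digest(hotp(account.token_secret, c), otp):
            matched = c
            break

    if pin_ok and matched is not None:
        account.counter = matched + 1   # move past the used code: no replay
        return True
    return False


def demo() -> dict:
    """Walk through the article's scenario: the static factor leaks, the OTP does not."""
    secret = b"12345678901234567890"   # constructed sample secret (RFC 4226 test key)
    acct = Account("4321", secret)      # constructed sample PIN

    first_code = hotp(secret, 0)        # what the user's token shows for its first press
    results = {
        "genuine_login": verify_login(acct, "4321", first_code),
        "replayed_otp": verify_login(acct, "4321", first_code),      # same code again
        "leaked_pin_only": verify_login(acct, "4321", "123456"),     # PIN known, OTP guessed
        "wrong_pin": verify_login(acct, "0000", hotp(secret, 1)),    # OTP known, PIN wrong
        "resync_after_skips": verify_login(acct, "4321", hotp(secret, 3)),
    }
    results["counter_after"] = acct.counter
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first call succeeds, the replay of the same code is refused, the leaked PIN with a guessed code is refused, a wrong PIN is refused even with a valid code (and does not advance the counter), and a code a few presses ahead is accepted through the look-ahead window. A real deployment would add rate limiting on failed attempts and lock-out, which this example leaves out.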