Most companies understand the threat posed by using company email. The simple act of opening an infected attachment can release viruses, worms and Trojan horses into the company’s network. The effects can range from mere annoyance (such as changing desktop backgrounds) to devastating (dissemination of confidential business and client records—think Sony Pictures and Target). However, many employers fail to recognize the potential exposure from their employees’ use of social media.
The Same, Yet Different
Similar to email, messaging systems used by various social media sites are used for phishing-based attacks through infected URLs and attachments. However, these attacks are becoming more sophisticated in the social media world. Cyber attackers are now using fake “Like” buttons and fake plug-ins or infected apps. Each of these is designed to install malware or obtain sensitive and confidential data and information, not the least of which could include network access credentials.
But malware is not the only threat to a company’s cyber security. Social media provides the cyber attackers with additional avenues that may not normally be available to them through email. Case in point, the “Newscaster” or “Charming Kitten” attack last year that targeted senior military and diplomatic personnel. In waging the attack, which is believed to have originated in Iran, attackers utilized false on-line personas on various social networking sites. Once an initiation to connect was accepted by the unsuspecting individual, the cyber attackers worked at establishing a trust relationship with the target. This led to the target being vulnerable to opening attachments infected with malware, with the total extent of the damage still unknown.
Cyber attackers will also use social media sites to obtain personal information of the company’s employees. An individual with the right amount of personal information may then gain access to a company’s network through a “forgotten password” recovery system. Even if unable to gain access through such a portal, the sophisticated cyber attacker can obtain enough information to ascertain a company’s network set-up and protections in order to take advantage of the system’s security weaknesses. Regardless of the way the attacker gains access, the end result is the same—the company’s private data has been compromised.
What Can a Company Do To Protect its Data?
As an initial matter, the company and its employees must accept the fact that the use of social media creates potential security risks. With this acknowledgment, companies must emphasize the importance of cyber security with its employees. One way of emphasizing this importance is through the drafting and implementation of a Cyber Security Policy. As we all know, just having a policy in place is not enough. The most important steps to implementing a policy or procedure are training and communication. The policy should be communicated consistently and frequently through the company’s ranks to ensure that everyone from the mailroom to the C-suite understands how to handle suspicious emails or social media links they may encounter.
The phishing scams and other methods attackers use to gain access to a company’s sensitive data continue to become more sophisticated and trickier to identify. Many clients and industries now require vendors to provide clearly documented Cyber Security Policies to ensure that their client’s data is protected while in your company’s possession. If you need a policy, or are concerned that your current policy has not kept pace with this ever-evolving area, Carlson Dash’s employment attorneys can assist your company with drafting and reviewing your policies as well as training your employees.
This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
C. Douglas Moran| Employment, Litigation: Complex Commercial, Real Estate and Bankruptcy
Doug’s practice focuses on providing employers with advice and counsel in employment-related matters, and representing employers, corporations and banks in litigation, including complex litigation. If you need assistance with a related matter, contact Doug.