Securing Your Company’s Social Media
Oct 2nd, 2015 by aperio

Having a social media presence is a requirement for companies today. Most customers expect to be able to find out about and interact with you on Facebook, Twitter, LinkedIn, and possibly other sites such as Instagram or Snapchat. With this increased visibility comes an increased burden. You need to protect your company from hackers who may wish to use your social media accounts for their own ends. Unfortunately, most social media platforms do not provide adequate security options for organizations.

How can social media accounts be hacked?

Over the past few years, we have seen major organizations whose accounts have been hacked. In 2013, these included the Twitter accounts of Associated Press, 60 Minutes, and others. More recently, Target’s Facebook page was used by a person outside their organization to humorously ridicule complaining customers. While amusing, the fact that this could happen without Target’s knowledge should raise concerns for any company with a Facebook account.

How did hackers manage to use these organizations’ accounts? While the Target case involved simply replying to other commenters on Target’s Facebook page while using a Target logo for a profile picture, more extreme methods can be employed. For example, a proven method hackers have employed to acquire login and password information to accounts is phishing. In several cases, the hackers simply sent out emails to individuals in a company telling them they needed to reset their account passwords and providing a link to do so. This link directed the victims to a false page designed to look legitimate. Victims entered their account information, accidentally giving it to the hackers. In an attack such as this, it only takes one user with account information to be fooled for the attack to succeed.

What are some best practices to protect against these attacks?

1.    Regularly monitor posts on your accounts. In the case of Target’s Facebook page, regular monitoring of the account, especially after enacting a policy that was predictably controversial (gender-neutral displays for children’s toys), would be the best defense against having a person outside the organization appear to speak for it.
2.    Use alert service applications to monitor activity on your accounts. These applications automatically check for varying kinds of unauthorized access.
3.    Use a password manager. Among other features, these can provide random password generators that make it simple for you to create strong passwords.
4.    Control the number of people in your organization who have access to your social media accounts. Keep this number low, and maintain records of who has access. You may want to consider using a social media management system such as HootSuite or SproutSocial, as these make it possible for you to allow members of your organization to post content without knowing account passwords.
5.    Have your IT department change account passwords regularly.
6.    Avoid using a work email address when you set up your social media accounts. Hackers can easily guess at work email addresses (FirstName@YourCompany.com, Marketing@YourCompany.com, etc.) until they hit on one that works.

Protecting against hacking will be an ongoing process. However, following the above tips should provide your organization with additional security.

Recovering after a disaster, will your company survive?
Sep 28th, 2015 by aperio

How likely is your business to be able to recover after a disaster? According to FEMA (Federal Emergency Management Agency), 40% of businesses affected by disaster never reopen. Additionally, 25% more fail within the next two years. The consequences of a poorly thought-out or non-existent disaster recovery plan are clear. No business or organization should risk overlooking this critical need.

Natural disasters including hurricanes, earthquakes, and floods come readily to mind when thinking of disaster recovery. And during California’s severe drought, wildfires are of course of grave concern. There are other kinds of disasters to be aware of too. Can your business recover from data loss caused by a power surge? Can your company still function if the majority of the employees are struck by an influenza epidemic? How well can you recover from a security breach?

Your disaster recovery plan should also take into account relatively mundane concerns that can still have a profound effect on your business, including loss of internet service for an extended period or a server crash at a busy time.

Cloud technology is one way of minimizing your risks during a disaster, since it can allow you to place key functions off site in areas at less risk. And while no one can plan perfectly for all possibilities, there are several steps you can take to further minimize your risks. Before disaster strikes you can plan ahead, making sure to consider the following:

●    Your business location – If a disaster means you can’t do business in your usual location, you’ll need to have an alternate location planned. You may need to arrange to transport employees, equipment, data, and supplies.
●    Staying in touch with your customers – Also develop a plan for how you’ll let your customers know your new temporary location and how to contact you.
●    Documenting your property – In addition to keeping an up-to-date inventory of all of your equipment, consider taking pictures of your property to assist your insurance companies if they need to assess damage.
●    Meeting your emergency cash need – Develop processes for how you’ll manage cash flow. You’ll want to be sure necessary bills continue to be paid as well as being able to deposit payments from your customers.
●    Identifying what’s needed to keep your business running – Prioritize your critical business functions and consider how quickly you’ll need to get each function back up and running.
●    Educating your employees – You’ll need to be able to communicate with your employees during a disaster, of course. But all of your planning will be for nothing if they aren’t trained in your disaster recovery processes before a disaster actually happens. Make certain that your employees know what they need to do ahead of time and that they have access to important contact information for vendors, suppliers, your insurance companies, etc.

A final step to consider in any disaster recovery plan is to re-analyze your processes

Technology Alone Is Not Enough for Security
Sep 21st, 2015 by aperio

What is “social engineering?”

Even if you think you’ve taken every possible step to make certain your data is secure, there’s one aspect of security you may well have overlooked – exploitation of the human factor, which is also referred to as “social engineering.” In the context of IT security, this involves the psychological manipulation of people so they act in a way that allows attackers to get past technological security features, or so they share information that should be confidential. For example, rather than trying to break into a system or crack a password, an attacker would instead persuade a human user to give them a password.

What are some kinds of social engineering to watch out for?

Phishing: This is a technique of getting confidential information by fraudulent methods. It can involve attempts to acquire user names, passwords, credit card details, or even money. Phishing attempts frequently make use of the following techniques to make people more likely to share information:
●    Using link shorteners or embedded links to create apparently legitimate links. After these links are clicked, they direct the victim to websites created for fraudulent purposes.
●    Using threats to create a sense of urgency and fear so the victim will act quickly without thinking through their actions (e.g., “Your account will be canceled unless you act immediately!”).
Tips for preventing phishing: You and your employees should be wary of requests for information that should be confidential. Take the time to verify that these requests are legitimate before providing information.
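
The two techniques above can also be checked mechanically before a message reaches an inbox. The following is an added example, not part of the original post: it scans an HTML email body for shortened links, links whose visible text names a different site than the real target, and urgency wording. The shortener list, the phrase list, the sample message, and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Small illustrative lists (assumptions); a real filter would maintain larger ones.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENCY = re.compile(r"act (now|immediately)|will be (canceled|cancelled|suspended)", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample message, modeled on the techniques described above.
SAMPLE = (
    '<p>Your account will be canceled unless you act immediately!</p>'
    '<p>Reset: <a href="http://login.example.net/reset">https://www.yourcompany.example/reset</a></p>'
    '<p>Or use <a href="https://bit.ly/EXAMPLE">this link</a>.</p>'
)

class LinkCollector(HTMLParser):
    # Collects (href, visible label) pairs plus all text in the body.
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def strip_www(name):
    name = name.lower()
    return name[4:] if name.startswith("www.") else name

def phishing_indicators(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, label in parser.links:
        target = strip_www(urlparse(href).hostname or "")
        if target in SHORTENERS:  # real destination is hidden behind a shortener
            findings.append(("shortened-link", href))
        shown = DOMAIN_IN_TEXT.search(label)  # label that itself looks like a site
        if shown and strip_www(shown.group(1)) != target:
            findings.append(("label-target-mismatch", f"{label} -> {target}"))
    urgent = URGENCY.search(" ".join(parser.text))
    if urgent:  # pressure wording meant to rush the reader
        findings.append(("urgency-language", urgent.group(0)))
    return findings
```

A message with no findings is not proven safe; the checks only surface the specific indicators listed above so that a person can verify the request before acting on it.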

Tailgating: Also known as “piggybacking,” this kind of attack refers to a method of entering an unattended but secured area by simply walking in behind a person who has the proper access. After gaining access to a secured area, an attacker has much easier access to unattended laptops, etc.
Tips for preventing tailgating: You and your employees need to create an atmosphere where it is not considered “common courtesy” to allow entrance to unknown people who do not have the proper security credentials. While it might seem polite to hold the door for another person, train employees to only do so if they also verify that the other person has the appropriate security card or other credential.

Quid pro quo: Quid pro quo means, “something for something.” These attacks involve a promised benefit in exchange for information. For example, a common type of attack can involve a person who makes multiple calls to phone numbers at a company, pretending to be a technical support representative calling to help with a reported problem. Odds are good that after enough calls, they’ll stumble upon a person who does, in fact, have a problem. At that point, the attacker may exploit their victim by having them install malware or otherwise give the attacker access.
Tips for preventing quid pro quo attacks: Technical support representatives should be able to provide identifying information (e.g., a ticket number for a reported issue) before you or your employees trust them with information or access. More generally, you and your employees should be wary of offers that appear “too good to be true,” and of unexpected offers to improve credit scores, financing, and so on.

Additional tips to avoid social engineering attacks

Don’t be in a hurry – Attackers want you to act before you think. When dealing with suspicious requests, remember to slow down.
Be wary of unusual emails – If an email that appears to come from a trusted source seems odd to you, that source may have been hacked. Verify the source of the email.
Educate and train your employees regularly – Make sure everyone in your company is familiar with the various types of social engineering attacks and that they know which information is considered confidential.

UNITRENDS LUNCH AND LEARN EVENT
Sep 18th, 2015 by aperio

REGISTER FOR OUR LUNCH AND LEARN EVENT BY CLICKING HERE

Congratulations Lee
Aug 29th, 2015 by aperio

It was 15 years ago when we first opened our doors at Aperio IT, and it was 15 years ago when Lee applied for a job and set foot in our office. It was then that we hired him as a Systems Engineer. Lee has been like the glue to Aperio IT, holding everything together and figuring out problems before they become problems, and we couldn’t have asked for a better employee. Lee was recently promoted to Service Manager, where he oversees all of our Help Desk. Lee has helped shape our company into what it is today, and we never could have done it without him. Thank you so much, Lee. We are looking forward to 15 more years with you.

 
