At a time when many banks are finally easing up their social media policies for employees, at least one security firm is warning that the social media profiles of bank staffers are providing valuable information to those seeking to do banks harm.
Bank websites are well-protected from attempts to break in and compromise accounts, but it is more difficult to protect the universe of sites that surround them, not to mention the computers of users and vendors that have access to them. A critical and often overlooked area that can make a bank vulnerable is employees’ social media pages, Joram Borenstein, VP of marketing with financial crime, risk & compliance company NICE Actimize, told Bank Innovation.
“There are a lot of different soft underbellies for midsize to large institutions,” Borenstein said. “Employees themselves are being targeted, and it’s not unusual for an FI to have 10,000 employees, let alone 50 or 100.”
The social media profiles of employees — from cafeteria workers to corner-office executives — are largely public and can offer valuable information to hackers.
“Social media leads to knowledge about employees’ access to sensitive networks, and even who their friends are,” Borenstein said.
It’s often easier to go after an employee than to try and overcome a firewall, Borenstein said. “Who at Bank XYZ has access to sensitive information? Using social media, you know what events they attended, what attachment might they be likely to click on?”
Rather than breaking into an employee’s account, Borenstein said, “Perhaps it’s easier to build an infected website. There are multiple ways of tricking people into reading emails, visiting a site, and infecting their machine. Links in social media, too, can mask an infected website.”
A criminal can build up his knowledge about, say, a bank executive, dummy up an email with information he thinks is likely to entice the individual into clicking a link, and once he does, it’s game over. When the user visits an infected website, a so-called drive-by download can take place invisibly in the background. The computer is infected and the user probably doesn’t know it.
Additionally, many users access social media on mobile devices. (More than half of Facebook’s traffic is now said to come from mobile.) This brings its own set of challenges. “Mobile security is in its infancy. How mobile devices may be compromised is poorly known.”
Concern over the security of social media reared its head at a recent credit union conference, where one executive said, “We were on the cusp of relaxing staff access to social media sites before the conference. Now, if anything, we’ll be tightening down access to social media sites.”
Tightening access is one strategy to minimize risk. Or companies can simply “not let employees have their own social media pages,” as one attorney in the space recommended recently. (Limiting employees’ speech on social media can itself be a tricky legal matter.)
Borenstein recommends a more gradual approach. “You have to embrace the problem in a responsible way,” he said. “You need to conduct training,” and this training should involve your risk people as well as your information security people. Banks seem to have only recently reached a place of comfort regarding social media.
Strategies for engaging customers have matured, regulations are emerging to define the space, and products are being created to manage social media channels in a regulated environment. But banks’ official social media profiles are not the problem. It’s easy enough to forbid rank-and-file employees from spending time on Facebook during work hours, but what about executives? And what about when employees go home? Can they really be forbidden from creating social media accounts that might keep them in closer touch with children and grandchildren? And what about sites like LinkedIn, which employees may have been encouraged to join and fill out profiles on at one time?
With so much information freely flowing around the internet, how can banks plug all the holes? “You can put your finger in the dike only for a certain amount of time,” Borenstein said. It seems banks’ risk and security teams have some work ahead of them — what else is new?
I love it when articles like this come out, because you see how ridiculously silly people can take pragmatic caution to crazy extremes.
1) You will never be able to ban employees from having personal social accounts. Never. Even if you could, you’ll end up with a self-selecting group of employees that leaves you weak and uncompetitive.
2) There is nothing hackers or thieves can do in social media that they can’t do in the analog world. If I want to learn about the life of the head of IT at a firm I can follow him around, see his/her personal likes or dislikes, and craft the exact same kind of social engineering schema. This is not new, just easier to accomplish.
3) There is only one smart course of action here. ONLY ONE. The best defense against the hackers and thieves is having a true understanding of the way these mediums work, translating good security discipline into these mediums, and training your employees. OVER AND OVER AND OVER. Every branch of our military (and in other countries as well) sends its “employees” out into a dangerous world. A world where the amazing social tools that help maintain morale by connecting the “employees” with their families from 10k miles away also have the potential to expose military tactics and secrets with the most severe of consequences. And that is why part of basic training, and ongoing training, is the importance of good social media behavior, how to identify risks and threats, and a reminder of the implications and consequences of making a mistake.
These mediums exist. The threats they pose are NOT new. Pretending you can insulate yourself from them is irresponsible at best, remarkably stupid at worst.