Social Media’s Minefield

Security teams struggle to keep pace with social media

To gain and maintain a competitive advantage in today’s digitized, omni-channel, ever-evolving media and entertainment landscape, it is critical to maximize exposure where viewers and customers are most active: social media.

As marketing, advertising, sales and recruiting continue to push the envelope on social media engagement, security teams are struggling to keep pace. Unlike with traditional business communication platforms, information security teams have no control over or visibility into social media data, and they have no ability to remediate.

As long as this unprotected gap between growth and security on social media continues to expand, cybercriminals and scammers will exploit consumers and businesses alike.

Here are the top four social media threats targeting the media & entertainment industry:

Account Hijacking

A media company’s social media profiles are incredibly valuable assets—arguably more important than the brand website or the corporate network. The company’s value and its ability to reach targeted audiences are directly related to and reliant upon its social media presence. Media organizations invest millions into building a strong follower base, engaging with consumers, and translating social reputation into revenue—which puts a bull’s-eye on these accounts for cyber criminals.

For media organizations with sizable followings, the fallout of a social media security breach can be devastating—whether it be millions of lost followers, public relations nightmares, lost customers or decreased engagement. Even a one percent decrease in social ROI can have long-term consequences for media giants. The reputational impact is harder to quantify—yet equally, if not more, damaging.

Attackers use a variety of tactics to breach social media accounts, ranging from brute forcing insecure passwords, to targeted phishing schemes against social media managers, to breached third-party apps at a partner organization (e.g. a digital marketing agency). Once inside, they can slander the brand by sending malicious content to followers, or lie in wait, exfiltrating sensitive data, pivoting their access into the corporate network and biding their time to launch a high-impact public attack.

Security teams must work with marketing teams to lock down these accounts. Just as security is responsible for securing the website, it must also place controls around social media. Security teams need to work with social media teams to enable multi-factor authentication, standardize privacy settings, monitor access and train social media practitioners on safe, compliant usage relative to company security policies.

Impersonations

Just as cyber criminals look to hijack media organizations’ social identities, they also look to impersonate them. Attackers create fraudulent brand profiles and support accounts to engage with hard-earned followers. Once these malicious actors gain the trust of followers, they strike, and customer scams run rampant on social media. Attackers distribute phishing links, malware kits and financial scams disguised as authentic brand social media content, including coupons, promotions, ads for products, company updates and more.

The most popular scammer tactic on social media is creating fake accounts to engage in all forms of social engineering. Building a fake account is trivial, and even non-technical adversaries can build a convincing one with images, logos, and messaging pulled verbatim from the real account. Fake accounts also often impersonate a celebrity or executive profile to engage fans and followers in order to extort money and distribute malicious links.

Spearphishing

Social media is an inherently trusted platform, lacks security visibility and broadcasts its users to nefarious actors, making it a prime vector for cyber attackers’ bread and butter: spearphishing. All it takes is one simple LinkedIn query to enable a cybercriminal to footprint an entire media institution.

Once this footprint is obtained, fake accounts begin targeting employees with spearphishing messages. As long as your company has people, spearphishing will be the main tactic used to breach your corporate network.

Stopping spearphishing is no easy thing. There’s a reason why it’s been the backbone of the cybercriminal’s arsenal for years. When it comes to social media, organizations must take a combined technological and educational approach. Employees are the weakest link in the security chain, but they’re also the first line of defense. The better trained they are, the less likely the organization at large will fall victim to a breach. Security teams should also monitor for malicious links and fake accounts on social media.

Physical Threats

Media organizations often work closely with public figures and celebrities and utilize physical spaces for events, sponsorships, filming, etc. Both people and locations are subject to physical threats across social media and digital channels. Corporate security personnel are often surprised at how often physical threats are broadcast online beforehand. Getting this intel quickly can make the difference in anticipating a security disaster.

Alternatively, if a highly public person posts about their whereabouts, travel plans or lodging, they are immediately putting themselves at risk of robbery and physical attacks. In the same vein, all it takes is one on-site media production employee to “check in” to his or her location on social media, post a photo with a location tag, or send a Snapchat with a geofilter to put the entire media series at risk. Disclosing a filming location over social and digital channels could result in individuals flooding the filming site, pirating or leaking content before the official release—or worse, physically harming the production team and equipment.

Media organizations can avert disaster by leveraging data to identify at-risk executives and celebrities who disclose a dangerous amount of information, and to gain insight into external threats near the people and physical spaces they rely on.

Protect Yourself

Departments within media & entertainment organizations need to work collaboratively to identify and combat these risks. Solving business risks and security threats on social media requires input from marketing teams, security teams, and risk teams to be effective. Organizations should start by hardening their owned social media accounts to prevent account takeovers. Subsequently, security and risk teams can ingest social media data to identify cyber, brand and physical threats to their organization.

In our digital world, security must align itself with the go-to-market side of the house to protect the business where it distributes content, advertises new media, engages customers and spends millions of marketing dollars. In the social media age, the reality is that the biggest threats never touch the firewall. This is a paradigm that security teams at media organizations are swiftly coming to understand.

Spencer Wolfe is marketing manager at ZeroFOX, a Baltimore-based social media and digital security firm.