Social Media & Cybersecurity in the Workplace
November 4, 2016 TSHHRAE 2016 Annual Conference
Kate Morris Attorney CIPP/US
Agenda
1. Rise of social media
2. Risks of social media use
3. Impact of social media on information security
4. Minimizing the risks
1. Rise of Social Media
https://cybermap.kaspersky.com/
Source: https://www.youtube.com/watch?v=N4znQDyz038
Social Media (v. 2016)
Want more statistics for 2016? See https://www.brandwatch.com/2016/03/96-amazing-social-media-statistics-and-facts-for-2016/
2. Risks of Social Media Use
Risks to Personal Information
Q: What is “Personally identifiable information?”
A: Personally identifiable information (PII), as used in US privacy law, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Facebook’s data policy describes what information FB collects and how it is used and shared.
https://www.facebook.com/about/privacy/#
Kinds of information FB collects:
• Things you do and information you provide
• Information provided by others
• Your network and connections
• Your payment information
• Your device information
Risks for Businesses
• Reputational risk
• Operational risk
• Investment risk
• Legal/Compliance risk
Reputational Risk
Q: What is “reputational risk?”
A: Risk arising from negative perception on the part of customers, counterparties, shareholders, investors or regulators that can adversely affect an organization’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.
Source: United: Social media case study, presented by Lora O’Riordan and Karin Moan - https://vimeo.com/98272378
Operational Risk
Q: What is “Operational Risk”?
A: An internal or external event causing a loss.
• Strategic Risk – leveraging the full power of social media.
• Market Risk – losses to investors.
• Business Risk – losses when social media is misused.
Operational risks of social media use:
• Employees sharing too much information
• Loss of confidential/business-sensitive information
• Loss of employee productivity
• Increased exposure to malware
Legal/Compliance Risks
• International
  – EU Privacy Shield
  – APEC Framework
• Federal laws (enforced by DOJ, FTC, FCC, SEC, EEOC, NLRB)
  – Children’s privacy (COPPA, CIPA)
  – Consumer privacy (FTC Act, FCRA, ECPA, CAN-SPAM, VPPA, TCPA, JFPA)
  – Health privacy (HIPAA, HITECH)
  – Educational privacy (FERPA)
  – Financial privacy (GLBA, Red Flags Rule)
  – Law enforcement (USA PATRIOT Act, CALEA)
• State law
  – Breach notification laws in 47 states (all except Ala., NM, SD)
  – Marketing laws
  – Data security laws (SSN, data destruction)
  – California SB-1
• Guidelines
  – PCI-DSS; ISO 27001
• Company policies, terms of use, content ownership
• Harassment, discrimination and defamation
https://www.ftc.gov/tips-advice/business-center/privacy-and-security
3. Impact of Social Media on Information Security
Who is the enemy?
Enemies
Source: State of Cybersecurity: Implications for 2015 - www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
But the biggest threat to the security of a company could be…
YOU!
What are enemy schemes on social media?
• Social engineering
• Phishing (spear phishing, smishing and vishing)
• Ransomware
• Malware, clickjacking, likejacking
• Survey scams
Social Engineering
Q: What is “Social Engineering?”
A: “Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.”
Phishing
Q: What is “Phishing?”
A: Phishing is a type of social engineering attack used to gain personal information for purposes of identity theft, using fraudulent e-mails and messages.
Characteristics:
• Phishing attacks seek PII;
• tend to use shortened URLs or embedded links;
• usually attempt to get the user to act immediately.
Other Kinds of Phishing
Spear phishing – A more targeted version of phishing, conducted by sending emails to a group known to have a particular relationship.
Smishing – Phishing through text messages, e.g. “Urgent! Your Bank of America Debit Card has been compromised. Call 555-1212 immediately to verify your information.”
Vishing – Robocalling with an urgent message to enter confidential information like a debit card number and PIN.
Ransomware
Source: https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise (includes latest threats and tips for prevention)
Malware
Q: What is “Malware?”
A: “Malware” is short for “malicious software”: computer programs designed to infiltrate and damage computers without the user’s consent.
Example lures:
“Somebody just put up these pictures of you drunk at this wild party! Check ‘em out here!”
“During our regular verification of accounts, we couldn't verify your information. Please click here to update and verify your information.”
“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
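The phishing characteristics listed above (requests for PII, shortened or embedded links, pressure to act immediately) can be turned into a simple triage check that a help desk or mail filter could run over reported messages. This is an added example, not code from the presentation: the term lists, weights and threshold are assumptions chosen for illustration, the links appended to the three sample lures from the slide are constructed, and the two benign messages are constructed as well.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added example (not from the presentation). Indicator lists and weights are
# assumptions for illustration; tune them against your own reported messages.
URGENCY_TERMS = ("immediately", "urgent", "right away", "within 24 hours",
                 "suspended", "compromised", "unauthorized")
PII_TERMS = ("verify your information", "confirm your identity",
             "update your information", "password", "pin", "debit card",
             "account number", "social security")
CLICK_BAIT_TERMS = ("click here", "check 'em out here", "click the link",
                    "see who", "look who")
# Common link shorteners (assumed list); a shortener hides the real destination.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

PHISHING_THRESHOLD = 3  # assumed cut-off: score >= 3 is flagged


def _phrase_pattern(terms):
    # Whole-word/phrase match, so "pin" does not fire on "spinning".
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\b")


URGENCY_RE = _phrase_pattern(URGENCY_TERMS)
PII_RE = _phrase_pattern(PII_TERMS)
CLICK_BAIT_RE = _phrase_pattern(CLICK_BAIT_TERMS)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)  # captures the host


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Score one message body against the slide's phishing characteristics."""
    # Normalise curly quotes so "Check 'em out" matches either way.
    lowered = text.lower().replace("\u2018", "'").replace("\u2019", "'")
    v = Verdict()
    if URGENCY_RE.search(lowered):
        v.score += 2
        v.reasons.append("urgency language")
    if PII_RE.search(lowered):
        v.score += 2
        v.reasons.append("asks for personal or account information")
    if CLICK_BAIT_RE.search(lowered):
        v.score += 1
        v.reasons.append("click bait")
    hosts = [h.lower() for h in URL_RE.findall(text)]
    if hosts:
        v.score += 1
        v.reasons.append("embedded link")
        if any(h in SHORTENER_HOSTS for h in hosts):
            v.score += 2
            v.reasons.append("shortened URL")
    return v


def is_phishing(text: str) -> bool:
    return score_message(text).score >= PHISHING_THRESHOLD


def triage(messages):
    """Return (score, verdict, reasons) per message, highest score first."""
    rows = []
    for m in messages:
        v = score_message(m)
        label = "PHISHING" if v.score >= PHISHING_THRESHOLD else "ok"
        rows.append((v.score, label, v.reasons))
    return sorted(rows, key=lambda r: r[0], reverse=True)


# The three lures quoted on the slide, with constructed links appended.
SAMPLE_LURES = (
    "Somebody just put up these pictures of you drunk at this wild party! "
    "Check 'em out here! http://tinyurl.com/EXAMPLE",
    "During our regular verification of accounts, we couldn't verify your "
    "information. Please click here to update and verify your information. "
    "http://login.example.net/verify",
    "We suspect an unauthorized transaction on your account. To ensure that "
    "your account is not compromised, please click the link below and confirm "
    "your identity. http://bit.ly/EXAMPLE",
)

# Constructed benign messages: a link by itself should not trigger a flag.
BENIGN_MESSAGES = (
    "Reminder: the HR benefits enrollment session is Thursday at 2 pm in "
    "conference room B. Slides will be posted on the intranet afterwards.",
    "Here is the agenda for tomorrow's team meeting: "
    "https://intranet.example.com/agenda",
)

if __name__ == "__main__":
    for score, verdict, reasons in triage(SAMPLE_LURES + BENIGN_MESSAGES):
        print(f"{score:>2} {verdict:9} {', '.join(reasons) or '-'}")
```

Run as a script it prints each message's score and the reasons it was flagged, so a reviewer can see which characteristic fired. Keyword heuristics like this are a first pass only: a carefully written spear-phishing message can avoid every term above, so the check complements the "report suspicious messages" guidance later in the deck rather than replacing it.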
Scams
• The Facebook Color Changer
• The Exploit Video Scam
• Twitter Instant Follower Scam
• “OMG! You did something” Bait Scam
• The “Look Who is Viewing your Profile” Scam
• Bogus Pinterest Pin Scam
4. Minimizing the Risks of Social Media
How do accounts get hacked, and how can you prevent hacking on social media?

Public Wi-Fi
• Don’t use unsecured wireless networks.
• Use a personal hotspot.

Password exposed
Keep passwords private:
• Don’t share your passwords.
• Use strong passwords or passphrases.
• Use two-factor authentication.
• Consider using a password manager (e.g., LastPass).

Social engineering / phishing / spear phishing
• Don’t open files, click on links, or download programs sent by strangers.
• Don’t electronically transmit personal information.
• Learn your company’s policy for reporting suspicious messages and emails.
• Report suspicious messages.

Malware / scams
• Don’t click on shortened URLs.
• Install and automatically update security software.
• Use a pop-up blocker; don’t click on popups.
• Use at least a medium browser security setting.

Oversharing
• Don’t overshare on social networking sites.
Security Plan
• Coordination and communication between departments – IT, HR, Legal, business units, and outside counsel (privilege!)
• Enterprise-wide physical, technical and administrative controls
• Develop a compliance work plan
  – Policies, codes of conduct
  – Training
  – Incident response plan
  – Review and update regularly
  – Review with outside counsel
• Monitor compliance
Additional References
General
• https://staysafeonline.org/stay-safe-online/protect-your-personal-information/social-networks
• http://lancasteronline.com/features/how-it-s-done-internet-quizzes-may-collect-more-than/article_c58e438a-9b2b-11e3-8304-001a4bcf6878.html
• http://www.cnet.com/how-to/how-to-enable-two-factor-authentication-on-popular-sites/
Social Media Account Identity Theft
• http://www.idtheftcenter.org/Fact-Sheets/fs-138.html
• http://www.utica.edu/academic/institutes/cimip/idcrimes/schemes.cfm
Social Network Site Security
• https://help.linkedin.com/app/answers/detail/a_id/267/~/account-security-and-privacy---best-practices
• https://www.facebook.com/help/379220725465972
• https://support.twitter.com/articles/76036
• https://security.google.com/settings/security/secureaccount (security checkup)
Kate Morris, Esq., CIPP/US
Privacy, Internet & Technology Law
901 Main Street, Suite 6000, Dallas, TX 75202
[email protected]
Tel: 214.651.2043
https://www.linkedin.com/in/kathrynemmorris/
http://www.strasburger.com/blogs/intellectual-property-law/