Are You Ready To Defend Your Club and Yourself? Cyber Threats to Clubs Are Real - Part 3

In our first two installments of this four-part series on emerging security threats, we examined how the evolving hacker model could affect the cyber security of club organizations. In the third and fourth installments, we take a closer look at how cybercriminals are targeting new technologies like social media, and outline specific technical solutions for combating these growing threats.
 
The reputational risks of social media
 
Emerging technologies - social media, mobile devices, cloud solutions - are high on the cybercriminal’s list of targets because that’s where the most severe vulnerabilities have been and continue to be discovered. Consequently, they are the new frontier for all types of cybercriminals, hacktivists included. Rather than dive into an analysis of all the new technologies, we will focus on the technology that has become a business-critical platform for clubs: social media.
 
For entities that are reliant upon donations from the public for their survival, platforms such as Facebook, Google+ and LinkedIn are indispensable. However, they also present significant risk for the unwary. The most immediate threat from social media is the reputational damage that may result from uncontrolled messaging coming from the organization. There have been a series of high-profile gaffes over the last few years in which social media communications, whether official or unofficial, coming from an entity have resulted in significant public backlash. While the reputational damage is bad enough for a normal organization, for clubs that often rely on protecting the privacy of their members for survival, the results can be devastating.
 
There are few, if any, technical controls that will effectively reduce the reputational risks inherent in social media. The solutions to this problem are largely an exercise in proper governance and processes. Employees must be trained to understand what they are allowed to say on behalf of the organization or even within their personal networks if they are openly affiliating with the organization.
 
Assessing social media risks
 
To determine the adequacy of your current social media policy, ask yourself these questions:

  • Does your club have a social media policy?
  • Does it explain the risks of social media?
  • Does it define acceptable social media outlets?
  • Does it define what types of comments or information are not allowed to be posted on personal sites if the person links their personal site to the club’s official site?
  • Does it discuss information that is never allowed to be discussed or posted on social media?
  • Does it identify the key person responsible for maintaining and managing your club's presence on social media outlets?
  • Does it identify the key person responsible for monitoring your club’s social media presence?
  • Does it address any regulatory compliance requirements?
  • Does it identify who is responsible for employee training?
  • Is training conducted regularly and repeatedly?

An additional reputational issue facing clubs is that members are prime targets for attackers pretending to act on behalf of the organization. Where better to obtain the personal information of many wealthy Americans than the IT networks of clubs across the country?
 
Technical risks of social media
 
With regard to more technical risks, cybercriminals are increasingly leveraging social networks to attack users. The reasons are simple. First, by its very nature, social media is more difficult to monitor and control. E-mail infrastructure is normally controlled directly by the company that owns it, while social media infrastructure falls largely outside that company's control. Second, because of the inherent friendliness and trust relationships that characterize social media, users are more likely to fall for scams and frauds that appear to come from trusted contacts. Malicious attachments, links to dangerous websites and other tricks that would normally be screened out by corporate spam filters can be delivered directly to users via messaging and file transfer functionality built into social media platforms.
 
Attacks delivered through these methods have a higher rate of success because they occur inside the castle, meaning they have already passed through basic defenses such as firewalls, and are executing on the user's system, with local anti-virus software as the last and only line of defense. Since attackers have the ability to rapidly alter their malware so that it is not recognized by anti-virus software, this is a tenuous defense at best.
 
Additionally, social media makes it easier for attackers to find and target individuals in positions of privilege. It allows attackers to perform extensive research on potential victims and to launch their assaults against the users who, if the attacks are successful, will provide the greatest level of access to their environment.
 
Come back next week for Part Four, where we’ll continue to discuss how cybercriminals could be targeting your club via social media.

For more information on security standards and practices for your organization, please contact Daimon E. Geopfert, national leader, Security and Privacy Consulting, Technology Risk Advisory Services, McGladrey LLP, at 312.634.4523.