Think Before You Click

Scottish Business Resilience Centre Press releases

The Scottish Business Resilience Centre is warning businesses in Scotland to be cautious when using social media due to a rise in online scammers.

Businesses in Scotland have been warned about the dangers of having their IT systems hacked from staff making ‘friends’ through popular social networking websites.

The Scottish Business Resilience Centre (SBRC) has revealed that increasing numbers of businesses and individuals are being targeted by scammers who trawl social networking sites to steal personal information which gives them a doorway to raid a company’s personal files, sensitive data and even its finances.

Research undertaken by PWC found that 87% of small businesses experienced an IT security breach in the previous 12 months – with 63% of those attacks by ‘unauthorised outsiders’ including hackers.

And it has been revealed for the first time that one Edinburgh financial services organisation in particular was left shocked when it employed an ethical hacker to test the security of its IT systems.  Using – among other tools – spoof LinkedIn and Facebook accounts, the hacker was able to identify and gain the trust of employees and ultimately obtain access to the firm’s network, critical systems and sensitive corporate and client data.

The company now uses the experience as part of its ongoing security training and has noticed progressive improvements in staff awareness and diligence towards cyber crime.

Awareness Online

The PWC research, conducted for the Department of Business Innovation and Skills, found that 57% of small businesses suffered staff-related security breaches. So with around half of Scottish internet users using social media – and openly revealing where and who they work with – the need for employees to think before they connect with strangers online has never been more important.

SBRC Director Mandy Haeburn-Little said: “Social media offers many benefits which businesses in Scotland need to seize upon, such as providing a dynamic, accessible link to customers and creating a community for feedback and consultation on products and services.

“However, e-criminals are all too aware of people’s trusting nature and are now commonly using social media to source private information – through legitimate means.

“As young children, we are routinely told not to speak to strangers. Online, as adults, that same rule and level of caution does not apply. Most of us surf the web on a wave of naivety, connecting with virtual – and literal – strangers.

“There’s a misconception that cyber criminals use smart, developed technology to steal personal information, but a large amount of their current tricks of the trade involve using social media in the same way as billions of other regular users. They establish fake profiles on social media platforms and dupe unsuspecting users who have willingly accepted a new friend or business connection.

“With one misguided click of a button, you can allow a scammer access to your private network of friends, colleagues and confidential information without them ever needing to contact or speak to you.

“From there it is all too easy for the cyber criminal to secure the information they need to hack into a company’s IT system, leaving its sensitive and financial data at risk of capture or to infect the system with highly damaging viruses and malware.

“As well as invading and stealing private information, these breaches can also be costly. In the worst cases, they cost small businesses an average of between £35-£65,000.”

Social Media means business

Gary Fairley, SBRC’s Cyber and Digital Lead, added that the current drive by many businesses to develop social media campaigns, such as increasing likes and connections on social media platforms, is adding to the problem.

He said: “Many of them happily rack up an audience without considering that malicious hackers and scammers are amongst genuine customers.

“With almost half of small Scottish businesses having no formal information security policy, it’s important for employees to take measures to establish good social media practices without exposing the business to risk.”

“Facebook and LinkedIn give the option of stating everything from birth date to schooling and current place of employment. It’s important for people to remember that it’s not essential to fill out all of this information; especially if they are connecting with people they don’t personally know or trust. Privacy settings on Facebook and LinkedIn can also be set to control who sees your posts and your information.

“If you are opting to tag employees in posts and photographs, ensure their own personal accounts have strict privacy settings in place.

“But at all times aim to restrict personal details on a social page that could compromise your business’ and staff members’ safety.

“Your personal information should be safeguarded and treated as confidential at all times.”

Top Tips:

Treat your social media pages and feeds as you would any other IT system

Make sure only authorised staff can post on your business’ behalf. Ensure that passwords are managed properly, i.e. kept private and changed regularly.

Make sure your staff know

Consider a policy on the use of social media.  Make sure employees are clear on their responsibilities when using social media – even privately – especially concerning the reputation of your business and its information.

Remember the law

Businesses and organisations using social media may have responsibilities under the Data Protection Act.  Public bodies using social media may also have obligations under Freedom of Information legislation.

Don’t be Afraid!

Social media is a valuable tool to help businesses engage with customers.  Listen to their ideas, address their needs and do be sociable.