Cyber attackers looking for social media clues about their corporate targets have plenty of help.
Job hunters litter the Internet with their skills and abilities, while current employees looking for Mr. or Mrs. Right start online dating profiles or are lax about screening pending connections in apps like LinkedIn and Facebook.
Knowing that attackers are looking for this type of social information to target and inform their attacks on your company, the risks of digital disclosure kind of make you want to be antisocial, right?
Fighting the simple human need to connect with others is a battle any organization will lose. Instead, cyber defenders need to cope intelligently and cost-effectively with the risk of skilled social engineering.
1. Is the threat bigger than a breadbox?
Any effective and efficient cyber defense has to begin with this basic question: How great is the threat I face? Defenders must gauge what information they need to protect and respond appropriately.
Some enterprises’ information may be too valuable to take almost any social risks. Naturally, securing data at a local McDonald’s franchise requires a different approach than securing the NSA — but what, specifically? What percentage of transactions are credit cards? How would a breach be insured? If you lost 10 percent of your business following an exposure, what would be the economic impact? Answering questions such as these will tell you how best to approach your cyber defense and how comfortable you can be with employees’ use of social media.
2. The best things in life are free.
Using the right tradecraft, or the thoughtful and skilled analysis of seasoned human network defenders, can advance an organization’s security at little to no cost. Identify your existing resources and tune them to disrupt the threats your enterprise actually faces. With that understanding, you can add further defenses for greater resiliency.
This is far more valuable than integrating a popular but costly tool into existing processes. Take spear phishing, the most common way attackers attempt to use social information, for example. Tagging external emails as “EXTERNAL” in the message header before they land in your employees’ inboxes gives employees a chance to act appropriately and serves as a flag that they should assess whether the email should be trusted.
The cost? Trivial.
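The external-mail tag described above, as an added example that is not part of the original article: a small Python hook that parses an inbound message, decides from the address in the From header (never the display name, which a forger controls freely) whether it came from outside the organization, and prefixes the Subject with “[EXTERNAL]”. INTERNAL_DOMAINS and the X-External-Sender header name are constructed placeholders for whatever your mail gateway uses.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed placeholder: the organization's own sending domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
TAG = "[EXTERNAL]"
# Hypothetical marker header that mail-client rules or a SIEM can key on.
MARK_HEADER = "X-External-Sender"


def _parse(raw: bytes):
    return message_from_bytes(raw, policy=policy.default)


def sender_domain(raw: bytes) -> str:
    """Domain of the From *address*, lower-cased; '' if absent or unparseable.
    The display name is ignored: '"ceo@example.com" <x@evil.invalid>' is external."""
    _, addr = parseaddr(_parse(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(raw: bytes) -> bool:
    """True unless the From domain is one of ours. A missing or malformed From
    counts as external: failing open would hide exactly the mail we want flagged."""
    return sender_domain(raw) not in INTERNAL_DOMAINS


def tag_external(raw: bytes) -> bytes:
    """Return the message with TAG prefixed to its Subject and MARK_HEADER set
    when the sender is external; internal mail is returned byte-for-byte."""
    if not is_external(raw):
        return raw
    msg = _parse(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):  # don't stack tags along a reply chain
        del msg["Subject"]           # no error if the header was absent
        msg["Subject"] = f"{TAG} {subject}".rstrip()
    if MARK_HEADER not in msg:
        msg[MARK_HEADER] = "yes"
    return msg.as_bytes()
```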
3. It’s not you... It’s me.
The question is not if you should buy a given cybersecurity technology because others are buying it or because it scores well in analyst reviews. The far more important issue is how the tool fits into your current defenses.
Does it overlap or conflict with existing tools? If it provides additional functionality, is there another tool that provides a similar function for significantly lower cost? It is, after all, all about you. And how are you using what you already have? Are you leveraging the information about attempted and successful breaches? A relatively simple knowledge management tool that stores information about potential threats and can be rapidly searched is the most fundamental step toward embracing intelligence-driven defense.
By examining your current cybersecurity posture and considering the three points above, you can take your enterprise from being vulnerable to possible “social” risks to an intelligence-driven, strong and stable network defense.
Being social, it turns out, does not mean you cannot also be secure.
Greg Boison is the Director of Lockheed Martin’s Homeland & Cybersecurity line of business. This diverse portfolio includes capabilities in systems integration, software development, enterprise IT, credentialing, biometrics, and cybersecurity. Follow Greg on Twitter @gregboison.