Here’s a true story I like to tell to explain how wide the social media “generation gap” is. And, no, I’m not making this up:
Two Australian girls, ages 10 and 12, got stuck in a storm drain. To get help, they whipped out their smartphones and posted Facebook status updates to say they were lost in a local drain, and someone needed to call 000 (Australian 911).
Now, if you read that summary and concluded, “OK. So what? That’s what I’d do in the same situation,” consider yourself as part of a generation in which social media remains fully immersed within practically every facet of your life.
If you’re like me and say, “Wait…What?! They had phones in their hands and they posted Facebook updates asking someone to call the rescue brigade?!,” then you’re clearly a degree or two removed from this typically younger demographic.
Ironically, however, it’s members of the older generation – the ones who would call 911 instead of asking Facebook friends to do it for them who are often the biggest targets for socially-engineered attacks. That’s because higher-level executives with more access to valuable data tend to fall into this category. This, in turn, makes them more vulnerable. They may be connected to social media (or not, see here for an interesting case of what can happen then), but they’re often not as sophisticated in using it as younger employees are.
Think about it: For many in their 20s, social media is like running water or electricity. There is simply no conception of technology as distinct from daily existence, nor a comprehension of living, working, playing or socializing without it. For older users, technology is a topic, a tool, a discipline. They didn’t grow up with all of “this stuff.” Some are happy to use it, but don’t see it as integral to every aspect of their personal or profeesional lives.
This generational gap – where the least social-media savvy employees are most likely to be the prey in a highly targeted attack – presents a significant risk to corporate and government organizations. One need only read the details of the penetrations of Google, Conoco or RSA to see how public information and social media have become the tools of choice for achieving significant penetration and data exfiltration.
To make these well known cases more “real”, let me actually step through this hypothetical but otherwise very realistic scenario: Let’s say I’m a data thief and I know that executive Joe Smith works for a high-profile IT contractor that serves key DoD agencies. (The company here could just as well be a law firm, an accounting company or a widget maker.) I also know from an easy online search that he’s a big booster for his old college’s football team. So guess how easy it would be for me to come up with a completely believable email to send to Joe about the team, in anticipation that he’ll click my infected Web link to get more information?
The answer: incredibly easy, and that one click is often all I need to compromise the network of the company that employs Joe. (If you’re not sure why that’s true, see our White Paper here on A/V Detection Lag Times).
To mitigate these risks, organizations must come up with standard-operating procedures that allow the senior executives to anticipate, identify and avoid socially-engineered attacks. And all users on the enterprise should take a long, careful look at the extent of information they publish on sites such as Facebook, Twitter and LinkedIn. They need to “think like a data thief,” examining what’s posted “out there” relating to their job duties, associated customers/vendors/partners, building location, e-mail, phone and other details to get a sense of how vulnerable they could be and what information about themselves a hand-crafted attack would likely contain or leverage.
Consider educating your workforce – especially the senior members – about these scenarios as a “Safe Social Media Usage 101” ongoing seminar of sorts. It’s one that would provide great, lasting value, regardless of where your users fall within the generational divide.
Eric Olson, Vice President/ Solutions Assurance, Cyveillance
Question to consider: How up-to-date are your users – especially senior executives on socially-engineered attack methods?