IT-Seal Logo Social Engineering Analysis LabsIT-Seal Logo Social Engineering Analysis Labs

Social Media as a risk - and what to do about it

Author: David Kelm, 21 August 2018
Reading time: 3 minutes

Social media poses a real threat for companies. Employees sometimes publish extensive information about themselves, their employers and internal structures. How threatened are you? Should you bring the topic closer to your employees once again? IT-Seal answers these questions with its analysis of attack potential.

Today's phishing emails are becoming more and more sophisticated.
Spear Phishing is a term used to describe attacks that are carried out very purposefully against an organization or even an individual. The attackers usually begin to collect information from publicly available sources in order to obtain a profound image of the target person. According to the jargon of espionage, this step is called OSINT (Open Source Intelligence). The information collected is used to find the most credible pretext for contacting the target person. The aim is to provoke a visit to a website or the opening of a file in order to infect computers, steal sensitive information oder instruct wire transfers.

For you to assess how threatened your company is by information on social media, we have developed our "analysis of attack potential". We analyze how much (critical) information employees disclose on professionally used social media and evaluate the results found anonymously.

In addition, we use the collected data to make our spear phishing simulations even more targeted: "Invitation to the company hiking group", "I remember you worked for this company before - what do you think about this report" or "I would like to buy my first paragliding equipment. Can you give me a hint?"

This enables us to simulate not only mass phishing but also highly targeted spear phishing attacks. The simulation of this range of attack scenarios enables us to obtain a comprehensive picture of your risk situation and to calculate your individual ESI®.

Data protection is - always - a central component that must be taken into account. The fact that we only use publicly available information that has been published and released by the employee themself was considered legitimate by data protection officers. Privately used social media such as Facebook is not part of the IT seal analysis of attack potential. It is also important to us not to present any danger to employees: There is no personal evaluation - all data is stored pseudonymised, reported in aggregated form and protected by multi-level security concepts.

Stay in contact:
Subscribe to our social media channels