The umbrella of security responsibilities now includes brand protection at many companies (See Brand protection: The expanding CSO portfolio for an in-depth look) and it seems like a constantly moving target. When the internet took off, organizations had to contend with scammers registering web site domains using company names for fraudulent purposes. Now similar activity is happening on the hottest forum for brand abuse—social networks.
Terry Gudaitis, Director of Cyber Intelligence for brand protection services firm Cyveillance, lays out some common fraud scenarios and gives advice on how to protect your organization's brand.
CSOonline: Cybersquatting, or fraudulently registering a web site using an organization's name, has been a big concern in brand abuse in recent years. Is this still the case?
Terry Gudaitis, Cyveillance: Where we have seen the increase in abuse is in social media sites. That includes, depending on how you define social media, the big ones like Facebook, LinkedIn, Twitter, MySpace, and that variety. But some even include the blogosphere in there where people can comment on other articles. Unlike a domain name where you have to go and register a name, you can jump on one of these social networks and as long as you have an email that appears to be legitimate, you can register basically any name.
What kinds of brand abuse occur on social networks?
We are seeing a trend where on Facebook and Twitter, people are registering the names of a company, as well as the executives, like the CEO or director of marketing. It's sort of like domain-name squatting but you are squatting on a social media site with a person's identity. And a number of things can occur, both for brand abuse and for security reasons. And we pay particular attention to that.
Why the increase? Is it simply the huge growth in social networking? Or is there more to it?
I believe it's the prevalence of it but also the ease of access. And I mean that in two ways. Everyone has access at home now to a computer or smartphone, so it's easy for anyone to sign up for these services.
I also think it is proliferating because in traditional network protection models you lock down your firewalls and you get egress protection where people from your corporate network are not allowed to go out to these sites, but people don't need to operate through the corporate network anymore. I can walk outdoors with my smartphone and bypass the corporate network altogether.
And there are a lot of different people to consider now. You have rogue individuals who want to do the company harm, but also people in your company who maybe just because they love their company want to have the company associated with their Twitter page or Facebook page. There is also the authorized member of the team who is allowed to go out and message out to the public. So you have a lot of different entities now playing in a space that was typically designated for the authorized user. And even for authorized users, if the company doesn't have policies on how to use these social media sites, in terms of how to use these sites and how to be consistent on setting them up so the public knows this is the legitimate site for the corporation, it can create problems.
What do you recommend to clients in terms of protecting their brand on social media?
First we have several different types of training we do, and it includes executive level—C-level—training on what risks and vulnerabilities a company and executive face on social media. (See also: Why executives are the easiest social engineering targets) Because of issues like whale phishing, spear phishing, a lot of high profile executives are being targeted specifically and very directly. So we are training to familiarize them with these new issues that go along with social media and how it impacts them.
What they have to realize is it's not just their company blogging or tweeting, but also their family. That means their spouse or their children are maybe divulging information innocently that could have real security or brand impact on that company or executive.
After training, we look at social media policy for an organization. Do they have a policy? Is it up to date? We'll do a review and recommendation for what that organization needs to be able to enforce that policy. And in order to enforce the policy, Cyveillance provides monitoring along the lines of what the companies have put forth to make sure the employees are following policy and we report violations.
We also assist companies with locking down their social media sites. Even if they don't use Twitter, don't want to use Twitter because that's not part of their business model, we still do domain name registration. We want to go and register their legitimate names across social media sites so the public can realize this is actually a legit site and not some individual masquerading as the company.
Can you give us some sample scenarios of brand abuse you've seen on social media?
We've seen a range of fraudulent behavior. One tactic is to set up a LinkedIn and Facebook account in someone's name. They reach out saying 'I'm Joe Smith, CEO of such and such company.' They reach out to people who may be in that individual's network. What they are doing is collecting the network of an executive. That is valuable both for scam and fraud, but also for sales reasons, for marketing reasons. To collect a social network like this is valuable data to have.
We've also seen people masquerade as companies or individuals on social media sites and put out false messaging that is interpreted by the public as being real. That can affect stock prices and it can impact what shareholders think of a company thus impacting investment and the bottom line. It's an effective way for competitors to plant rumors.
We've also seen activists utilize and take advantage of brand names to start campaigns against companies. They use the company name against them in a way that violates trademark rules.
And in some cases it may be purely mischief or a disgruntled employee who wants to paint a company in an unfavorable way.
Even authorized users could message about the company or tweet back to companies in a way that violates company policy.
What are some best practices a company can adopt to ensure brand protection on social media?
Some of the best practices have to do with what industry they are in. What are they most trying to protect? What are their crown jewels and what wouldn't they want people discussing and registering for and the like? The first part is determining what is most important to you in your organization.
But I would say the first best practice is having a social media policy; one for unauthorized, and one for authorized users. While a lot of companies have a standard policy across the board, I do believe those professional individuals engaging with the public on social media should be guided by a company policy.