Keeping your company image safe on social media

Brand protection firm Cyveillance has seen an explosion of brand abuse on social media. What can you do to stop it?

The umbrella of security responsibilities now includes brand protection at many companies (see Brand protection: The expanding CSO portfolio for an in-depth look), and it seems like a constantly moving target. When the internet took off, organizations had to contend with scammers registering web site domains using company names for fraudulent purposes. Now similar activity is happening on the hottest forum for brand abuse: social networks.

Terry Gudaitis, Director Cyber Intelligence for brand protection services firm Cyveillance, lays out some common fraud scenarios and gives advice on how to protect your organization's good name.

CSOonline: Cybersquatting, or fraudulently registering a web site using an organization's name, has been a big concern in brand abuse in recent years. Is this still the case?

Terry Gudaitis, Cyveillance: Where we have seen the increase in abuse is in social media sites. That includes, depending on how you define social media, the big ones like Facebook, LinkedIn, Twitter, MySpace, and that variety. But some even include the blogosphere in there where people can comment on other articles. Unlike a domain name where you have to go and register a name, you can jump on one of these social networks and as long as you have an email that appears to be legitimate, you can register basically any name.

What kinds of brand abuse occur on social networks?

We are seeing a trend where on Facebook and Twitter, people are registering the names of a company, as well as the executives, like the CEO or director of marketing. It's sort of like domain-name squatting but you are squatting on a social media site with a person's identity. And a number of things can occur for both brand abuse but also for security reasons. And we pay particular attention to that.


Why the increase? Is it simply the huge growth in social networking? Or is there more to it?

I believe it's the prevalence of it but also the ease of access. And I mean that in two ways. Everyone has access at home now to a computer or smartphone, so it's easy for anyone to sign up for these services.

I also think it is proliferating because in traditional network protection models you lock down your firewalls and you get egress protection where people from your corporate network are not allowed to go out to these sites, but people don't need to operate through the corporate network anymore. I can walk outdoors with my smartphone and bypass the corporate network altogether.

And there are a lot of different people to consider now. You have rogue individuals who want to do the company harm, but also people in your company who maybe just because they love their company want to have the company associated with their Twitter page or Facebook page. There is also the authorized member of the team who is allowed to go out and message out to the public. So you have a lot of different entities now playing in a space that was typically designated for the authorized user. And even for authorized users, if the company doesn't have policies on how to use these social media sites, in terms of how to use these sites, how to be consistent on setting them up so the public knows this is the legitimate site for the corporation, it can create problems.

What do you recommend to clients in terms of protecting their brand on social media?

First we have several different types of training we do, and it includes executive level--C-level--training. (See also: Why executives are the easiest social engineering targets) Training on what risks and vulnerabilities a company and executive face on social media. Because of issues like whale phishing, spear phishing, a lot of high profile executives are being targeted specifically and very directly. So we are training to familiarize them with these new issues that go along with social media and how it impacts them.

What they have to realize is it's not just their company blogging or tweeting, but also their family. That means their spouse or their children are maybe divulging information innocently that could have real security or brand impact on that company or executive.

After training, we look at social media policy for an organization. Do they have a policy? Is it up to date? We'll do a review and recommendation for what that organization needs to be able to enforce that policy. And in order to enforce the policy, Cyveillance provides monitoring along the lines of what the companies have put forth to make sure the employees are following policy and we report violations.


We also assist companies with locking down their social media sites. Even if they don't use Twitter, don't want to use Twitter because that's not part of their business model, we still do domain name registration. We want to go and register their legitimate names across social media sites so the public can realize this is actually a legit site and not some individual masquerading as the company.

Can you give us some sample scenarios of brand abuse you've seen on social media?

We've seen a range of fraudulent behavior. One tactic is to set up a LinkedIn and Facebook account in someone's name. They reach out saying "I'm Joe Smith, CEO of such and such company." They reach out to people who may be in that individual's network. What they are doing is collecting the network of an executive. That is valuable both for scam and fraud, but also for sales reasons, for marketing reasons. To collect a social network like this is valuable data to have.

We've also seen people masquerade as companies or individuals on social media sites and put out false messaging that is interpreted by the public as being real. That can affect stock prices and it can impact what shareholders think of a company thus impacting investment and the bottom line. It's an effective way for competitors to plant rumors.

We've also seen activists utilize and take advantage of brand names to start campaigns against companies. They use the company name against them in a way that violates trademark rules.

And in some cases it may be purely mischief or a disgruntled employee who wants to paint a company in an unfavorable way.

Even in authorized users, they could message about the company or tweet back to companies in a way that violates company policy.

What are some best practices a company can adopt to ensure brand protection on social media?

Some of the best practices have to do with what industry are they in. What are they most trying to protect? What are their crown jewels and what wouldn't they want people discussing and registering for and the like? The first part is determining what is most important to you in your organization.

But I would say the first best practice is having a social media policy; one for unauthorized, and one for authorized users. While a lot of companies have a standard policy across the board, I do believe those professional individuals engaging with the public on social media should be guided by a company policy.
