Digital startup EatSleepRide was preparing for a major tradeshow in Milan when CEO Marina Mann received a notification that stopped her cold: Someone had changed the login information for the brand’s Twitter account.
A hacker had taken control of the account, changed the email and contact information, and started changing the company’s profile. The hacked account began sending threatening messages to another of the brand’s Twitter accounts, Mann told the Financial Post.
It soon became clear what the hackers were after: A $9,500 ransom in exchange for control of the account.
EatSleepRide’s experience is not an isolated one — instances of social media hacking have risen dramatically over the past few years, said Ray Kruck, co-founder and chief revenue officer for Nexgate, a social media brand protection firm in San Francisco, Calif.
“Social media hacking is up over 340 per cent since 2011, and we don’t see that rate decreasing in 2014,” he said.
Hackers are initiating a broad spectrum of attacks on companies and brands of all sizes — and while motivations for the attacks vary, it usually comes down to one thing, said Mark Nunnikhoven, vice-president of cloud and emerging technologies at Trend Micro in Ottawa.
“Usually, it comes down to financial gain. Over the last two or three years, cyber crime has shifted to be a big business, so this is
organized criminals who are in it for profit. It’s taking little to no effort to take over someone’s Twitter account, for example, and extract $2,000 in ransom. That’s profit for them and that’s something they’re going to go after. So the primary motivator is profit.”
Other motivations often include reputational damage to the brand and capturing sensitive information, said Kruck.
“The primary drivers to date for hackers have been to damage a brand’s reputation and demonstrate their ability to operate freely in social media,” he said.
“However, for brands that are in financial services, retail, entertainment and B2C markets, the stakes are much higher. For higher-value targets like these, (the) risks include leakage of sensitive corporate data as well as private customer data, like credit card or account information.”
And it’s not just big or well-known brands hackers are after — small to medium-sized businesses can also be attractive targets, said Nunnikhoven.
“What it comes down to is the dynamics of small business marketing,” he said.
“For small and medium businesses, they’re on a tighter budget and social media and online media in general tends to provide a much bigger bang for their buck... So (it’s) attractive for attackers to go after it because those accounts that they’re going after mean more to the people who own them.”
Also, attacks can happen on a broad scale — it takes very little effort for hackers to attack many different brands at once, said Nunnikhoven.
“If somebody’s going to rob a store... that takes a lot of effort and it takes a lot of risk. If someone’s going to rob a second store, they increase their chance of getting caught, they increase their risk,” he said.
“In the digital world, that’s not true. So once an attacker’s developed a way of attacking one account or one site, they can run that against hundreds of thousands of others with little to no incremental cost or risk to them.”
When it comes to social media hackers, some of the risks can be expressed as a dollar amount — ransoms, stolen credit card information. But there are other risks that are not quite as tangible, but just as real.
“The first and most prominent risk is damage to a brand’s reputation,” said Kruck.
“When a community cannot trust that their conversations or content are being curated responsibly or that they are exposed to harmful content like malware, pornography or hate speech, it creates a negative social climate around the brand.”
And while hacking can have a very negative impact on a company’s overall brand and marketing, it can also be detrimental to an employer brand and employee communications, said Stacy Parker, managing director of Blu Ivy Group in Toronto.
When an organization becomes the target of a negative social media attack — whether by a hacker, a disgruntled employee or even just Internet “trolls” — multiple issues start to arise, she said.
“One is employee engagement. When there starts to be a lot of social media negative press, immediately employee engagement drops. Their confidence in their own employer immediately will drop. Once you have a decline in employee engagement, you have a decline in your productivity… And, at the same time, the (social media) attention will impact customer trust.
“It takes a long time to rebuild that trust.”
That’s why it’s so important to regularly monitor social media accounts, said Parker, so any issues can be caught and addressed immediately.
“There needs to be at least one person that regularly, on a daily basis, even hourly basis, engages with the social media channels that you select,” she said.
That’s especially important because when there is a hacking incident or other attack, the response time from Facebook and Twitter can really vary, said Nunnikhoven.
“It’s a challenge for them so it depends on a case-by-case basis. All of the major social media sites take these issues seriously, and they tend to address it quickly. The problem is, what can they do about it and what should they do about it?” he said.
“In the event of an attacker, and the EatSleepRide (hacking) is a good example, the first thing the attacker did was change all the contact information to their own. So how do you as a service provider differentiate between… the attacker who has an illegitimate claim and the original account owner who has a legitimate one? There’s no way for them to easily say, ‘This is legitimate.’ Maybe it’s a beef between two business owners — maybe it’s not an attack.”
One of the simplest ways to deter hackers is to set up two-step verification on your accounts, said Nunnikhoven — that way, even if the password is stolen or compromised, there is an additional layer of security.
Of course, you also want to create strong passwords that are hard to guess, he said — and be cautious of who they are shared with, said Kruck.
“One key area where companies have a blind spot is admin access by their digital marketing agencies or external consultants who use that access regularly to post or moderate content,” he said.
“With such a high degree of staff turnover both inside the marketing team and at external agencies, the risk of access breaches here is really high.”
Developing a uniform, consistent policy on who is allowed to speak for the brand on social media, and implementing social media training for staff is also important, said Kruck.
“(And) institute a security and compliance platform that provides visibility and control for security and governance that pulls together all the key stakeholders that touch digital marketing strategy — HR, legal, IT and executives.”
Also, consistently monitor the output on your accounts so you can react quickly if something does happen, said Nunnikhoven.
It’s important to be proactive because even though hacking is not often officially reported, instances really are on the rise, he said.
“There’s a big disconnect between how many times it’s reported and how many times it actually happens,” he said. “But… we are seeing these types of attacks on the rise.
“The economics are in the favour of the attacker. It takes them little effort to attack 100 businesses, and that attack and that takeover of that social media presence could be devastating to a small business if it’s driving a large amount of their revenue.”
© Copyright Canadian HR Reporter, HAB Press. All rights reserved.