An increasing number of companies are treating their social media presence, and that of their executives, as assets that need to be protected by the IT security team.
In other words, social media security is a growing trend.
In the wrong hands or when spoofed, your social media tools can do significant damage before you even know what’s going on.
“CISOs are being challenged to think differently because they’ve been focused on technical risk in and of itself for so long. And now with this move to external social and digital platforms to drive major components of the business, they need to shift their thinking to also protect value, rather than just risk mitigation.”
That’s from Evan Blair, Co-Founder and Chief Business Officer of ZeroFOX, a cybersecurity company that has a fuzzy fox mascot and a clear mission: to protect your organization from cybercrime that involves social media.
I grabbed a few minutes of one-on-one time with Blair at RSAC 2018, and he made a case for his company’s strategy. See what you think:
[SecureWorld] The idea that social media and cybersecurity go together is gaining traction. Why?
[Blair] “I think it has to do with the growth of social media as a business platform. Social media has become a primary business application for so many businesses. I would argue it has become 'the' modern business platform. And it’s not a risk from the inside out, it’s a risk from the outside in.”
[SecureWorld] What do you mean by "risk from the outside in"?
[Blair] “Here’s an example. I’ve talked to a few people here (at RSA) who say 'we’ve blocked social media,' which is a fading trend by the way, and my response is to ask a few questions. That’s interesting, does your marketing team use it? Well, yes. Okay, does your recruiting team, your HR team, are they using it? Well, yes, they do. Does your CEO have a LinkedIn presence? Well, yes. You’ve got an outside risk coming inbound, and the traditional security model of building a perimeter does not work in this case.”
[SecureWorld] So are you saying traditional cybersecurity is out the window altogether to secure social media?
[Blair] “You can leverage, which we do, the principle of security and analysis, the principle of triage and looking for TTPs, as well as identifying intent and all these things we’ve learned in mainstream security. However, you have to apply it differently. You have to sit out here and look backwards rather than sit in here and look outwards.”
And that’s exactly what ZeroFOX does. Blair shared stories about ZeroFOX discovering major CEOs being impersonated on social media, about attackers using social media for the equivalent of business email compromise and phishing, and about fake customer service accounts posing a significant threat to brands.
“With three of four companies offering some sort of customer service over social media platforms, that’s a significant risk,” he says.
Imagine a fake customer service rep acting like your brand, saying something racist, sexist, or politically charged, and before you know it, the comments go viral on social media and your organization’s reputation is damaged.
Or what about an imposter account selling your company’s trademarked goods or distributing malware using your good name?
To handle this, ZeroFOX has rapid response capabilities. It finds these malicious accounts and works directly with social media channels like Facebook, LinkedIn, Twitter, and others to get the accounts removed.
Lastly, I asked Blair (after he jumped down from the fox's arms) the same question I ask almost every cybersecurity company.
[SecureWorld] How did you come up with your name? And tell us about your mascot, too.
[Blair] "We started off as a company with a bad name. It was mispronounced all the time, including one time on national television. And we said, that’s it, get the troops together! Get pizza and beer, we need to sit down and war room this. And we sat there thinking of names. We wanted something easy to remember, and something with a mascot. We started with birds and ravens, those didn’t seem right. Then we settled on zero because we felt it was cool and a strong word and we decided to match it up with something else. When we came up with ZeroFOX, we typed it into GoDaddy and said, ‘Wait, that’s actually available?!?’ And so we took it. This was months before the hit song ‘what does the fox say?’ So in the end, it was a name of no real consequence that had to meet certain criteria, and ZeroFOX did just that."
So, in closing, it's important to ask one final question: What does the fox really say?
The fuzzy one at a cybersecurity conference says “Secure your social media because it is an asset.…”
Well, that’s actually just a guess.
Because we all know that foxes don’t talk.