Investment banks and other Wall Street firms have embraced LinkedIn as a professional social media site to network with their peers, recruit talent and even set themselves up for their next job.
But think again. According to cybersecurity experts, finance and IT professionals who share every detail of their professional lives in their LinkedIn profiles are opening the door for computer hackers to target individuals in their companies.
“On LinkedIn, I could in five seconds find out 10 email addresses. And I could have a good idea what their user name is and if their passwords are simple, I can take guesses,” commented Steve Schoener, VP of Technology at Eze Castle Integration, a provider of IT services, technology and consulting to hedge funds and investment firms.
The concern is that hackers are using social media to target individuals directly, figuring out their passwords through trial and error and attempting to gain access to applications or corporate systems. “We see social engineering [through] Twitter, Facebook and LinkedIn. They’re looking at telephone and email contact. They’re looking at corporate structure information, who reports to whom, who’s in charge of special projects and acronyms they use and building that knowledge of how we talk at work,” said Dave Ostertag, global investigations manager at Verizon Business.
“Now with the board and senior-level managers and the staff enjoying Facebook, Twitter, it’s a lot easier for the bad guys to data mine information that makes it enticing for a user to be targeted and click on an email,” said Karl Smith, Head of Cyber Security Assurance Services at BT.
Companies need to train their employees to recognize social engineering and to report it to security staff, said Ostertag. Employees also need to report what projects or business units they are being asked about or what specific data. As a precaution, some companies are starting to use honey pots — fictitious identities. “There might be particular titles or business units that someone is looking for information on,” he said. “You create that identity as the contact person,” suggested Ostertag.
Another idea is to simply put less information into the LinkedIn profile. People have a tendency to describe their role in tremendous detail and discuss all of their past jobs, said experts. But experts suggest there is security in obscurity.