What Social Enterprises Should Know About Cyber Security

Anne Field
Contributor

2014 was, of course, quite the year for revelations about cyber attacks and data breaches at major companies like Sony, JP Morgan Chase, Home Depot, and a host of others. But there also have been a lot of incidents at NGOs and government agencies, according to Alexander Heid, chief research officer of SecurityScorecard, a New York-based firm that analyzes clients’ security vulnerabilities.

And that’s something social enterprises need to pay special attention to, he says.

The reason, according to Heid, is the weakest-link approach used by many cyber criminals. Hackers look for the easiest route to infiltrate a bigger, more secure company or organization, and that often is going through a smaller supplier or other enterprise doing business with it. A massive Target breach (it happened in 2013, but we kept hearing about it in 2014) occurred because the perps were able to hack into an Internet-connected heating, ventilation and air conditioning system from a third-party vendor. It’s not unusual for such smaller enterprises to have access to the systems of their big clients for administrative and support purposes, making them prime entry points for hackers who want to infiltrate the larger organizations.

Where do social enterprises come in? Social ventures working with NGOs and government agencies, according to Heid, seem like perfect targets for hackers looking for an entry point. “Social enterprises might not be the targets, but they might have high profile associates who are,” says Heid. “Quite simply, they can be used to get into these other organizations.”

What to do? Protective steps aren’t particularly different from what any other company should do, according to SecurityScorecard CEO Alexandr Yampolskiy. They range from never using default passwords to immediately adding patches to systems as soon as they become available. Companies also have to educate employees about up-to-date security awareness steps. That means the usual suspects, like not opening up an attachment from someone you don’t know, as well as issues that have arisen in the social-media age. People who receive a message on Facebook or other social media networks are more likely to click on a link in a message than in an email, according to Yampolskiy. “People click on social networks because there’s an element of trust,” he says.
