Lohrmann on GovSpace

About this Blog:

Musings of a state government CSO.

Dan Lohrmann

Social Networking Security Risks

A string of articles has just been released regarding what most CSOs and security professionals have known for over a year: namely, that visiting social networking sites increases organizational security risks, sometimes dramatically. Another aspect of the insider threat is growing fast.

Government Technology Magazine just ran a story entitled: Visiting Web 2.0 Sites Increases Organizations' Security Risks. Here’s a description of the problem from their article:


"Social networking sites such as Facebook, YouTube, Craigslist and Wikipedia, as well as Web services such as eBay and Gmail, enable self-publishing and high interaction between users through blogs, RSS feeds, podcasts and other technologies. These sites attract huge numbers of visitors, making them extremely attractive to hackers.

Moreover, the same technologies that invite user participation also make them easier to corrupt with malware such as worms that can shut down corporate networks, or spyware and keystroke loggers that can steal company data. Further, with the ability to post photos, video and audio recordings to sites, employees can inadvertently "leak" confidential company information."


The BBC just did an extended article on these cyber dangers entitled: Cyber thieves target social sites


 Their take: "It is remarkable that people use social networking websites to publish details about their lives, loves, jobs and hobbies to the entire world that they would not dream of sharing with a stranger in a bar," he said.   


 And yet, the BBC ends their article with mixed advice.


There were a lot of benefits to using social networking sites, said Mr King and the downsides should not put people off using them. "It's about trying to manage risk rather than avoid risk," he said.

The arguments go from one extreme to the other. Many “Smart Managers” tell us to learn to live in this new world, since Generations Y and Z will demand this type of access at work. Check out this article: Working with Generation Y and Z

"While Generations Y and Z will prove a challenge to manage in the workplace it’s important to focus on what they have to offer any business. As businesses evolve to reflect the needs of the people and their consumers, it will be these employees who are plugged in to the social climate around us. Yes, changes to the status quo will be necessary but with the right work environment these brilliant minds will flourish and take your business with them."

On the other hand, many security sites tell us to “Just Say No” to social networking sites:


The vast majority of online polls call for banning or limiting social networking unless it is being used for a specific business need. See: The Daily Poll: Should Employers Block Social Networking Sites?


In November 2007, Dark Reading reported that half of companies block social networking sites.






Barracuda Networks' poll gauged the top two reasons businesses had for enforcing employee Web surfing restrictions overall: virus or spyware prevention (70 percent) and employee productivity drain (52 percent). Companies cite bandwidth concerns (36 percent) and liability issues (28 percent) as further justification for restricting employee Internet access.


"Businesses are increasingly applying content-control mechanisms to protect their networks and maintain maximum organization productivity," said Dean Drako, president and CEO of Barracuda Networks. "With the changing face of the Internet, companies need the flexibility to continuously monitor and customize Internet policy enforcement while providing their employees optimum use of the Web."




So that's the current problem. But what’s much harder to address are the potential solutions. More on that topic later in 2008.


 

