Advice on reducing corporate social networking risks

Sophos : 29 April, 2009  (Technical Article)
Sophos examines the risks that social networking poses to businesses and provides advice on how to use the technology as a business tool whilst minimising the risks associated with it.
IT security and control firm Sophos has revealed the results of its latest research into cybercrime's new frontier, social networking. A recent Sophos poll revealed that 63 per cent of system administrators worry that employees share too much personal information via their social networking profiles, putting their corporate infrastructure - and the sensitive data stored on it - at risk. The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

With social networking now part of many computer users' daily routine - from finding out what friends are up to, to viewing photos or simply updating their online status - Sophos experts note that unprecedented amounts of information are updated every minute. Frequent use of social networking sites makes them a prime target for cybercriminals intent on stealing identities, spreading malware or bombarding users with spam.

'The initial productivity concerns that many organisations harboured when Facebook first shot to popularity are giving way to the realisation that there are more deliberate and malicious risks associated with social networking,' said Graham Cluley, senior technology consultant at Sophos. 'As cybercriminals choose to exploit these sites for nefarious purposes, both innocent users and companies are finding themselves in the firing line. But until users wise up to the dangers, and firms begin to take precautionary measures to combat these threats, then the situation will intensify.'

Sophos research confirms that although one third of organisations still consider productivity issues to be the major reason for controlling employee access to social networking sites, the threat from both malware and data leakage is becoming more apparent, with one in five citing these as their top concerns.

Sophos experts note that four of the most popular social networking sites - Facebook, MySpace, LinkedIn and Twitter - have all experienced their fair share of spam and malware attacks during 2009, all designed to compromise PCs or steal sensitive information. From traditional 419 scams that aim to fool users into sending money to foreign destinations under the ruse that a friend is in trouble, to malware disguised as Facebook error messages, cybercriminals are using the same old techniques, but pushing them out via social media.

A typical method of attack is for hackers to compromise accounts by stealing usernames and passwords - often using phishing or spyware - and then use the hijacked profile to send spam or malicious links to the victim's online friends and colleagues. Sophos research reveals that one third of respondents have been spammed on social networking sites, while almost one quarter (21 percent) have been the victim of targeted phishing or malware attacks.

'We're seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends' compromised accounts,' continued Cluley. 'Although social networking sites are going some way to mitigate threats to users - activating pop-up windows to confirm if a user really wants to visit that external link for example - unfortunately it's just not enough. Organisations need to incorporate defences into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts which could provide an entry point to the IT infrastructure.'

With social networking behaviour firmly ingrained in many employees' daily routines, Sophos experts predict that users will continue to share information inappropriately, putting their identities - and potentially the organisation they work for - at risk. Similarly, as long as users keep falling for social media scams, the fraudsters will continue to exploit social networks, commandeering identities to steal information and spread more attacks. However, banning social networking in the workplace outright may be a rash move - one that could cause more harm than good.

'The danger is that by completely denying staff access to their favourite social networking site, organisations will drive their employees to find a way round the ban - and this could potentially open up even greater holes in corporate defences,' explained Cluley. 'Let's not also forget that social networking sites can have beneficial business purposes for some firms too, giving them the chance to network with existing customers and potential prospects.'

'In short, social networks are here to stay so it's important for businesses to find a practical way to work with these sites, not against them,' concluded Cluley. 'By adopting a more holistic approach - including investment in greater security and control solutions, as well as offering comprehensive user education - organisations will be better equipped to deal with social networking risks.'

In order to help businesses and users stay safe in the face of social networking, Sophos has put together the following advice:

1. Educate your workforce about online risks - make sure all employees are aware of the impact that their actions could have on the corporate network

2. Consider filtering access to certain social networking sites at specific times - this can be easily set by user groups or time periods for example

3. Check the information that your organisation and staff share online - if sensitive business data is being shared, evaluate the situation and act as appropriate

4. Review your Web 2.0 security settings regularly - users should only be sharing work-related information with trusted parties

5. Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content
