Wednesday, 10 March 2010
Twitterers with Facebook pages and LinkedIn accounts beware. The volume of spam and malware sent via social networking sites increased by 70 per cent last year, with MySpace, LinkedIn, Facebook and Twitter all falling victim to rising levels of malicious activity in 2009. Of them all, Facebook poses the biggest risk to security, according to a survey by cyber security firm Sophos.
Paul Ducklin, Head of Technology for Sophos Asia Pacific, warned FutureGov readers that even well-meaning social media users are prone to making mistakes which can lead to companies or governments “getting egg on their faces”.
“Organisations are worried about what might go wrong for them even when employees are talking about their own interests with their own friends in their own time,” said Ducklin. “Our work and home lives are increasingly intertwined, so there is always the risk that individuals might - with the best intentions - leak nuggets of information about their work and their workplace which social engineers could pounce upon and abuse.”
Ducklin pointed to last year’s revelation that the head of the British Secret Intelligence Service had personal information about himself and his family exposed via his wife’s Facebook account as an example of how social media can leave even the most secure organisations vulnerable to cyber attack.
“One of the biggest risks is from insiders,” said Ducklin. “I’m not talking about ‘the enemy within’ (that’s another issue altogether), but about the inadvertent mistakes of well-meaning insiders who give away what they see as harmless information which nevertheless gives cybercriminals an attacking wedge into the organisation.”
So how to tackle the problem? Ducklin noted that a blanket block on the use of social media networks at work would not be an effective first measure. “Staff will continue to use social networking sites at home, and are likely to discuss work-related matters anyway, simply because they are telling part of their life story online,” he said.
“Much better is to prevent staff using potentially risky sites from high-security parts of the network, while allowing ‘reasonable’ use of social media sites elsewhere - with guidelines which clearly explain what you mean by reasonable.” He suggested that the approach of the US Marines, which last year banned the use of social media on critical parts of the network where it represents an “unreasonable risk”, was a good way of finding “sensible middle ground”.
The public and private sectors should make the issue of data security part of their staff induction programmes, so that no-one is in any doubt about what is safe and what is not, he added. “Consider making the practice of IT security an HR function, so that everyone is involved. Regularly re-brief your staff on good behaviours - which will help protect them at home, too.”