Unfettered tools compromise social media security, challenge IT

James Furbush

Social media tools are now vulnerable to the same types of security problems -- phishing, malware and spam attacks -- as email. Those social media security issues expose businesses to new vulnerabilities that IT administrators must manage.

Enterprise IT struggles to balance data security and regulatory oversight with the need to use social media tools, which are commonly overseen by another department. In many cases, the tools employees use are unsanctioned.

"The biggest worry companies seem to have right now is brand reputation," said Alan Webber, an analyst with Altimeter Group LLC, a research firm based in San Mateo, Calif. "But companies aren't paying attention to the potentially serious risks. Why hack into a computer system when you can social engineer someone's password or important company information?"

Over the next few years, Webber believes the threats from social media hacking -- whether it comes from social engineering or other methods of breaking into a system -- will eclipse the threats businesses face elsewhere. The risk to social media security could be particularly high if social media is overseen by the marketing department without IT involvement.

Data compromised when social media security is lacking

Much like cloud storage and file syncing services, social media tools open companies to security risks, especially from employees who use the same passwords and usernames for personal and work applications. Plus, people tend not to delete their accounts once they switch from one service to another, making those passwords easy targets for hackers.

The recent security breach at Dropbox and the hacks of Major League Baseball's Facebook page, the Reuters blog platform and Twitter accounts all demonstrate the need for strong, unique passwords that differ between work and personal accounts, said Tim Brown, chief technology officer at CSID, a software security vendor based in Austin, Texas. "One small hack relates to other accounts and systems. IT needs to make sure the information that is most important and most lucrative is the stuff we're protecting," he said.

CSID requires multi-factor authentication as an added precaution wherever social media and cloud services offer it. The company also tries to understand which data and information would be valuable to bad guys, and to make protecting that data a security priority. "IT often smears peanut butter across the whole sandwich, when it comes to security," Brown said. "For example, sales data isn't overly important because people can find that anywhere, but the information on our five million customers needs to be protected. So does [intellectual property]. We wouldn't want anyone to talk about that on social media."

Social media security policies critical

There's very little proactive control over the information that can potentially leak from employees, Brown said. That means IT must be vigilant about what it can control, such as secure passwords, education, training and specific usage policies.

Managing social media security is akin to parenting a teenager, said Carol Rozwell, an analyst with Stamford, Conn.-based research firm Gartner Inc. "The more IT says 'No,' the more employees will test the limits of what they can and can't do on social sites." If organizations allow the use of and access to Facebook, Twitter, Google+, LinkedIn and other services, the best IT can do is make the company strategy clear, educate employees about the potential security risks and stay vigilant, she said.

A recent Altimeter Group study suggests that 80% of U.S. companies officially have a Facebook presence, and slightly less than half of them are on Twitter. Those numbers become much higher, however, when you factor in the number of employees who personally use various social media services at work, Altimeter's Webber said.

"Almost every company has a policy," Webber said. He nevertheless was surprised to learn that those policies weren't updated frequently enough for the rapidly changing social media market, and many companies don't back their policy up with robust training or education.

The best approach is to provide employees with training for using social media "that is very specific to their job role" and to help them understand why the policy is important for protecting themselves and their company, Gartner's Rozwell said. Policy and education are important, because unlike email, which has tools for monitoring appropriate communication, the tools for IT pros that are designed and dedicated to mitigating the risks involved with social media are vastly immature, she said.