Many enterprises continue to lack security controls that address the threats posed by the use of social networks in the workplace, according to a new survey conducted by the Ponemon Institute.
The new “Global Survey on Social Media Risks,” conducted by the Ponemon Institute and commissioned by security vendor Websense Inc., polled 4,000 IT professionals in 12 countries on the security technologies and policies used to protect against malware and other threats posed by the use of social networks in the workplace. While the threats are generally well understood, many firms struggle to address social networking security risks, the survey found.
Only 29% indicated their organization had necessary social networking security controls, and 76% identified antivirus and antimalware as the technology commonly relied on to reduce social media threats.
“Most respondents agree that the use of social media in their workplace is important to achieve business goals; it’s not just personal,” said Larry Ponemon, chairman and founder of the Traverse City, Michigan-based Ponemon Institute. “There’s a real struggle going on because policies are difficult to enforce and technology is seen as a possible business disrupter.”
Employees commonly check Facebook, Twitter and other social networks throughout the business day and some firms are concerned with the lack of productivity and the security risks posed by social networks. In addition, marketing departments rely on social networks to communicate with customers. Yet many threats exist. Cybercriminals use social engineering tactics to lure social network users into clicking on malicious links leading to attack websites. Fifty-two percent of those surveyed by the Ponemon Institute indicated an increase in malware attacks as a “direct result of employee use of social media.”
Data leakage is also a serious concern. Employees can inadvertently post company information, such as details about meetings or technologies. Organizations have accepted social networking as an important communications tool for both personal and business reasons, said Lenny Zeltser, a SANS instructor and director at NCR Corp. The threats are understood fairly well, Zeltser said.
“They are accepting that these interactions will occur and are trying to provide some training and some guidance on how to do this safely and securely,” Zeltser said. “More companies have formal policies offering guidance and setting requirements for how employees should be using social networks.”
Zeltser said policy enforcement is difficult. Technologies exist to control Web interactions and filter content, and gateway antivirus and endpoint antivirus help address malware threats, but data leakage and brand damage are still difficult threats to address, he said.
The Ponemon study found policy enforcement issues. About 65% of those surveyed indicated their organization does not enforce acceptable use, or said they were unsure. Social media is seen as one of a bevy of security risks to the enterprise, with 43% indicating other security issues were given a greater priority.
“There is a huge gap between social media enterprise adoption and protection,” Ponemon said. “But social media has emerged as an integral part of what people do so organizations are being careful not to upset their best employees and drive away younger talented individuals to competitors.”