Do you MySpace? You know your kids do–and chances are that a good percentage of the twenty-somethings at your company do too. And that’s a potential problem that not enough security managers are paying attention to.
Steve Patton, security architect with a financial services organization, spends a good amount of time investigating social networking sites and cautions enterprises that while your intellectual property might not be leaked to MySpace, Facebook or Friendster, your company’s reputation could be at stake.
“Most of the corporate work being done there is in the area of policy and prohibition,” Patton told me this week at Black Hat. “‘You should not use these things at work; you should not talk about work on these sites.’ It’s not very effective. It’s helpful for the person who wants to do the right thing, not so for the person who doesn’t.”
Social networking numbers are staggering–it’s been reported MySpace has anywhere between 90 million and 180 million registered profiles. Patton likens the exercise of data mining social networking sites to social engineering. Profiles are rich with personal information: school history, work experience, blogs, photos, comments and more. It’s terrain you likely cannot ignore much longer, especially if your employees are ranting on their blog about work issues, linking to unsavory sites or posting illicit or damning photos.
And with the emergence of targeted attacks against companies, even down to the departmental or individual level, any reconnaissance is valuable to an attacker. The problem for security managers, Patton said, is balancing the demand for access to social networking with security and corporate well-being.
“It’s definitely becoming an issue where younger workers are expecting access while at work,” Patton said. “Corporate managers are finding they have to get firmer with corporate policy.”