Unfettered tools compromise social media security, challenge IT

Social media security involves a Pandora's box of challenges for IT pros tasked with protecting sensitive data.

Social media tools now are vulnerable to the same types of security problems -- phishing, malware and spam attacks -- as email. Those social media security issues open businesses up to new vulnerabilities that IT administrators must manage.

Enterprise IT struggles to balance data security and regulation oversight with the need to use social media tools, which commonly are overseen by another department. In many cases, the tools employees use are unsanctioned.

"The biggest worry companies seem to have right now is brand reputation," said Alan Webber, an analyst with Altimeter Group LLC, a research firm based in San Mateo, Calif. "But companies aren't paying attention to the potentially serious risks. Why hack into a computer system when you can social engineer someone's password or important company information?"

Over the next few years, Webber believes the threats from social media hacking -- whether it comes from social engineering or other methods of breaking into a system -- will eclipse the threats businesses face elsewhere. The risk to social media security could be particularly high if social media is overseen by the marketing department without IT involvement.

Data compromised when social media security is lacking

Much like cloud storage and file syncing services, social media tools open companies to security risks, especially from employees who use the same passwords and usernames for personal and work applications. Plus, people tend not to delete their accounts once they switch from one service to another, making those passwords easy targets for hackers.

The recent security breach at Dropbox and the hacks of Major League Baseball's Facebook page, Reuters blog platform and Twitter accounts all demonstrate the need for strong, unique passwords that are different for work and personal accounts, said Tim Brown, chief technology officer at CSID, a software security vendor based in Austin, Texas. "One small hack relates to other accounts and systems. IT needs to make sure the information that is most important and most lucrative is the stuff we're protecting," he said.

CSID mandates multi-factor authentication for passwords as an added precaution whenever that feature is available for social media and cloud services. The company also tries to understand which data and information would be valuable to bad guys, and to make that a security priority. "IT often smears peanut butter across the whole sandwich, when it comes to security," Brown said. "For example, sales data isn't overly important because people can find that anywhere, but the information on our five million customers needs to be protected. So does [intellectual property]. We wouldn't want anyone to talk about that on social media."

Social media security policies critical

There's very little proactive control over the information that can potentially leak from employees, Brown said. That means IT must be vigilant about what they can control, such as secure passwords, education, training and specific policy use.

Managing social media security is akin to parenting a teenager, said Carol Rozwell, an analyst with Stamford, Conn.-based research firm Gartner Inc. "The more IT says 'No,' the more employees will test the limits of what they can and can't do on social sites." If organizations allow the use of and access to Facebook, Twitter, Google+, LinkedIn and other services, the best IT can do is make the company strategy clear, educate employees about the potential security risks and stay vigilant, she said.

A recent Altimeter Group study suggests that 80% of U.S. companies officially have a Facebook presence, and slightly less than half of them are on Twitter. Those numbers become much higher, however, when you factor in the number of employees who personally use various social media services at work, Altimeter's Webber said.

"Almost every company has a policy," Webber said. He nevertheless was surprised to learn that those policies weren't updated frequently enough for the rapidly changing social media market, and many companies don't back their policy up with robust training or education.

The best approach is to provide employees with training for using social media "that is very specific to their job role" and to help them understand why the policy is important for protecting themselves and their company, Gartner's Rozwell said. Policy and education are important, because unlike email, which has tools for monitoring appropriate communication, the tools for IT pros that are designed and dedicated to mitigating the risks involved with social media are vastly immature, she said.

Are you concerned by the lack of security in social media?
The Major League Baseball security breach stemmed from a simple question asked to WHOI.edu to clarify their use of MLB meaning Major League Baseball or Main logic board... while I was signed into an anonymous account... I also posed the question to ask.com asking why WHOI.edu would show me as logged in when I do not own an account.
Currently watching benchwarmers and it seems to be referencing this conversation.
I am all for access to friends and family but to have to give every application full access to your information is just crazy.

With the point-to-point technology/VPN we have available, I would think that is where Facebook/LinkedIn/Google would head to alleviate the anxiety over privacy concerns that are in both the private and corporate worlds.
First, we have to come to grips with the fact that Social Media's purpose is to not enable people or companies - It is to harvest data on an incredibly grand scale. Facebook is a 'poster-child' because it has earned its place; It is the most onerous offender that is somehow not listed as a malware site.

It isn't just the data you knowingly provide them, either. Run a simple no-script plugin in your browser and a connection monitor - You'll be able to see just how often Facebook tries to siphon off what you are looking at, where you are going, what you are doing, etc. online.

Does your company REALLY need to have a social media presence? Take MLB, for instance - Our society is so saturated by the sport; Who is going to suddenly become aware of it on Facebook? What is there to gain? The potential downsides illustrate considerable risk - It is just begging for a PR black-eye. Never mind the information they are gaining from your company as it is used.

It's time to stop following the hipsters and tragically uninformed, and start listening to some IA folk.
The recent hack of LinkedIn accounts and the ever changing face of Facebook "security" is definitely cause for concern.
Many types of security breaches around. Not only hacking type, but also collecting people for illegal works/jobs. Social media is a very nice platform for people acting illegal and hard to clean them.
The risks that are inherent in social media channels presently are akin to swimming in shark-infested waters. It is only likely going to get more dangerous (with some major fallout happening sometime soon) before proper measures are implemented by both the providers and customers to prevent and avert further disasters to confidential data and information.
I feel we're fighting a losing battle though... the responsibility for securing the corporate data is firmly placed at the feet of the administrators, with employees taking very little responsibility for their own role in protecting information. This, to me, appears to be an educational issue, one that needs to be addressed at a management level, not just an IT level. There needs to be some kind of consequence for the employee in place should corporate data be exposed in this way.
Does Social Media really have a place in business? I have not been able to detect any meaningful benefit of social media other than circulating news about the company within the existing client base. After 2 years of use of Facebook, we still only have 2500 likes when our client base is over 65000! As far as staff accessing social media at work, this is an uncontrolled abuse of company time.
Users don't have any awareness of the risks. Functionality is what counts. Unlike in the past, where a virus would produce signs in a device, now hackers don't make their presence noticeable, so users don't see anything wrong, and it is more difficult to convince them that something can be wrong.
I see the weak password problem as a major issue, but do we have to burden the end user with the task of coming up with complex passwords? I know there has to be a better way.