According to Panda Security's Social Media Risk Index [PDF], one-third of small-to-midsize businesses have suffered a malware infection initiated through social media, with Facebook as the leading source. Malware threats once thought of as nearly extinct have made a rousing comeback in business environments, thanks to overly trusting social networkers.
Yet the biggest threat is probably the accidental data leak, wherein well-meaning employees tweet details of secret projects they're working on, "check in" to meetings between two companies on the verge of a confidential deal, or post status updates that mention internal problems at the company. It's not quite on the scale of, say, losing a prototype iPhone in a bar, but employee social media gaffes can bring your organization everything from public embarrassment to legal liability.
"I can't begin to tell you how many times companies come to us because they've discovered their employees were using social networks that compromised sensitive data," says Mike Logan, CEO of Axis Technology, a vendor of data masking products. "A P2P network or a social network like Facebook that collects info is pretty much the equivalent of digging a tunnel right into a company's data center."
In Proofpoint's seventh annual study of outbound communications security, conducted by Osterman Research in July, one in five organizations reported losing confidential or sensitive information via social networks -- a figure Osterman acknowledges is probably lower than the actual number. In the past 12 months, 20 percent of companies surveyed have disciplined employees for violating company policies on social networking, while 7 percent have terminated people for their actions on social nets.
It gets worse. If your employees post proprietary information on a site like Facebook, whose legal terms claim ownership over any data shared on its network, you may lose control over your company's intellectual property.
"It all boils down to what is written in the terms of service," says Carter. "These differ between the different social networks, which creates its own problems. Having proprietary data residing on a social network should absolutely create concerns for enterprises, especially if that data is not stored anywhere else. Enterprises should look at their record retention policies and not rely on Facebook, LinkedIn, or Twitter to store that data for them."
Taming the social network: Block social media at your peril
From an IT perspective, an understandable response to social media is to block it and forget about it. Depending on the survey, some 30 to 50 percent of organizations polled say they ban employees from using Facebook, Twitter, LinkedIn, and other popular social media sites at work. Simply add facebook.com and twitter.com to your list of forbidden URLs and get back to the real work at hand, right?
Wrong, says Palo Alto Networks' Bonvanie. Most companies are in denial about how much their employees are using social nets, as well as what they can do to stop it.
"You ask some IT people about social media and they'll say, 'Nobody's using Facebook on our network,' or, 'They can't use it because we're using IPS or URL filtering to block it,'" Bonvanie says. "In both cases, those IT people are completely wrong. We see massive penetration of social media in the enterprise."
How massive? Palo Alto Networks has detected Facebook use on 92 percent of the 347 enterprise networks it surveyed last spring. Twitter was detected on 87 percent of corporate nets; LinkedIn and MySpace, 83 and 82 percent, respectively.
When IT has taken steps to block access to Facebook and other social sites on the network, users invariably find a way around those barriers, says Bonvanie.