Social networks such as Facebook, LinkedIn and MySpace make security administrators nervous about malware, phishing, security threats and data leaks, just not enough to stop using social networks themselves. Symantec found that 70 percent of security administrators use social networks despite concerns over data leakage, malware and productivity loss.
Most security pros like social networking sites, at least that's what
Symantec found in a survey of security administrators in Europe
and North America.
The survey was conducted earlier in 2008 and ran for about three weeks.
Responses were gathered from 87 security admins belonging to organizations both
big and small. What Symantec found was that although 77 percent of respondents were
concerned about the security risks of their end users using social networks, 70
percent of the security admins themselves use social networks.
Their top concerns were lost productivity (53 percent), as well as data leakage
and malicious code attacks, which were reported as a concern by 48 and 43
percent, respectively.
Despite these concerns, 72 percent reported they don't block social
networks. Sixty-seven percent have no company policy on social networks, and
only 20 percent of those are working on one.
That doesn't mean no one is talking about the security of social networks.
Quite the contrary: earlier in August, for example, Sophos warned of an attack
spreading via Facebook, and attacks targeting MySpace were openly discussed at
a security conference in Las Vegas.
Still, there was a lingering sense among the security administrators in the
Symantec survey that social networks were just another attack vector, and
enterprises should not overreact to security
"There is a concern that [attacks over social networks are] inevitable; it's
just one more delivery mechanism," said Kevin Haley, director of product
management for security response at Symantec. "Users are already using
these social networks and they're going to be in one form or another part of
the business experience.
"What I think is important is the education of users," Haley continued.
"Just like we had to educate users that they shouldn't click on
attachments [in] e-mail from somebody they didn't know ... there's just some best
practices that we're going to need to teach end users around these tools so
that they better protect themselves."
Not everyone is taking a passive approach to social networking in the
workplace, though. According to a recent study by consulting company
Challenger, Gray & Christmas, 23 percent of survey respondents blocked
social networking sites altogether.
Whether or not a company bans Facebook, MySpace or any other social
networking site comes down to what it deems an acceptable risk: should it be
very worried about confidential information leaking out over such a site,
for example. Perhaps one thing implied by the Symantec study is that there
is awareness among security administrators that part of security is enabling
business processes, not simply blocking them in response to perceived threats.
"I've been thinking a lot about the quote, 'The
safest computer is [one] you bury underground, you cover it with
concrete and then probably no one will ever be able to break into it,'" Haley
said. "But you don't get a lot of use out of the computer then."