IT Pros Lack Tools to Protect Enterprises From Employee Social Media Use

IT professionals consider social media as a positive business tool within the enterprise, but they were concerned they didn't have the right technology and policies to deal with the dangers, a recent report found.

The "Global Survey on Social Media Risks" from the Ponemon Institute released Sept. 29 surveyed 4,640 IT and IT security practitioners across the globe on the problems organizations face with increased use of social media. While respondents said they believed social networking technology played an important role within the organization, 63 percent agreed, or strongly agreed, that these tools represented a serious security threat to their organizations. Only 29 percent said their organizations had the necessary controls in place to mitigate or reduce the risks.

The biggest risks came from employees downloading malicious apps. This could take the form of employees downloading an instant messaging client that had malware embedded, or installing apps on social networking sites that trick users into downloading malware on the system. A little over half, or 52 percent, of respondents said their organizations had experienced an increase in malware attacks as a result of employees using social media. About 27 percent said the attacks had increased by more than 51 percent.

"The challenge they face is how to ensure the use of social media vehicles does not jeopardize the security of their organizations' networks," Ponemon Institute wrote in the report. Respondents were also concerned about the lack of controls on what employees could post online as well as the fact that employees could be exposed to inappropriate data. Malware and data control weren't the only negative aspects of social media, the survey found. Respondents cited diminished employee productivity and excessive usage of Internet bandwidth as other issues.

Employees are using social media tools more often for non-business purposes than business, purposes, the report found.

More than half, or 65 percent, of respondents were unsure if the organization had an acceptable use policy for social media, or said the policy was not enforced. While 44 percent said there was a lack of governance and oversight, 43 percent felt other security issues took precedence. Another 41 percent said there were insufficient resources to monitor policy.

About 85 percent of respondents said it was acceptable to use social media tools to communicate within the company and 55 percent felt it was acceptable to use the technology to communicate outside the company. More than half felt social networking could be used as an email or texting channel. The survey used the word "friends" instead of "colleagues" or "business partners."

"Based on this response, we believe organizations consider social media a positive tool for encouraging collaboration and building internal relationships," the report's authors wrote.

Unacceptable use included downloading and watching videos during the workday or downloading apps and widgets from social media sites. Only 23 percent said videos were acceptable and 8 percent thought widgets were not a problem. Only 11 percent said it was acceptable to post "uncensored content" on social networking sites and another 11 percent said the same about posting to uncensored blogs. A mere 6 percent of respondents felt all the above activities were acceptable within the enterprise.

Security vendor Websense sponsored the study. Websense said the "dynamic social Web" requires real-time content security to analyze information as it is created and consumed. Signature and fixed-policy Web technologies such as antivirus do not provide appropriate threat protection, the company said in the report. About 73 percent of the respondents identified secure Web gateways as an important way to reduce social media threats.

Organizations need to understand the social media risks by creating a risk assessment, the Ponemon Institute recommended. Employees need to be educated about how their social media usage could affect the company and create a comprehensive policy on what constitutes acceptable usage.

Survey participants had an average of 10 years experience in the field, and more than half held positions at the supervisor level or higher. Approximately 42 percent of the participants worked in organizations with more than 5,000 employees.