Most security pros like social networking sites, or at least that’s what Symantec found in a survey of security administrators in Europe and North America.
The survey was conducted earlier in 2008 and ran for about three weeks. Responses were gathered from 87 security admins belonging to organizations both big and small. What Symantec found was that although 77 percent of respondents were concerned about the security risks of their end users using social networks, 70 percent of the security admins themselves use social networks.
Their top concerns were lost productivity (53 percent), as well as data leakage and malicious code attacks, which were reported as concerns by 48 and 43 percent, respectively.
Despite these concerns, 72 percent reported they don’t block social networks. Sixty-seven percent have no company policy on social networks, and only 20 percent of those are working on one.
That doesn’t mean no one is talking about the security of social networks. Quite the contrary: earlier in August, for example, Sophos warned of an attack spreading via Facebook, and attacks targeting MySpace were openly discussed at the Black Hat security conference in Las Vegas.
Still, there was a lingering sense among the security administrators in the Symantec survey that social networks were just another attack vector, and enterprises should not overreact to security risks.
“There is a concern that [attacks over social networks are] inevitable; it’s just one more delivery mechanism,” said Kevin Haley, director of product management for security response at Symantec. “Users are already using these social networks and they’re going to be in one form or another part of the business experience.
“What I think is important is the education of users,” Haley continued. “Just like we had to educate users that they shouldn’t click on attachments [in] e-mail from somebody they didn’t know … there’s just some best practices that we’re going to need to teach end users around these tools so that they better protect themselves.”
Not everyone is taking a passive approach to social networking in the workplace, though. According to a recent study by consulting company Challenger, Gray & Christmas, 23 percent of survey respondents blocked social networking sites altogether.
Whether or not a company bans Facebook, MySpace or any other social networking site comes down to what it deems an acceptable risk: should it be very worried about confidential information leaking out over such a site, for example? Perhaps one thing implied by the Symantec study is that there is awareness among security administrators that part of security is enabling business processes, not simply blocking them in response to perceived threats.
“I’ve been thinking a lot about the quote, ‘The safest computer is [one] you bury underground, you cover it with concrete and then probably no one will ever be able to break into it,'” Haley said. “But you don’t get a lot of use out of the computer then.”