Tampa, FL and Galway, Ireland – 4th Mar 2014. What are some of the threats to your network security from social media, and should you cut off your employees' access to social media sites? How can SMB owners or IT staff protect the company's network security? SpamTitan recently sponsored a survey by Osterman Research of 157 companies, with an average of 1,470 employees each, about their perceptions of and experiences with malware. Here we look at a couple of observations drawn from that report relating to social media.

Perception of Social Media Threats

The survey shows that 14% of malware infections over the period November 2012 to November 2013 came via social media and other interactive, collaborative (i.e. Web 2.0) sites. The graph below presents the results. As we can see, web surfing and social media are closely related in terms of the risks they carry: web surfing is the number one route by which companies are infected, and social media platforms are where victims are drawn in.

How do companies perceive the risk-versus-benefit of social media?

More than half of the companies surveyed regard the leading social media sites as legitimate business applications. That argues against cutting off access, since employees may need those sites for their work.

Among the companies that consider these sites useful, the proportion that has nonetheless written guidelines or deployed technology to block them is:

  • LinkedIn 21%
  • YouTube 36%
  • Facebook 40%
  • Twitter 45%
  • Skype 47%

As you can see, in the case of LinkedIn and Skype, some of these companies have cut off access to sites they deem useful, which suggests that their security policies and business policies are not aligned. For YouTube and Twitter, by contrast, the majority have left access open, which is what you would expect of sites they regard as useful.

Network Security issues with Social Media in the workplace.

The major security threat with social media is the same as with spam email: people's curiosity, their sense of trust, and a lack of adequate security training. People tend to trust these sites because they are so well known and considered reputable, and they are not always aware of the dangers there. Added to that is the presumption that you can trust someone you know, or someone who knows someone you know, which is how spammers get links posted on your wall. In security circles the underlying issue is called "transitive trust". The average popular website links to all sorts of sites and services, with the typical home page featuring lots of third-party links, and each of those links could potentially be used by attackers for malicious ends. Your website or service is only as secure as its weakest link, literally. Transitive-trust hacking is not new: it occurs every time a banner ad running on an innocent website ends up linking to a malware-laden site.

The concept is discussed in Clara Shih's book 'The Facebook Era'; although it is a heavily business-focused book, it is very readable and supported by credible research.

She writes: Consider this example of transitive trust: In trying to reach Graham, I discover that we both know Kelly. Because Kelly trusts me, and Graham trusts Kelly, Graham is more likely to “transitively” trust me if Kelly provides a warm introduction or I at least mention Kelly when reaching out to Graham. Not actually knowing me himself, Graham doesn’t trust me as much as he trusts Kelly, but … I don’t need him to trust me just yet. All I need is to get my foot in the door, and my product, service, or personality hopefully can do the rest. I just need a chance to be heard.

Transitive trust is not a new concept; in fact, it is how human beings have been making important decisions since the dawn of civilization. The challenge in the past was about discovery. I might have had to ask a lot of people before I found someone who knew Graham well enough to provide an introduction. Social networking sites bring transparency and efficiency to discovering mutual ties.

Facebook and LinkedIn encourage you to friend or connect with people you do not know directly. They do this if you give them access to your email contacts, and they also match you up with people who share a contact with you on their site. This is how attackers can get into a position to post messages on your wall. Twitter does not have this problem, as you cannot post tweets directly on someone else's wall. However, anyone can post tweets and direct them at hashtags (#), which is where your employees will find them as they read about different topics.

LinkedIn and Twitter shorten the URLs you post there, and they say they check those links for malware as they do so. For example, when LinkedIn blocks a site it says: "This link has been reported as participating in malicious behaviour or abuse." Facebook also says it scans for malware, but that did not prevent the Zeus banking trojan from infecting users on its site last year. Zeus waits until you visit a bank website and then steals your user ID and password. If that person is your company's financial controller or bookkeeper, that could be a big problem.
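A shortened link hides its destination, so a scanner should resolve the redirect chain itself rather than trust the shortener. The following Python is an added example, not code from this article, from SpamTitan or Osterman, or from any of the sites named: it follows Location headers hop by hop without fetching the destination page, caps the number of hops, detects redirect loops, and checks the final host against a deny list. The redirect table, the host names and the deny list are constructed for the example; in production the injected `head` function would issue a real HTTP HEAD request with automatic redirects disabled.

```python
"""Resolve a shortened URL's redirect chain server-side and classify the final host.

Added example; not from the original article. FAKE_RESPONSES stands in for
real HTTP responses so the code runs offline. In production replace fake_head
with a HEAD request that does NOT follow redirects automatically, e.g.
requests.head(url, allow_redirects=False, timeout=5).
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed deny list of hostnames (any subdomain of these is also blocked).
DENY_HOSTS = {"malware.example", "phish.example"}

# Constructed redirect table: url -> (status_code, Location header or None).
FAKE_RESPONSES = {
    "http://t.example/abc": (301, "https://bit.example/xyz"),
    "https://bit.example/xyz": (302, "/go?u=1"),          # relative Location header
    "https://bit.example/go?u=1": (302, "http://malware.example/dl.exe"),
    "http://malware.example/dl.exe": (200, None),
    "http://t.example/ok": (301, "https://www.example.com/article"),
    "https://www.example.com/article": (200, None),
    "http://t.example/loop1": (302, "http://t.example/loop2"),
    "http://t.example/loop2": (302, "http://t.example/loop1"),
}


def fake_head(url):
    """Stand-in for an HTTP HEAD request with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


def resolve_chain(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects manually. Returns (chain_of_urls, verdict) where verdict
    is "final", "loop" or "too_many_hops". The destination body is never fetched."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        # Resolve relative Location values against the URL that sent them.
        url = urljoin(url, location)
        if url in seen:
            return chain + [url], "loop"
        seen.add(url)
        chain.append(url)
    return chain, "too_many_hops"


def classify_link(url, head=fake_head, deny_hosts=DENY_HOSTS):
    """Return ("allow" | "block", chain, reason) for a posted link."""
    chain, verdict = resolve_chain(url, head)
    if verdict != "final":
        # Loops and unbounded chains are themselves a reason to refuse the link.
        return "block", chain, verdict
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    if final_host in deny_hosts or any(final_host.endswith("." + h) for h in deny_hosts):
        return "block", chain, "deny-listed host " + final_host
    return "allow", chain, "final host " + final_host


if __name__ == "__main__":
    for link in ("http://t.example/abc", "http://t.example/ok", "http://t.example/loop1"):
        verdict, chain, reason = classify_link(link)
        print(verdict, reason)
        print("   " + " -> ".join(chain))
```

Two caveats a scanner has to live with: a site may answer HEAD differently from GET, and some shorteners redirect with a meta refresh or JavaScript rather than a Location header, so a clean "final" verdict is only one signal, not proof the link is safe. The hop cap and loop detection are there so a hostile chain cannot tie the scanner up indefinitely.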

What about security issues relating to apps?

One of the inherent weaknesses of Facebook is that the apps you install there can be given permission to post links on your wall. They can therefore post seemingly harmless links to infected sites without the user knowing, and your Facebook friends will then see those links. Facebook has too many apps to scrutinize each one carefully.

Finally, whatever defences you put in place, such as blocking sites completely or selectively blocking categories of sites, they will not work when people are using their own devices outside your network. Employees can infect their tablet or smartphone and then unwittingly pass the infection on, whether by forwarding it through a web email client or by connecting over VPN and using the device to send company mail.

Wrapping up, one can deploy technology and improve security training to help mitigate the risks of social media, but it is probably not a good idea to cut off access to social media entirely, as most business, news and culture has moved online and people need access to it for work. Security is the most important focus area for business and IT decision makers in the context of their email and web solutions. Given the significant potential for malware and other threats to enter organizations through corporate email systems, web applications and social media tools, and the enormous financial and other damage they can cause, decision makers must focus heavily on the specific solutions that will be employed, whether these will be part of an integrated suite or implemented on a best-of-breed basis, and the models that will be used to deliver them.