For Small Businesses, Social Networking Poses New Security Risks

For about six hours on Tuesday, a small snippet of JavaScript code ran rampant among Twitter users. The code used a particular class of flaw to execute simple commands, including changing the color of the interface and posting itself to the users' followers. Victims only had to hover the mouse pointer over the text.

As social networks become more popular, such threats are becoming more common, taking advantage of the trust between users. No wonder, then, that more than a third of small and midsize businesses (SMBs) already have identified a social network as the entry point for a virus or Trojan horse infecting their corporate networks, according to survey released last week by Panda Security.

"Everyone has to worry about it, but small and medium businesses are most vulnerable," says Sean-Paul Correll, a senior threat researcher with Panda. "Either they don't have the needed expertise or they don't have the budget to hire the expertise."

Malicious code is not the only threat that SMBs are facing on the social networking front. Many companies are finding workers posting sensitive information on these sites without fully understanding the implications of the act. More than one company has leaked critical business information inadvertently to the press via social network postings.

"You can see the [news] article going up as the employee is tweeting," Correll says.

For SMB owners who may not have the technical chops of their younger workers, dealing with social networks can be particularly daunting, says Ian Moyse, channel director of Europe, Middle East, and Africa for security firm Webroot.

"The younger employees have grown up with it -- it's likely on their phone," Moyse says. "A lot of small business owners may not understand that this is going on."

But completely banning Facebook, Twitter, and LinkedIn often leads only to unhappy employees, who might still use the services through a smartphone or from home. Instead of trying to block such services, SMBs should work with their employees, Moyse says.

"Put some guideline in place for employees," he says. "If you don't talk to them about the rules, there are no rules."

Examples of more than 150 policies can be found online at Social Media Governance.

But training and enforcement are just as important as the policy itself. While 57 percent of SMBs claimed to have a formal social media policy in place, according to Panda's survey, nearly a quarter of companies had leakage of sensitive data through social networks and a third had a virus or Trojan horse enter through a social network.

"I think many companies wouldn't even know what a social-media governance policy would be, or what would be in it for that matter," Correll says. "Either the education program isn't there or the education isn't good enough."

Having the tools to monitor and enforce the policy is also important, experts say. In the past, companies focused on client-side software or an appliance for dealing with website use and monitoring. Now about 45 percent of companies use cloud services to enforce social networking rules, according to Panda's survey.

That's good news for SMBs, as such services require small or no upfront costs and less expertise to run properly. However, companies should make sure that they notify their employees -- both during training and in the written policy -- about how the company will monitor the use of social networks, says Chris Boyd, senior threat researcher with GFI Software.

"The company has to be up-front with the workers with what they are going to be doing -- what will they be logging and what they will not be logging," Boyd says. "There has to be a little give and take."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.