Facebook: A Tempting Danger Zone for Businesses
A new study from security research firm Sophos finds that malware and spam attacks delivered through social networks rose significantly in 2009, and Facebook is perceived as the most dangerous social net of them all. At the same time, however, many businesses see social networking as a prime marketing tool that they're hesitant to ignore.
02/02/10 10:16 AM PT
Social networking sites are a threat to online security, and Facebook is the worst offender, a report from Sophos states.
The number of businesses hit by malware and spam attacks through social networks rose by 70 percent in 2009, the report found. More than 72 percent of businesses believe employees' behavior on social networking sites could endanger security.
The issue of social networks is rife with contradictions -- although social networking sites help malware authors spread their attacks rapidly, they have also been instrumental in spreading knowledge of disasters and political turmoil worldwide.
Facebook's attitude is typical of the dichotomy plaguing the issue. On the one hand, it has tied up with McAfee to improve users' security; on the other hand, company cofounder Mark Zuckerberg has recently stated that he thinks the desire for privacy online is fading.
The Sophos 2010 Threat Report
Over 2009, companies widely adopted social networking techniques such as blogs and social networks like Facebook and MySpace to connect with customers and spread the latest company news or product offerings to the public, according to the Sophos report.
About 2 percent of all online clicks in 2009 through 4,000 Cisco Web security appliances were on social networking sites, Sophos found. Facebook alone accounted for the majority -- 1.35 percent. "The business world would be foolish to ignore such a high level of activity and such a potentially lucrative resource," the report reads.
However, that lucre comes at a cost: 61 percent of respondents to a survey Sophos conducted in December 2009 believe that Facebook is the worst security threat of all the social networking sites. More than 72 percent of the respondents to Sophos' survey believe that employees' behavior on social networking sites could endanger the security of their business.
Social network logon credentials have become as valuable as email addresses because people are more likely to open a message when it appears to come from a friend, Sophos warned. People should be wary of what information they post on social networking sites, Sophos said.
Creatures of Light and Darkness
Like just about everything else, social networking sites are a mix of bad and good elements. Although they can constitute a threat to security, they also provide valuable outlets for businesses to connect with their customers. Salesforce.com and Google both allow application developers using their platforms to create Facebook apps, for example.
Further, social networks are often leveraged for the greater social good. Facebook and Twitter, for example, were instrumental in raising awareness of the outcome of the Haiti earthquake and in efforts to raise funds for that disaster.
Twitter and Facebook were also instrumental in disseminating knowledge of the Iranian election in May of 2009; the Iranian government clamped down on some social networking sites prior to the election, sparking protests from the opposition.
On the other hand, many Facebook users have been scammed when they responded to fake emails from friends asking for financial help, a common grift used by Facebook hackers.
Facebook is itself torn by the contradictions. On the one hand, it's working hard to improve users' security. "We work regularly with others across the industry to identify and respond to potential threats to our users," Facebook spokesperson Simon Axten pointed out. "We're constantly working to improve our systems and processes." That work includes teaming up with McAfee to integrate a scan and repair tool into Facebook's own security processes.
However, social networking sites are fighting an uphill battle. "Security is an arms race, and our teams are always working to identify the next threat and build defenses for it," Axten told TechNewsWorld.
On the other hand, Facebook CEO Mark Zuckerberg stirred up a hornet's nest recently when he said, in effect, that the importance of online privacy is fading.
The contradictions around social networks in general, and Facebook in particular, are perhaps best summed up by independent security researcher Gadi Evron in a post on Trend Micro's Dark Reading blog: "Facebook, by its nature, is one of the worst security menaces ever created," he wrote. "But its security team is top-notch."
Oh, Squishy Humans
Social networks have become so woven into the fabric of our lives that many businesses now face a distinct disadvantage if they turn a blind eye to them or forbid staff to access them. "Not only will your workers circumvent your block and participate surreptitiously, but also your competitors will sneak an advantage and get closer to your customers," Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld.
His suggestion: Companies need to secure their users' computers, educate their staff to use social networks more securely, and lobby the social networking sites to implement better security.
"Implement a solution that scans every Web page and link that your users click on," Cluley explained. "Run security awareness seminars that explain how different kinds of attacks work on social networks."
However, technology can only provide a basic level of protection. "The weak point isn't the technology. It's the squishy human sitting in front of the keyboard or the touchscreen," Cluley said. "If attackers can fool users into believing that they are the users' Facebook friends, many people will find themselves victims of social networking attacks."