Dark Reading is part of the Informa Tech Division of Informa PLC



9/22/2010
04:32 PM

For Small Businesses, Social Networking Poses New Security Risks

Many SMBs could be infected before they can develop adequate policies, experts say

For about six hours on Tuesday, a small snippet of JavaScript code ran rampant among Twitter users. The code used a particular class of flaw to execute simple commands, including changing the color of the interface and posting itself to the users' followers. Victims only had to hover the mouse pointer over the text.
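The article does not name the class of flaw, and the example below assumes it was user-supplied text rendered into a page without HTML encoding (cross-site scripting); it is an added illustration, not code from the article or from Twitter. It shows the standard server-side mitigation, escaping every character that can change HTML structure before the text is placed into markup, and checks that a constructed sample post cannot close an attribute and attach a hover handler. The function names, the rendering templates and the sample post are all constructed for this demonstration.

```javascript
// Added example (not from the Dark Reading article): HTML output encoding as
// the mitigation for script injected through user-supplied text. Assumes the
// flaw class was unencoded user text inside HTML; the article does not say.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode every character that can alter HTML structure so user text is always
// rendered as data and can never open or close a tag or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed template rendered the unsafe way: raw string concatenation.
function renderPostUnsafe(post) {
  return `<p class="post" title="${post}">${post}</p>`;
}

// Same template with the user text encoded first.
function renderPostSafe(post) {
  const safe = escapeHtml(post);
  return `<p class="post" title="${safe}">${safe}</p>`;
}

// Defender-side check: the number of double quotes in the rendered markup
// should equal the number the template itself wrote (four here). Any extra
// quote came from user text and means an attribute boundary was breached.
function countQuotes(html) {
  const matches = html.match(/"/g);
  return matches ? matches.length : 0;
}

// True when the markup contains a live (unencoded) mouse-over attribute.
function hasLiveHoverHandler(html) {
  return html.includes(' onmouseover="');
}

// Constructed sample post in the shape of the hover-triggered injection the
// article describes: it closes the title attribute and adds an event handler
// that recolors the page.
const SAMPLE_POST =
  'hello" onmouseover="document.body.style.background=\'red\'';

const unsafeHtml = renderPostUnsafe(SAMPLE_POST);
const safeHtml = renderPostSafe(SAMPLE_POST);

console.log('unsafe quotes:', countQuotes(unsafeHtml), 'handler:', hasLiveHoverHandler(unsafeHtml));
console.log('safe   quotes:', countQuotes(safeHtml), 'handler:', hasLiveHoverHandler(safeHtml));
```

The quote count is a cheap regression check for templates like this one: if a rendered post ever carries more quotes than the template wrote, encoding was skipped somewhere on the path from input to output.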

As social networks become more popular, such threats are becoming more common, taking advantage of the trust between users. No wonder, then, that more than a third of small and midsize businesses (SMBs) have already identified a social network as the entry point for a virus or Trojan horse infecting their corporate networks, according to a survey released last week by Panda Security.

"Everyone has to worry about it, but small and medium businesses are most vulnerable," says Sean-Paul Correll, a senior threat researcher with Panda. "Either they don't have the needed expertise or they don't have the budget to hire the expertise."

Malicious code is not the only threat that SMBs are facing on the social networking front. Many companies are finding workers posting sensitive information on these sites without fully understanding the implications of the act. More than one company has leaked critical business information inadvertently to the press via social network postings.

"You can see the [news] article going up as the employee is tweeting," Correll says.

For SMB owners who may not have the technical chops of their younger workers, dealing with social networks can be particularly daunting, says Ian Moyse, channel director of Europe, Middle East, and Africa for security firm Webroot.

"The younger employees have grown up with it -- it's likely on their phone," Moyse says. "A lot of small business owners may not understand that this is going on."

But completely banning Facebook, Twitter, and LinkedIn often leads only to unhappy employees, who might still use the services through a smartphone or from home. Instead of trying to block such services, SMBs should work with their employees, Moyse says.

"Put some guidelines in place for employees," he says. "If you don't talk to them about the rules, there are no rules."

Examples of more than 150 policies can be found online at Social Media Governance.

But training and enforcement are just as important as the policy itself. While 57 percent of SMBs claimed to have a formal social media policy in place, according to Panda's survey, nearly a quarter of companies had leakage of sensitive data through social networks and a third had a virus or Trojan horse enter through a social network.

"I think many companies wouldn't even know what a social-media governance policy would be, or what would be in it for that matter," Correll says. "Either the education program isn't there or the education isn't good enough."

Having the tools to monitor and enforce the policy is also important, experts say. In the past, companies focused on client-side software or an appliance for dealing with website use and monitoring. Now about 45 percent of companies use cloud services to enforce social networking rules, according to Panda's survey.

That's good news for SMBs, as such services require little or no upfront cost and less expertise to run properly. However, companies should make sure that they notify their employees -- both during training and in the written policy -- about how the company will monitor the use of social networks, says Chris Boyd, senior threat researcher with GFI Software.

"The company has to be up-front with the workers about what they are going to be doing -- what they will be logging and what they will not be logging," Boyd says. "There has to be a little give and take."
