INFOSECURITY LONDON, Stand G50 - IT security and control
firm Sophos has revealed the results of its latest research into
cybercrime's new frontier, social networking. A recent Sophos poll*
revealed that 63 per cent of system administrators worry that
employees share too much personal information via their social
networking profiles, putting their corporate infrastructure - and
the sensitive data stored on it - at risk. The findings also
indicate that a quarter of businesses have been the victim of spam,
phishing or malware attacks via sites like Twitter, Facebook,
LinkedIn and MySpace.
With social networking now part of many computer users' daily
routine - from finding out what friends are up to, to viewing
photos or simply updating their online status - Sophos experts note
that an unprecedented amount of information is updated every minute.
Frequent use of social networking sites makes them a prime target
for cybercriminals intent on stealing identities, spreading malware
or bombarding users with spam.
"The initial productivity concerns that many organisations
harboured when Facebook first shot to popularity are giving way to
the realisation that there are more deliberate and malicious risks
associated with social networking," said Graham
Cluley, senior technology consultant at Sophos. "As
cybercriminals choose to exploit these sites for nefarious
purposes, both innocent users and companies are finding themselves
in the firing line. But until users wise up to the dangers, and
firms begin to take precautionary measures to combat these threats,
then the situation will intensify."
Sophos research confirms that although one third of
organisations still consider productivity issues to be the major
reason for controlling employee access to social networking sites,
the threat from both malware and data leakage is becoming more
apparent with one in five citing these as their top concerns.
Cyber-attacks: a new frontier
Sophos experts note that four of the most popular social
networking sites - Facebook, MySpace, LinkedIn and Twitter - have
all experienced their fair share of spam and malware attacks during
2009, all designed to compromise PCs, or steal sensitive
information. From traditional 419 scams that aim to fool users into
sending money to foreign destinations under the ruse that a friend
is in trouble, to malware disguised as Facebook error messages,
cybercriminals are using the same old techniques, but pushing them
out via social media.
A typical method of attack is for hackers to compromise accounts
by stealing usernames and passwords - often using phishing or
spyware - and then use this profile to send spam or malicious
links to the victims' online friends and colleagues. Sophos
research reveals that one third of respondents have been spammed on
social networking sites, while almost one quarter (21 per cent) have
been the victim of targeted phishing or malware attacks.
"We're seeing more incidents of unwanted adverts and malicious
links being spammed out, particularly to Facebook users, from their
friends' compromised accounts," continued Cluley. "Although social
networking sites are going some way to mitigate threats to users -
activating pop-up windows to confirm if a user really wants to
visit that external link for example - unfortunately it's just not
enough. Organisations need to incorporate defences into their IT
security policy, and a key part of this is to educate individuals
to choose strong passwords and to take good care of them to prevent
cybercriminals taking over online accounts which could provide an
entry point to the IT infrastructure."
Total lockdown is not necessarily the answer
With social networking behaviour firmly ingrained in many
employees' daily routines, Sophos experts predict that users will
continue to share information inappropriately, putting their
identities - and potentially the organisation they work for - at
risk. Similarly, as long as users keep falling for social media
scams, the fraudsters will continue to exploit social networks,
commandeering identities to steal information and spread more
attacks. However, banning social networking in the workplace
outright may be a rash move - one that could cause more harm than
good.
"The danger is that by completely denying staff access to their
favourite social networking site, organisations will drive their
employees to find a way round the ban - and this could potentially
open up even greater holes in corporate defences," explained
Cluley. "Let's not also forget that social networking sites can
have beneficial business purposes for some firms too, giving them
the chance to network with existing customers and potential
prospects."
"In short, social networks are here to stay so it's important
for businesses to find a practical way to work with these sites,
not against them," concluded Cluley. "By adopting a more holistic
approach - including investment in greater security and control
solutions, as well as offering comprehensive user education -
organisations will be better equipped to deal with social
networking risks."
Top five tips to combat social networking perils
In order to help business and users stay safe in the face of
social networking, Sophos has put together the following
advice:
- Educate your workforce about online risks - make sure all
employees are aware of the impact that their actions could have on
the corporate network
- Consider filtering access to certain social networking sites at
specific times - such restrictions can easily be set per user group
or per time period, for example
- Check the information that your organisation and staff share
online - if sensitive business data is being shared, evaluate the
situation and act as appropriate
- Review your Web 2.0 security settings regularly - users should
only be sharing work-related information with trusted parties
- Ensure that you have a solution in place that can proactively scan
all websites for malware, spam and phishing content
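As an added illustration of the second tip, here is how a time- and group-based restriction on social networking sites looks on a Squid forward proxy. This is example configuration written for this page, not material from the Sophos release or a Sophos product; the domain list, the lunch-break window and the 10.20.30.0/24 "marketing" subnet are assumed values.

```squid
# Added example (not from the Sophos release): restrict social
# networking sites by time of day and by user group on a Squid proxy.
# Domains, the time window and the subnet below are assumed values.

# Destinations to control; a leading dot also matches subdomains,
# and dstdomain applies to CONNECT requests, so HTTPS is covered too.
acl social_sites dstdomain .facebook.com .twitter.com .linkedin.com .myspace.com

# Lunch break, Monday to Friday. Squid day codes: S M T W H F A
# (H = Thursday, A = Saturday).
acl lunch_break time MTWHF 12:00-13:00

# A user group that needs these sites for business reasons
# (e.g. marketing), identified here by its network range.
acl marketing_group src 10.20.30.0/24

# First matching http_access line wins, so order is significant:
# marketing is allowed at all times, everyone else only at lunch,
# and any other request to these sites is denied.
http_access allow social_sites marketing_group
http_access allow social_sites lunch_break
http_access deny  social_sites

# Place these lines BEFORE the usual "http_access allow localnet"
# rule; otherwise the general allow matches first and the
# restriction never applies.
```

Because the rules are evaluated top to bottom, the deny line only takes effect if it sits above the proxy's general allow rule, and Squid's `access.log` will show each denied request as `TCP_DENIED`, which gives the help desk something concrete to point to when users ask why a site is blocked.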
* Sophos online poll, 709 respondents, February 2009.
Disclaimer: Please bear in mind that this poll is not
scientific and is provided for information purposes only. The
comments expressed on this page are those of a subsection of poll
participants, and not necessarily those of Sophos. Sophos makes no
guarantees about the accuracy of the results other than that they
reflect the choices of the users who participated. Sophos reserves
the right to edit participants' comments for the purposes of
clarity, brevity and decency. Sophos reserves the right not to
publish the comments of all participants.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.