Within the past year Osterman Research completed a major study on the costs and benefits of social media, co-sponsored by Commvault and McAfee (2011, June). They recognized the importance of the media for some organizations given the “sheer numbers” of people engaging in the various platforms, and the opportunities for channel build-out, market visibility, and enhanced market value from such engagement. They also pointed out the increased potential for injection of malware into corporate systems via social media channels and encouraged companies to specify explicit policies for employees on whether or not employees are authorized to engage in social networking under the auspices of the corporate umbrella.
With respect to the “sheer numbers” they note that:
- Facebook had 687.1 million users in June, 2011;
- Linked-in had 70.2 million unique visitors worldwide in March 2011;
- Twitter had 175 million accounts by February, 2011.
Carol Huang (2011, June 6) has argued that, because news media are using these platforms effectively they have become an important source of real-time international news both for major news networks, and for specialized news feeds. In some circumstances, especially during the various uprisings in the Arab world, the social media feeds have been one of the only ways to obtain real-time information on what has been happening on the ground.
But, as Osterman Research argues, with social media usage comes very specialized threat vectors. For example, the Koobface Worm targeted Facebook, Twitter and MySpace and was used to recruit unprotected MS OS computers to a peer-to-peer botnet. A similar threat for the Mac OS was the Boonana Worm, first reported in October 2010. Bugat was a ZeuS-like piece of malware that “delivered a large-scale phishing attack against Linked-In (2011, June, p. 3).
A number of different vulnerabilities in the bring-your-own-device (BYOD) enterprise network are introduced through these social media platforms. Importantly, entire networks can be compromised by worm-like malware that is introduced on a single end-point in the network. There are also other risks to intellectual property protection and/or risks to the release of confidential or sensitive information that come from industrial espionage-type malware like, for example, Flame.
Impacts to data integrity can be significant; especially if the malware variant corrupts data or applications on the infected network.
To counter this threat, some companies are identifying specific personnel within public relations or marketing channels to manage this outreach. The more security conscious firms are placing the outreach personnel’s’ computers in a de-militarized zone (DMZ) to avoid network infection if social media outreach personnel do come under attack.
Other firms that deal with especially confidential or sensitive data are prohibiting it entirely.
Still, some firms, especially those classified as small and medium enterprises (SMEs) have no explicit policy. These firms are especially vulnerable to malware infection events and/or subject to mixed messages being disseminated into the public domain. Some of these messages may not conform to corporate branding objectives and are potential to reputation damage as a result.
What does your company do?
References
Huang, C. (2011, June 6). Facebook and Twitter key to Arab Spring uprisings: report, The National. Retrieved from http://www.thenational.ae/news/uae-news/facebook-and-twitter-key-to-arab-spring-uprisings-report
Osterman Research. (2011, June). The risks of social media and what can be done to manage them. Black Diamond, WA: Commvault & McAfee.
