SMBs Weigh Security Risks of Facebook, Social Networking
These days, small organizations with limited marketing dollars are faced with increasing pressure to open up their doors and enable access to sites such as Facebook, Twitter and other social networking tools.
But with the increased publicity and access come untold privacy, productivity and security challenges. And while organizations in all market segments suffer, the cash-strapped, resource-bereft SMB usually gets hit the hardest when incidents arise.
A Symantec "2011 Social Media Protection Flash Poll" found that the typical organization experienced nine social media incidents — such as an employee posting confidential information on his or her profile. Of all the surveyed organizations, 94 percent suffered negative consequences, including damage to their reputation, loss of customer trust, data loss and lost revenue.
Meanwhile, social media incidents have cost the average company $4 million over the past 12 months, according to the study. While many larger organizations could swallow those costs, a price tag in the millions could be devastating to a small- or medium-size business, with the worst-case scenario that includes shuttering operations completely.
As such, social media has lately become the conversation du jour with their SMB customers, many solution providers say. And hands down privacy concerns top the list of SMB challenges. The free marketing and publicity allowed by Facebook and Twitter often networks serves to backfire when ill-informed employees slander the organization or disclose damaging information online.
"You get customers where half their staff is tweeting or putting out posts of stupid stuff during the course of the day, and someone who is a friend of a friend finds it," said Carl Mazzanti, vice president of eMazzanti Technologies, a Hoboken, N.J.-based solution provider. "Your most private conversation is now the conversation of everyone. You can't retract it—it's done."
Perhaps not surprisingly, the Symantec study found that the top three social media incidents all revolve around privacy concerns, with 46 percent experiencing employees haring too much information in public forum, 41 percent suffering loss of exposure of confidential information, and 37 percent increasing their exposure to litigation.
Those privacy issues could include anything from disparaging the company in a Facebook rant and unintentionally revealing embarrassing personal information, to deliberately disclosing confidential company information that could damage the company's reputation or arm its competition.
"For example, if someone posts ’My work sucks, I can't wait to get out of here!" on their status, other people who know that person will immediately identify that company as not a pleasant place to be," said Richard Hyde, , sales director for Whitehall, Penn.-based EZMicro. "Worse yet, they may be a mutual friend with the owner of that company—talk about raising some eyebrows on employee morale!"
Meanwhile, productivity is another challenge facing the SMB, channel partners say.
Last year, workplace inefficiencies were listed as number one, followed by malware, data loss and viruses as the four top threats caused by insecure Web 2.0 applications, according to a June 2010 Ponemon Institute study titled "Web 2.0 Security In The Workplace."
And partners maintain that productivity issues are still top of mind. While larger enterprises can sometimes overlook lost productivity costs, SMBs often feel the sting of lost work time even when one of their members fails to pull their weight, simply due to the fact that employees generally have bigger overall responsibilities and are often required to perform multiple job functions, solution providers say.
"Productivity is the main concern," Hyde said. "Too many people get sucked into the lure of always keeping up with what's going on."
In addition, SMBs that enable Facebook and Twitter for part or all of the day are opening themselves up to a maelstrom of malware and phishing attacks, delivered via Facebook, Twitter and other social networking sites.
NEXT: Social Media Malware
A January 2011 Sophos study revealed that 40 percent of surveyed users have been sent malware such a as worms via social networking sites, representing a 90 percent increased since April of 2009. Meanwhile, two-thirds (67 percent) say that they have been spammed via social networking sites and 43 percent have been on the receiving end of phishing attacks—statistics have doubled respectively over the last two years.
Chester Wisniewski, Sophos senior security advisor, said that some of the most common scams circulating on Facebook include affiliate network schemes that lead users to malicious videos and attempt to get them to divulge personal information. In addition, users are also exposed to a myriad of malicious surveys which provide the scammer a commission for every click or completed poll. And recently, a social network worm called Palevo is rapidly spreading via Facebook chat messages from friends.
"The risk of getting malware for social media sites is certainly a real concern," Wisniewski said. "If you click on the wrong video or scam, it could install a keylogger or other malicious software that could steal your banking credentials or sensitive files. If SMBs are using Facebook and Twitter as marketing tools, someone guess or stealing your password from your account could also cause a loss of reputation with your customers."
Meanwhile, solution providers say many SMBs fail to address the security and privacy concerns associated with Facebook until it's too late, often due to a lack of awareness coupled with a lack of resources.
Solution providers say that more often than not, they find that SMB customers rely on legacy security infrastructure and outdated software and hardware, without solutions such as content scanning and filtering or any kind of data loss prevention technology. The legacy systems create a false sense of security while providing inadequate protection against potential cyber threats delivered over newer Web 2.0 applications.
"Many still use consumer routers with basic firewall functionality but no content-specific blocking and have no idea that it's possible to block specific sites or apps until we talk to them," said Daniel Duffy, CEO of Fresno, Calif-based Valley Network Solutions,
"We see far too many small businesses that come to us for service that have residential grade firewall for protection — this has always been a problem," Hyde said.
As such, Facebook can be used as an easy conversation starter to expose gaping security holes in a customer's network, which can ultimately facilitate upgrades or the sale and implementation of more comprehensive security infrastructure.
Specifically, VARs say that vulnerabilities created or exacerbated by Facebook give them ample cause to introduce more efficient or SMB-focused products with a higher ROI to their customers. These solutions include more sophisticated Web and content security products, and comprehensive antimalware and application firewalls, as well as affordable data loss prevention in some cases.
Relevant products include a plethora of business endpoint security solutions that directly target small businesses, such as Symantec's SEP 12 for SMB, as well as an array of unified threat management (UTM) devices, offered by SMB-focused vendors such as SonicWall, Watchguard and Fortinet, which house multiple security functionalities in one appliance.
NEXT: Privacy Concerns And Security Protocol
The growing privacy concerns pave the way to start conversations about eDiscovery or archiving software — solutions that can easily capture and retain data for future use in the event of a lawsuit. According to the Symantec survey, litigation expenses incurred from social networking incidents cost U.S. businesses an average of $650,361, while damaged brand reputation and loss of customer trust cost an average of $638,496. According to Gartner's December 2010 "Social Media Governance: An Ounce of Prevention" study, 50 percent of all companies will have been asked to produce material for social media Web sites for eDiscovery by 2013.
In addition, a big opportunity for SMB resellers exists around education and consulting regarding responsible use of social media as well as basic security best practices. Darrel Bowman, CEO of Tacoma, Wash.-based MyNetworkCompany.com, said that as part of his consulting efforts, he places a real dollar value attached to the lost productivity up front to the customer.
"The biggest challenge by far is education," Bowman said. "Identity theft, virus infection, malware infection, security breaches and privacy issues are all things which bring challenges to companies which allow the use of Facebook, Twitter and other social networking sites. Our challenge is to keep educating our clients and use these sites responsibly. "
For solution providers serving the SMB, initial conversations around social networking start by figuring out what their customers comfort level is around social networking sites.
Mazzanti said that up until recently, customers have fallen into one of two camps — those who wanted all social networking sites blocked altogether and those that allowed their customers to access everything on the Internet.
More often, customers who began to run into security and productivity issues with Facebook and Twitter chose to cut them off entirely, Mazzanti said. However, blocking social media is becoming increasing more difficult and business prohibitive.
"It's often a knee jerk reaction to say ’Let's block social media. We can block it and we'll be happy,'" said Greg Muscarella, senior director of product management for Symantec's Information Management group.
Nowadays, he said, blocking social media is often tantamount to building a wall between the business and the rest of the world. "If you try to block social media you have to effectively block the Internet," he said. "Your average company is trying to do doesn't have the luxury of building a walls between them and their company. The time for blocking social media has passed. Now how do we enable it in a sensitive way?"
Unwilling to fight an uphill battle, more and more SMB customers are rolling back their previous hardnosed stance and enabling social media access for their employees, VARs say.
"It started off when users were blocking it 100 percent. Then they were using it in their lives and it boosted employee morale. Then they realized they were using it for things like selling homes," Mazzanti said. "It's seen more of a business enabler than it has in the past."
Mazzanti said he is working closely with customers that want to keep employees happy by allowing them to access social networking sites, but blocking components of the site, such as third party apps and chat features that have no business value and P2P file shares that could potentially compromise the security of the company.
That middle ground now allows VARS to start conversations about creating viable Internet usage policies, which can entail anything from allowing access to social media sites at certain times of the day to blocking portions of social media sites, such as time-sucking apps like Farmville. Mazzanti said he's also helped customers realize and find business enabling uses for social media — such as screening candidates prior to job interviews.
"If you allow it, maybe they'll stay and be happy at their jobs. If you disallow it, maybe they'll be looking at their cell phone during the day," Mazzanti said. "That middle ground is really where it's been getting interesting."