Warning: Social networking is a huge risk to your company.
That's the conclusion of a report released Monday from IT security company Sophos, which found that the number of firms suffering attacks through social media jumped 70 percent between 2008 and 2009. Boston-based Sophos polled 502 companies worldwide for what it's dubbed its "Social Security" survey, part of its Security Threat Report: 2010.
About 57 percent of respondents said they have received spam messages via virtual communities, a 71 percent rise from 2008.
About 36 per cent of users claimed they have received software worms, viruses or other malware through the sites, a 70 per cent leap. (Sophos counted 50,000 variants of existing viruses in 2009, almost twice as many as in 2008.)
Not surprisingly, 3 out of 4 surveyed fear that employees' everyday activity on social networking sites exposes their business to danger and makes sensitive corporate data vulnerable.
Companies often can't block social networking sites because they've become a vital part of marketing and sales strategies. Nearly half of firms allow employees unfettered access to Facebook – a 13 percent rise from 2008 – although 1 in 3 firms has blocked Facebook entirely.
Those surveyed fingered Facebook as the biggest security risk, with 60 percent naming it the top threat. MySpace took 18 percent of the vote, Twitter 17 percent, and LinkedIn, 4 percent.
Everyone knows "you'll find more bad apples in the biggest orchard," Sophos senior technology consultant Graham Cluley blogged of Facebook, whose 350 million users make it the largest online social networking site. (Facebook last month partnered with Internet security company McAfee, offering users free six-month subscriptions to its security software and ordering those who are the victims of cyberattacks to cleanse their computer with a new free tool before logging in again.) But Cluley cautioned companies to keep an eye on LinkedIn, which provides hackers with what is effectively a corporate directory.
'Targeted attacks against companies are in the news at the moment, and the more information a criminal can get about your organization's structure, the easier for them to send a poisoned attachment to precisely the person whose computer they want to break into," Cluley wrote. Thanks to LinkedIn's listings of staff names and positions, it's "child's play to reverse-engineer the email addresses of potential victims."
Sophos's figures echo those released last week from a McAfee study, which warned of the growing threat of cyberattack on critical systems. Both reports come as companies are feeling particularly vulnerable: In December's high-profile Operation Aurora, hackers targeted employees (and their social networks) from Google, Adobe Systems, and two dozen others, hunting for ways to infiltrate the companies' computer systems.
The report also put companies on notice that Koobface – the notorious worm whose name is a Facebook anagram – is evolving and becoming ever-more sophisticated. In 2009, the worm automatically could create bogus accounts complete with pictures and personal information, then befriend strangers, earning access to their details. Antivirus software maker Kaspersky Lab last year concluded that attacks on social networks were 10 times as effective at spreading malware than email, thanks to the false sense of security users feel when they see messages that appear to be from people they know.
Sophos senior security adviser Chet Wisniewski told the San Francisco Chronicle: "Social media provides criminals with an opportunity. When I get a message on Facebook from my wife and I see a link, I'm going to click it."