UK organisations are getting to grips with using social media but their marketing and IT departments are still...
far from aligned, according to the Information Security Forum (ISF).
"The marketing side is relatively easy but few - if any - organisations have joined that up with their IT security concerns," said Steve Durbin, vice-president of sales and marketing at ISF.
Most organisations underestimate the time, energy and cost that goes into using social media effectively and securely, he said.
Managing a brand online through social media requires multidisciplinary skills, said Adrian Davis, principal research analyst at ISF.
"This is why some US companies are starting to appoint highly paid social media executives who are dedicated to the role and have the right skills," he said.
Social media is an extremely attractive target, especially considering one in 13 people in the world uses Facebook, which presents a huge marketing opportunity, said Davis.
Organisations are also under increasing pressure internally to use social media. Roughly one third of employees use at least one social networking site, he said.
"For this reason it is difficult to disallow or ignore. The key is enabling staff to use social media to the best advantage, but in a secure way to avoid harm to them and their organisations," said Davis.
Malware, phishing and spam on social networks all increased in the past year, with 40% of over 1,000 users polled by security firm Sophos reporting malware incidents, up 90% from 2009.
The threats of social networking include system overload, malicious code infections, disclosure of business information, legal liability, eternal attack and intimidation, but all these can be managed to mitigate the threat, he said.
Organisations can deploy appropriate technical controls, revise internet usage policies to encourage good practice and educate their users about the risks and how to avoid them, said Davis.
"The most important of these is education. If users understand how the threats work, then they know how to be safe," he said.
One of the challenges, however, is that not all IT security professionals in businesses are good communicators and educators, and this needs to be addressed, said Davis.
Individuals within organisations need to be made aware of their responsibility for data, he said, and they need to realise that, once data is in the public domain, they essentially lose all control over it, and it could be used for criminal purposes.
"Businesses need to have a grown-up conversation with their employees about social media and encourage them to think before posting, and to ask if they are in doubt," said Davis.
Supporting security awareness is one of the goals of the ISF, he said, and the organisation is working on an easy-to-follow guide to promote good cyber citizenship, that is due for publication in mid-2011.