Few companies enforce social networking security policies, says survey

According to a survey from Sophos Plc, employees are sharing too much personal information on sites like LinkedIn and MySpace. More importantly, many enterprises are not making an attempt to control the use of social networking sites.

Employees are sharing too much personal information on social networking sites, and putting their corporate infrastructure and data at risk as a result, according to an online poll conducted by antimalware security company Sophos Plc.

The company ran the survey in February and received responses from 706 system administrators.

The results showed that 63% of respondents were concerned about information being too freely shared on social networking sites, and that a quarter of the businesses represented had been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Yet, according to the survey, nearly half of the companies made no attempt to control usage of those sites, and where social networking policies and controls were in place, the prime motivation was to avoid wasting time. Only 8% blocked social networking for fear of malware, and another 8% said they blocked usage because of data leakage concerns.

Graham Cluley, senior technology consultant at Sophos, noted that LinkedIn, a business-centric social network, was the site least likely to be blocked. "For some reason, it is perceived differently and is most likely to be allowed, even though much of the information in it – such as people joining a new company – could be used for spear phishing attacks."

Cluley advised companies to monitor usage of social networking sites, and to put in some controls or policies, for instance limiting usage to break times for some workers, and giving access outside those hours only to those who need it for their work.

Proper Web filtering should also be in place to prevent users from downloading malware and falling prey to other scams such as phishing, he said.
