This post is the last in a series of three addressing recent social media surveys. If you recall, last week we discussed the findings of a new survey conducted by TELUS and the Rotman School of Management. That survey concluded that an outright ban on social media usage increased a business’ risk for cyber intrusion by approximately 30 percent. (A New Twist on Business Security – Banning Social Media Can Increase Security Breaches?) Well, as you may know, there really is no definitive answer to the question of how much access employees should be given to social media. Case in point, another study conducted in July 2011 by Ponemon Institute, a research firm, and Websense, Inc., concluded that as a company’s social media usage increased so too did the firm’s risk for viruses and malware. Don’t these two surveys appear to conflict?
The Ponemon study, as reported in Bloomberg Law, Facebook, Twitter Increases Companies’ Security Risks, found that more than one-half of the businesses surveyed reported an increase in cyber-attacks as a result of employee’s usage of social media networks. Approximately, 25 percent of the companies experienced a 50 percent increase in attacks. What drove the results of the Ponemon and Websense survey? The global study reported that as social media usage played a larger role in a business’ practice, many organizations found themselves ill-equipped to deal with the accompanying security risks. Researchers discovered that only 35 percent of the firms worldwide had a social media usage policy in place, and of those with a policy, only 35 percent enforced it.
“A lot of the organizations still didn’t have an acceptable use policy,” said Larry Ponemon, chairman and founder of Ponemon Institute. Of those businesses with a usage policy in place, Mr. Ponemon told Bloomberg Law that “a policy that isn’t vigorously enforced isn’t meaningful.” As co-author Norah Olson Bluvshtein noted about social media training (only 27% reported conducting social media training to employees) in her post New Statistics on Social Media At Work – Who’s Using It and Is It Effective? – employers still have a long way to go on implementing appropriate and effective policies.
How did most of the attacks reported in the Ponemon study occur? The study found that the attacks were “socially engineered driven“ – Bloomberg called it the “click-trick.” What does that mean exactly? Patrick Runald, a researcher at Websense, Inc., explained that users may be enticed to click on a video pop-up, for example, “which takes you to a page off of Facebook, where they trick you into downloading something.” With the download comes cyber viruses and malware.
So, do the surveys really conflict? No, not really. The Ponemon study simply confirms that a workforce which does not understand the dangers beneath the surfaces of many legitimate social media network sites poses a great risk to the business’ IT safety. As we discussed last week (A New Twist on Business Security – Banning Social Media Can Increase Security Breaches?) a workforce educated on the importance of cyber security and adherence to legitimate social media usage policies remains the best alternative to protect a business’ IT future. Not just a companywide review of the company’s cyber security policies, but a discussion with the employees of how, why and where the security breaches occur. A demonstration of how things like the “click–trick” work in the cyber-world, and that the malicious packages are simply waiting for the uneducated worker to download its viruses or malware.
We may sound a bit like a broken record here, but we have often preached that sound social media policies, a workforce educated about the importance of cyber security, and vigilance in the appropriate use of social media will put a company’s security risks in check. I believe the two studies discussed support this important point.
What do you think? Drop a line and let us know.
Leave a comment
Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.