December 17, 2010

2011 Predictions: Social Media – A Business Enabler and Vector for Data Loss and Search Poisoning

Patrik Runald

Everyone is talking about social media in the workplace. Organizations are adopting it at a rapid pace, looking to take advantage of the huge benefits social media offers. McKinsey recently released a study illustrating the adoption and benefits of social media. ReadWriteWeb just posted the 10 Ways Social Media Will Change in 2011, a good look at the advantages of communicating over the social Web. However, there is one area that both of these pieces miss entirely and that is, in fact, one of the biggest challenges CISOs and CSOs are facing in 2011: the security of social media.

Here’s what we know: Attacks using social media are already prevalent and will increase in 2011. Cyber criminals will continue to enjoy the social media playground. 

Our own statistics show that 13 percent of all Web traffic is going to Facebook, and this number continues to increase as more and more businesses use social media as a means for marketing, recruiting and even training. Without the proper security measures and policies in place, the social Web can quickly turn from a gold-mine opportunity to a serious data risk.

Why? Because businesses today are four times more likely to experience a data breach over the Web than over email. For example, employees will inadvertently post confidential corporate data to social networking sites or click on an infected link, compromising an entire system. On the flip side, cyber criminals are taking advantage of user-generated content on social media sites. For example, in 2011 we’ll see cyber criminals:

  • Manipulate social media search algorithms to trick users into visiting fake brand and celebrity pages and increase exposure to malware. While these algorithms are harder to manipulate than those of traditional search sites, as social networks become an increasingly large destination portal for all things, we believe that this manipulation is likely in the coming year. Yes, SEO poisoning will move to the social Web.
  • Steal users’ social network credentials. If you think of the social Web as an increasingly relevant portal for all information, these credentials become more valuable. While it is a broad user issue, it will become increasingly targeted. It’s very reasonable to anticipate that the bad guys will look to selectively steal the social media credentials of high-profile users to push their links and drive followers and fans to traps on the Web.
  • Send Web spam directly to social network users. We’ve already seen this to a certain degree and can only expect it to increase in the coming year.
  • Post Web spam as comments or responses on users’ profiles and blogs. Comment spam is likely to stay at the same amazingly high level, but more of the spam will be used to send malicious links.
  • Capitalize on the reputation of social networks to host malicious user-generated content. You choose who you friend and follow, so an inherent degree of trust is placed in their content. This is the ultimate goal for the bad guys: exploiting the “trust factor” on the social Web to manipulate users into clicking.

In today’s world, turning off access to Facebook and Twitter is simply disruptive to a business. You can no longer ignore the enormous value that the social Web brings to the enterprise. Those that do will run the risk of being perceived as an industry laggard or, worse, losing a critical segment of an emerging market. At the same time, we simply cannot turn a blind eye to the growing security risks associated with this dynamic Web platform. In order to embrace social media, businesses need to find a way to employ three key aspects of effective enterprise social networking: safety, productivity and compliance. Stay tuned for further Insight on this topic from one of my colleagues at Websense. In the interim, we’ll be posting a few more predictions for 2011. If you’d like to read up on our recap of 2010, please visit www.websense.com/content/threat-report-2010-introduction.aspx
