Social-networking spam hit business hard in '09

Businesses were hit by a 70 percent rise in malware from social networking sites last year, according to a Sophos survey.

Lance Whitney Contributing Writer

A survey of 500 companies found a 70 percent jump in spam and malware attacks via social networking sites in 2009, according to a new report from security firm Sophos.

Facebook topped the list as the perceived riskiest of the major social-networking sites, followed by MySpace, Twitter, and finally LinkedIn.

(Chart: The Sophos survey included asking companies about the security risks of the top four social-networking sites. Credit: Sophos)

The Sophos report (PDF) said that more than 50 percent of the companies surveyed were spammed through a social-networking site last year and that 36 percent were hit by malware from such a site.

The danger to businesses from social-networking malware is especially high. Most of the companies surveyed expressed concern that the actions of their employees on a site like Facebook could put sensitive corporate data at risk.

It's not just the users at fault, though. Sophos laid some of the blame on the social-networking sites themselves. Many Web 2.0 sites have focused more on bumping up market share than on protecting customers, according to Sophos. And although companies like Facebook have started putting more effort into combating cyberthreats, they're also contending with a huge and growing population of users.

"The truth is that the security team at Facebook works hard to counter threats on their site--it's just that policing 350 million users can't be an easy job for anyone," Graham Cluley, senior technology consultant for Sophos, said Monday in a statement. "But there is no doubt that simple changes could make Facebook users safer. For instance, when Facebook rolled out its new recommended privacy settings late last year, it was a backwards step, encouraging many users to share their information with everybody on the Internet."

Although LinkedIn was seen as the safest of the top four social networks, it's not without its share of risk. The more "inside" information that a cybercrook can gather about a company, the more vulnerable that company becomes. And LinkedIn can be a prime source for revealing details about a business.

"Sites like LinkedIn provide hackers with what is effectively a corporate directory, listing your staff's names and positions," Cluley said. "This makes it child's play to reverse-engineer the e-mail addresses of potential victims."

Businesses have been hesitant to block social-networking sites as they've become valuable tools for keeping in touch with customers and colleagues.

Almost half of all the companies surveyed now allow employees open access to Facebook, compared with just 13 percent a year ago. The trick, Sophos said, is not to ban social networking sites but to secure and monitor them to minimize their risks.