Study: Social-media use puts companies at risk

Companies that allow employees to use social networks face a range of risks, including malware, lack of control, and brand hijacking, according to a new study from ISACA.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

Employees who dabble in social networking both on and off the job could expose their companies to a variety of risks, according to a study released Monday by the ISACA.

Malware, brand hijacking, lack of content control, noncompliance with rules over recordkeeping, and unrealistic expectations of Internet performance were the top five social-media risks to businesses identified by the ISACA in its study "Social Media: Business Benefits With Security, Governance and Assurance Perspectives" (PDF).

A global organization focused on the security of information systems, the ISACA found that since access to sites like Facebook and Twitter doesn't require any special hardware or software, employees can easily bypass the security guidelines and safeguards set up by the IT, human resources, and legal departments. But that ease of use combined with a lack of awareness on the part of the employees can open the door to various threats.

The study discovered that specific behaviors on the part of employees often lead to different risks. Using personal accounts to convey work-related information can hurt a company's reputation, while spending too much time with social networks on the job can create a lack of productivity.

Though businesses may be tempted to turn off the tap on social networks, the ISACA feels that such sites do serve a valuable marketing function. Toward that end, the group believes companies should focus their efforts on educating employees on the proper use and expectations of accessing networks like Facebook and Twitter.

"Historically, organizations tried to control risk by denying access to cyberspace, but that won't work with social media," Robert Stroud, international vice president of ISACA, said in a statement. "Companies should embrace it, not block it. But they also need to empower their employees with knowledge to implement sound social media governance."

Toward that end, the ISACA suggests that companies develop policies and set up training sessions to educate their workers about the use of social media. Such policies and sessions should cover the personal use of social networks on the job, the personal use outside the workplace, and overall business use.

Formerly known as the Information Systems Audit and Control Association, the ISACA provides businesses with research, certifications, and other resources on information systems assurance and security. The organization focuses on IT issues related to risk management, IT auditing, and and regulatory compliance. The study on social media was designed as an educational resource for IT professionals who work in security, governance, and assurance.