A recent survey found that businesses experienced a 70% increase in spam and malware attacks originating from social networks over the last year.
Over half of the 500 companies received spam via a social network, and more than one third experienced a malware infection from one of these sites.
The perception is growing among businesses that social networks pose a risk beyond employees wasting time. Yet most companies take either a blanket allow or a blanket deny approach to social networks and apply no other measures to address the larger risks these websites expose them to.
Spam and phishing are rampant on the most popular networks such as Twitter and Facebook. For all the attention paid to email security in businesses, very little is given to the messaging capabilities of social network sites. Clicking on a malicious link in a Twitter message is no different from clicking the same link delivered via email. From the spammer’s perspective, the deliverability rate of messages is much higher on social networks than it is for email.
These attacks continually come to light in the media. Twitter has notified some users that they may have been subjected to a phishing attack and has forced them to update their passwords to ensure their accounts are not misused. This reactive step is the closest thing to protection that can be achieved on an unmoderated medium like Twitter, which has no entry requirement other than a working email address and exposes a rich API that is perfect for spam automation systems. Facebook has partnered with a security vendor to offer free 6 month trials of internet security products to prevent user computers from being compromised. This places the responsibility for Facebook security on the user, and since it is an opt-in offering only, uptake will be minimal.
Other vendors are offering their own products that claim to protect against social networking risks. As point solutions these might be effective, although they currently support only one or two popular services. For businesses, the cost and administrative overhead do not scale well.
Deploying a special product to a fleet of desktops to combat a subset of the risks of being online will not be an attractive option for large environments. These organizations look for unified threat management systems that can be more easily deployed and centrally administered, and can operate at key network locations such as web proxy servers rather than at individual computers.
Security against spam, phishing and malware is just one important aspect of social networks. Another significant issue is the privacy of personal information. Facebook recently changed its privacy policy to expose all personal information as public, a reversal of its previous “private by default” stance. Employees are often not careful about what information they share on social networks, and that information can be valuable to an attacker for use in social engineering.
Professional social networks such as LinkedIn encourage the exposure of employee names and position titles as people build their network of contacts. Security experts have proposed that social networks may have played a part in the recent Google hack, as the attackers compromised the accounts of low-level employees in order to reach those who held the higher levels of access needed for a successful intrusion.
Email spam, though it constantly evolves, is a relatively well understood and manageable threat. Social networks are a relatively new threat that most businesses are only just becoming aware of. Protection strategies need to be expanded beyond the email server and firewalls in order to deal with these new threats.
February 3rd, 2010 at 10:31 pm
I would have to agree with you in part about spam links on these social network sites; however, not all links on these social sites are spam. Certainly links that take you to advertising or sales pages could be spam, while links that take you to informational blogs would not be spam. Spam is unwanted solicitation; any time you click on a link you are freely electing to visit that site. So be ready for whatever awaits you, and if you think it is spam, don’t click on that link.