Block Social Media, Get Pwned
At least, that’s the conclusion of a study from Telus and Rotman. (You might need this link instead)
A report in IT security issued jointly by Telus and the Rotman School of Management surveyed 649 firms and found companies that ban employees from using social media suffer 30 percent more computer security breaches than ones that allow free use of sites like Facebook and Twitter.
Counterintuitive? Maybe, but it makes perfect sense when you consider how hooked most of us are on social media, say the study’s authors.
Rotman professor Dr. Walid Hejazi says employees banned from social networks often download software onto company computers allowing them to circumvent firewalls and access forbidden sites. Those programs let employees to tweet on the job but also create security gaps hackers are happy to exploit. (“Being hacked? Your social media policy might be to blame“, Morgan Campbell, The Star)
A quick skim indicates that this study is based on a survey of Canadian companies which received 649 responses. Parts of the study are worrisome. (For example, their classification of breaches types shows 46% had “Virus/Worms/Spyware” but only 9% had “bots,” and 20% had “phishing/pharming” while only 5% had “social engineering attacks”) However, it seems plausible that organizations know that they’re hacked, and that organizations know if they have a social media policy, so the conclusion of a correlation or even causation may be reasonable. At the same time, it may be that there’s a causative effect of security conscious organizations having both better intrusion detection activity and social media policies, or organizations that are more likely to be hacked having more social media policies. I’m going to tentatively discount those hypotheses because the Verizon DBIR tells us that most organizations don’t detect their own hacks.
I also wanted to comment that a great many companies publicise their social media policies, and it’s probably possible to re-do this study with DatalossDB data.
I haven’t read the study in any detail (really!) but since it confirms my biases I decided to blog it early. Those biases include thinking that Angela Sasse’s “personal compliance budget” idea has a lot of explanatory power. Thanks to Bob Blakely for the pointer.
My kneejerk thought on the briefest of glances is this correlation may be related to organization type and size. For instance, most of the breaches in what data I can see appear to be against public (arguably bigger) and government (arguably stringent) orgs. I would imagine those same orgs are more targeted, have a larger attack surface, and also have the more rigid social media policies. Those larger orgs probably also will know they’ve been hacked.
I imagine smaller orgs are more lenient with social media.
Just a really quick gut kneejerk.