
Biggest Danger on Social Networks Isn't Hackers, It's Dumb Employees

Today we got one of several surveys designed to strike fear into the hearts of corporate IT managers, noting that socially oriented Web 2.0 sites are now a premier target for hackers. The report, from The Secure Enterprise 2.0 Forum, says sites such as blogs, wikis and social media sites were hacked in 21 percent of the cases reported in the first quarter.

The study, which noted that Web 2.0 is a new category, detailed the hijacking of the MacRumors Twitter account to falsely trumpet that Steve Jobs had died, as well as several celebrity email and Twitter account hacks. It’s scary stuff, but while social media may be a growing target for hackers, the biggest danger to a company still comes from the damage a few stupid employees can create while using the sites.

For example, the two 30-something Domino’s employees who made a video “prank” showing them stuffing cheese up their nose likely had a farther-reaching impact than a hacked Twitter account promoting misinformation that can later be proved false. Or what about the Comcast (s CMCSA) employee, who in 2006 showed up on YouTube after falling asleep on a customer’s couch while on hold for tech support? Or, in my personal experience, the snarky comment of a Time Warner Cable (s TWC) PR executive on Twitter that Time Warner Cable had to back away from.

So while malware, spreading disinformation, and even phishing are huge issues, the most detrimental of these are less common. The survey doesn’t break out the types of incidents within each category, but I imagine phishing happens more often in the 5 percent of hacks targeting financial sites, while disinformation and information leakage are the top hacks associated with social media. That means that instead of hackers, employers should still worry more about their employees showing up on YouTube or blasting a client (or its home city) on Twitter.

Major Categories of Attacks in Q1 2009


16 Responses to “Biggest Danger on Social Networks Isn't Hackers, It's Dumb Employees”

  1. Social media can become another platform for disgruntled employees to spread rumors about the company they work for.

    But I feel ultimately such employees do no good to their reputations as well. Who will like to trust such a guy with a job in his company? As is the norm, every good thing has a bad side to it as well and thankfully the weeds get driven out pretty quickly…


  2. Vipul Suri

    I think there is a very thin line between what should be an external communication and what should be internal. The best idea is to provide complete information about Company’s communication policies.

    Working at Adobe helped me learn about this in a significant way as the management helps their teams to learn the effective way of communication to the outside world where they are involved.

    Stopping the use of Facebook etc. will not help much considering the way we work today; it should be more sorted out at training rather than blocking employees visiting these websites.


  3. April

    The bigger question is, what should employers do about it? Social media is here to stay, and more and more people are destined to get involved in it. The only solutions hinted upon here involve blocking access….
    As a communications professional, I think employers would do well not to prohibit participation in social media by their employees. That’s just asking for trouble. Sure, go ahead and block Twitter and Facebook from employees’ computers…for all the good that will do you. It might help with that pesky “productivity loss” statistic, but unless you can control what employees do on their *own* time with their own computers and mobile devices, all you’ll do is make them more determined to have a voice. (Employees don’t take kindly to “big brother” employer techniques, and the forbidden fruit always tastes the sweetest, anyway.)
    My recommendation is make your policies clear about who can officially speak for the company and who cannot, and about what kind of information is shareable and what is proprietary. Educate workers in how to participate responsibly in social media, whether or not they intend to talk about their work. And by all means, ensure they know the consequences of failing to follow guidelines.
    One final note to employers: If your employees love coming to work, are fully aligned with and informed about the company’s goals, and engaged in the company’s culture and mission, I’d warrant the risk of harm from their forays into social media is very slim. In fact, those employees are your greatest advocates. So when your external image or brand takes a hit from a disgruntled or misinformed worker, look to thineself first–You’re not doing your job as an employer, and you have an even bigger *internal* communications problem.

  4. Rodnet – I think you nailed it. The big threat is not robotic DDOS attacks launched from the secret hacker headquarters in Bulgaria, the big threat is the clueless exec who uses his wife’s birthday or name as his password or the luckless soul who leaves roadmap.ppt or salaries.xls on a microSD card in a phone left in a taxi in Manhattan. If I put on brown overalls and got a rolling trashcan I could probably get into just about any company here in Silicon Valley and go up and down the rows in cubeland filling said trashcan with laptops, thumb drives and other stuff and nobody would say a word. Sometimes security seems like worrying about dying of some rare and exotic form of cancer when the house is on fire and a pissed off crackhead with an Uzi and a bloody machete is wanting my wallet. Cover the basics first, then worry about the corner cases.

  5. Interesting comment:
    “…while social media may be a growing target for hackers, the biggest danger to a company still comes from the damage a few stupid employees can create while using the sites.”

  6. adamjackson

    Makes total sense. I’ve personally seen situations where a hack is resolved and maybe the CEO has to make a statement how the company is beefing up security on their systems but most of the situations involve an employee who tweeted or blogged something that, to them, seemed trivial and day to day stuff.

    Soon, that blog post cost the company millions of dollars.