Sophos: The Biggest Security Risk Is You

Spam, malware, phishing and clickjacking are all high on the security agenda, but the main cause of security breaches is still human error, says Sophos’s Graham Cluley

As social networking has merged into the mainstream over the last 12 months, the question of sharing information online has become a growing cause for concern – particularly in the enterprise. Sophos’s survey reveals that reports of malware on social networks went up 14.8 percent between April and December 2009, and phishing attempts increased by nine percent during the same period.

Social Networking Fears

Despite this, however, Cluley believes that it would be short-sighted of businesses to turn off social networks. “I think social networks are here to stay,” he said. “I think rather like email and the web – no one today would cut them off and say we’re not going to use those because they’re too risky. You really need social networks to keep up with your competitors, who will be using the social networks to be closer to their customers.”

Cluley recommends that, rather than giving everyone free access, companies could restrict how long people spend on social networks, and manage what sort of information they share. People also need to be educated about the consequences of putting their details online.

“One of the ways in which they make money is sharing your information,” he said. “It’s their business model to do that, and you need to understand what they’re about before you begin to commit and put your information up on the web.”

But despite the constant warnings about the dangers of social networking, people around the world continue to expose themselves and make mistakes online. This brings Graham Cluley to his main point – that the fundamental problem is the exploitation of the person who sits between the keyboard and the chair; “the fleshy bit that keeps making mistakes”.

The Human Element

“However many operating system updates we get or patches we get for different pieces of software, humans are still going to make mistakes,” he said.

One of the common consequences of the “fleshy” problem is data loss. However, Cluley suggests that, in many cases, there are technological solutions. “I’ve heard stories before of USB sticks being lost at the disco, after falling out of people’s pockets,” he said. “If that data was encrypted it simply wouldn’t matter. Technology can also help you set a policy as to how data is moved around your network and off your network.”

But technology is not enough on its own. People also need to be educated about things like the secure disposal of old hardware and the responsible use of photocopiers and laptops. They also need to be told that, if someone asks for a particular piece of data, there is no need to hand over the whole spreadsheet with every single column, including people’s names, addresses and bank account details.

According to Cluley, this is exactly what happened a couple of years ago, when Her Majesty’s Revenue and Customs (HMRC) lost a number of CDs containing private information on thousands of people. “They hadn’t actually wanted the bank account information, the people that had requested the information, it was simply that the person who put it on CD was too lazy to wipe those columns,” he explained.
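The HMRC case above is a data-minimisation failure: the full record travelled because stripping the unwanted columns was manual work. The following is an added example, not code from the article or from Sophos, of how an export step can make the minimal version the easy one: the caller names the columns actually requested, sensitive columns are refused unless explicitly approved, and a pre-release check reports what an export still carries. The sample spreadsheet, the column names and the `SENSITIVE_COLUMNS` set are all constructed for illustration.

```python
import csv
import io

# Constructed sample spreadsheet (not real data): a full export in which every
# column, including bank details, travels with each record.
SAMPLE_CSV = """child_id,name,address,bank_account,benefit_amount
1001,Alice Example,1 Example Street,12-34-56 12345678,20.30
1002,Bob Example,2 Example Road,23-45-67 23456789,13.20
"""

# Columns that must not leave the system unless explicitly requested *and*
# approved for the specific release (assumed classification for this example).
SENSITIVE_COLUMNS = {"name", "address", "bank_account"}


def minimise_export(csv_text, requested_columns, approved_sensitive=()):
    """Return a CSV containing only the requested columns.

    - Unknown column names raise KeyError (guards against typos silently
      producing an empty or wrong export).
    - Sensitive columns are included only when they are both requested and
      listed in approved_sensitive; otherwise PermissionError is raised, so
      the default path never ships bank details by accident.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    available = set(reader.fieldnames or [])

    missing = [c for c in requested_columns if c not in available]
    if missing:
        raise KeyError(f"unknown columns requested: {missing}")

    unapproved = [
        c for c in requested_columns
        if c in SENSITIVE_COLUMNS and c not in approved_sensitive
    ]
    if unapproved:
        raise PermissionError(f"sensitive columns need approval: {unapproved}")

    out = io.StringIO()
    writer = csv.DictWriter(
        out, fieldnames=list(requested_columns),
        extrasaction="ignore", lineterminator="\n",
    )
    writer.writeheader()
    for row in reader:
        # Copy only the requested fields; everything else is dropped here,
        # rather than relying on someone to delete columns by hand later.
        writer.writerow({c: row[c] for c in requested_columns})
    return out.getvalue()


def leaked_sensitive_columns(csv_text):
    """Pre-release check: which sensitive columns does this export still carry?"""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted(SENSITIVE_COLUMNS.intersection(reader.fieldnames or []))


if __name__ == "__main__":
    # A requester who only needs payment amounts gets exactly that.
    print(minimise_export(SAMPLE_CSV, ["child_id", "benefit_amount"]))
    print("still sensitive in original:", leaked_sensitive_columns(SAMPLE_CSV))
```

The point of the `approved_sensitive` parameter is that the effortless path produces the minimal file; including names or bank details requires a deliberate, reviewable decision rather than the absence of one. Pairing this with encryption of the medium, as Cluley suggests for USB sticks, covers the case where the minimised file is lost anyway.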

The solution, therefore, is a combination of technology and education. “I don’t want us to give up on the humans,” said Cluley. “We can’t utterly rely upon them, but we can try and remain inventive about how we remind them about the importance of some of these issues.”