Security risks from social networking a big concern for businesses
by Celine Roque
It’s well known that many employees have taken their social networking addiction to their offices. While loss in productivity is the biggest concern resulting from this trend, IT departments are quickly realizing that security is also an important issue.
Sophos conducted an online poll among system administrators last February, with 709 respondents from various companies. Asked whether they thought that employees’ activity on social networking sites endangers corporate security, two-thirds (66%) of them agreed this is a serious threat. With good reason, as popular sites like Facebook, MySpace, LinkedIn and Twitter seem to be the new favorite target for hackers. A third of the respondents said they have been spammed on social networking sites, while 21% have been the victim of targeted phishing or malware attacks.
Basically, it’s the same tricks, different media. According to the report, “A typical method of attack is for hackers to compromise accounts by stealing usernames and passwords – often using phishing or spyware – and then, use this profile to send spam or malicious links to the victims’ online friends and colleagues.”
Despite the dangers, Sophos doesn’t believe in imposing total lockdowns (that is, banning all access). They argue that whatever barriers you install, employees will find a way to open up holes, compromising security all the more. Instead, Sophos recommends the following strategies:
- Educate your workforce about online risks – make sure all employees are aware of the impact that their actions could have on the corporate network
- Consider filtering access to certain social networking sites at specific times – this can be easily set by user groups or time periods for example
- Check the information that your organisation and staff share online – if sensitive business data is being shared, evaluate the situation and act as appropriate
- Review your Web 2.0 security settings regularly – users should only be sharing work-related information with trusted parties
- Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content
It’s interesting to note that in the survey, 7% of system administrators who limit access to social networking sites admitted to doing so without knowing why. Just following orders? Then that’s a glaring communications breakdown. How will employees understand and cooperate with policies when even the enforcers aren’t sure why they’re doing what they’re doing?
The full report can be accessed here.