If you are reading this blog, you should also peruse Jim Duffy's blog on the Network World site about the security behavior of young adults. Jim highlights a Cisco research study that reveals the callous indifference young people have for workplace IT and security policies.
When I read Jim's blog, I had to jump in with some ESG Research supporting the Cisco research. In a recent research survey of 244 security professionals working at U.S.-based enterprise organizations (i.e., more than 1,000 employees), ESG asked security folks whether they agreed with the following statement: "I believe that employee access to social networking sites (e.g., Facebook, Twitter, etc.) increases the likelihood of an APT or other type of sophisticated attack." Twenty-five percent of security professionals surveyed "strongly agree" while 53% "agree." I don't have to mention which segment of the population is most active on social networks.
In many cases, security professionals are doing something about this risk - 59% of organizations restrict access to specific components of social networking sites (e.g., games, file sharing, video uploading, etc.) while 50% completely block social networking site access for employees. Industry revenue supports this data as application controls from vendors like Check Point, Juniper, and Palo Alto Networks are selling like hot cakes.
So security professionals recognize a risk and, to their credit, they are implementing security controls to fill this hole. Unfortunately, this isn't enough. As the Cisco research (and Jim Duffy's blog) indicates, young workers feel a sense of cyber entitlement so they are willing to violate organizational policies or circumvent controls in order to get their social networking fix.
There are a few fundamental problems here:
Like it or not, we need broader education, defined policies, real enforcement and accountability. Security and business professionals should assume that young employees are going to violate security policies regularly so we need to counter this behavior with strong controls and zero tolerance.
Studies have proven that new drivers are far more likely to get into automobile accidents than experienced drivers, so there are specific policies (i.e., graduated driver's licenses) and controls (i.e., high insurance rates) to address these risks. We need to recognize the same types of risks around the on-line behavior of young adults and address them in a similar manner.
You can read Jon's other blog entries at Insecure About Security.