
Social Networking Sites Can Pose Variety of Risks
Tuesday, 10 November 2009 10:15

There are currently more than 160 social networking sites, including Windows Live Spaces, Bebo and Plaxo. Today, users are not only individuals, but also organizations, which presents a variety of risks.

Recently two Massachusetts towns suffered financial losses resulting from the use of social networking sites on municipal computers.

In one case, an infection called Worm.KoobFace penetrated a municipal network by tricking a Facebook user, who was accessing a personal Facebook page at work, into downloading a fake Adobe Systems Flash update. The fake update was actually a “worm,” which spreads by hijacking browser cookies associated with several social networking sites. The worm can use hijacked cookies to log into the compromised user’s accounts and send phony messages. It can also download other viruses and malware onto the user’s computer and steal other user passwords. This worm has been reported to steal social security and credit card numbers as well as banking passwords.

In this case, forensic investigations of the affected computer revealed a great deal of questionable personal activity. Multiple past and current threats were identified, one of which was transmitted via Facebook and targeted banking passwords. Computer security programs were compromised through a Trojan horse called Trojan.Vundo, which disabled critical elements of the computer’s firewall and security center.

The Federal Deposit Insurance Corporation recently released an alert to its members warning of the significant increase in fraudulent fund transfers. In the alert, it was noted that Trojan horse programs and other malware are being used to compromise account login information and circumvent online authentication methods.

Worms, viruses, and other malware penetrate the Internet on a daily basis, and their authors are becoming increasingly crafty in the use of social networking sites to steal information, identities and funds. But the theft of funds is not the only risk organizations face regarding the use of networking sites. Productivity, physical security, and reputations are at stake as well.

Productivity concerns

Internet addiction is growing in the United States, and many employees are accessing social networking sites via work computers and handheld devices while on the clock.

According to a recent Gallup poll, the average employee spends more than 75 minutes per workday using the Internet for personal purposes. As a result, the estimated annual cost to employers is more than $6,000 per employee.

A 2009 ethics and workplace survey conducted by Deloitte LLP, a worldwide business consulting firm, found that 21 percent of employees use social networking sites while at work.

Physical security should also concern employers, as Internet relationships can sometimes pose a risk to the safety of employees. Recently, a community college in northern California had to hire additional security personnel because a group of Facebook friends at the college decided to “unfriend” a colleague, which resulted in threats of physical harm.

Social networking sites are often used to comment negatively on internal workplace matters, which poses a reputation risk to employers.

In the Deloitte survey, 74 percent of employees responded that it would be easy to damage their employer’s reputation online. Twenty-seven percent said they do not consider the ethical consequences of posting comments, photos, and videos online. More than a third of the respondents admitted that they do not consider what their employers, colleagues, or clients think of their posted online content. Fifteen percent said that they would comment online if their employer did something that they disagreed with. This should be a concern for any employer.

Employment-related risks are also a growing concern. Many users of social networking sites are concerned that employers are visiting their accounts to access personal information to be used in the hiring process. This can lead to costly discrimination claims.

Mitigating risk

Many of these risks could be avoided by prohibiting the use of social networking sites at work. Unfortunately, 72 percent of the executives surveyed stated that their organization does not have a policy regulating the use of these sites by employees while at work. A slightly higher percentage of executives reported that their organization does not monitor the Internet activities of employees.

This is compounded by the fact that the majority of employees surveyed said that even if employers are monitoring their social network profiles or activities, they won’t change what they are doing online. They know it’s not private and have already made adjustments to their profiles.

To reduce risks posed by social networking activity, employers must develop comprehensive policies regarding the personal, professional and organizational uses of social networking sites. Policies alone, however, will not prevent potential losses.

Monitoring and blocking specific Internet activity is effective, but only when proper disciplinary procedures are in place.

Security updates are critical. Municipal computers should contain the most up-to-date protection from viruses and other malware. One effective strategy for reducing virus and malware infections is to require that all program updates on workplace computers be authenticated and performed only by authorized personnel. In other words, employees should be barred from performing Flash updates and other software downloads themselves, since an update that is not legitimate could result in an infection.

The explosion in the use of social networking sites cannot be ignored, and recent events should serve as a reminder that a great deal is at stake when these sites are used by employees.

If municipalities choose to create an online municipal profile, great care should be taken to ensure controls are in place to guard against misuse and abuse. Understanding the risks is key to avoiding becoming the victim of a preventable loss.

Robert Marinelli is the MIIA Member Services Risk Control Manager.

 
