After polling over 500 firms, Sophos reveals that 60% of those surveyed felt that Facebook was the biggest risk to their company's security. Following Facebook was MySpace (18%), Twitter (17%), then LinkedIn (4%). These numbers don't necessarily speak to the safety measures (or lack thereof) put in place by the social networks themselves, but rather highlights how much Facebook dominates our social interactions online. With 350 million users, Facebook's status as the world's largest social network has more to do with its ranking on this report than any of the security threats found on its site.

The report notes collected findings from Cisco Web appliances - popular security devices used in a number of corporations worldwide - that help to prove Facebook's popularity among business users today. Out of all website visits tracked by Cisco in 2009, 2% were to social networks. And out of that 2%, 1.35% were to Facebook alone.

The Risks

But what is it about Facebook that makes it a threat?

• Malware & Spam: While companies still cite productivity losses as a major concern (one-third block Facebook precisely for this reason), malware is increasingly considered the primary reason for blocking the site in the workplace. Since April of 2009, there has been a 70% increase in the number of companies reporting spam and malware attacks via social networking sites. Specifically, more than half reported spam via social networks and over one third reported malware. The report mentions how threats like the Koobface worm, the Mikeyy Mooney worms and others have made social network sites much more dangerous places than before.
• Employee Behavior: However, it's not just the malware and spam that makes the networks dangerous, it's how users behave when they encounter these risks. Of the firms surveyed, 72% believe that users' behavior could endanger security, up from 66% in April of last year. In other words, firms don't believe that their users are very Web-savvy, tending to fall victim to these sorts of threats and scams.
• Data Loss: Another danger of social networking sites is how users tend to over-share private information with others, not realizing how public that data may actually become. A great example of this faux pas was exhibited last summer when the wife of the UK's MI6 chief blew his cover by posting revealing details online. On a smaller scale, Facebook users may unknowingly reveal more details about a business's own private data, deals, or other insider-only knowledge than they should. Facebook's recent privacy changes only exacerbate this problem.

What Can Businesses Do?

Unfortunately for those in charge of enforcing corporate security, simply blocking Facebook and other social networks via URL is not a realistic solution anymore. The networks are often a large part of a company's marketing and sales strategies, notes Sophos, meaning they cannot be blocked outright. Instead, companies are encouraged to use a unified approach for mitigating threats that combines data monitoring, malware protection and granular access for their employees.

Although it's not noted in the Sophos report, there is no security measure in place today that can keep employees off social networks for good. Business users whose company restricts the use of these sites are nothing if not ingenious when it comes to finding a workaround. Anecdotally, we've heard reports of employees discovering that Facebook was still accessible via the mobile site or via SSL (https://) even when the main URL was blocked. Additionally, numerous employees have downloaded mobile apps on their unrestricted Blackberry handhelds or simply access the site on their personal mobile phones. And for the highly determined social networkers, there are always the Facebook proxies.

The real solution to the social networking security problem is to embrace sites instead of blocking them. Rather than being overly restrictive, companies would do better to make social networking policies a part of their corporate policy and procedure manuals, spelling out what is and is not acceptable within their organization. Left up to users, it's clear that for some, it's anything goes...and that's a danger most companies cannot afford.