At a time when many banks are finally easing up their social media policies for employees, at least one security firm is warning that the social media profiles of bank staffers are providing valuable information to those seeking to do banks harm.

Bank websites are well-protected from attempts to break in and compromise accounts, but it is more difficult to protect the universe of sites that surround them, not to mention the computers of users and vendors that have access to them. A critical and often overlooked area that can make a bank vulnerable is employees’ social media pages, Joram Borenstein, VP of marketing with financial crime, risk & compliance company NICE Actimize told Bank Innovation.

“There are a lot of different soft underbellies for midsize to large institutions,” Borenstein said. “Employees themselves are being targeted, and it’s not unusual for an FI to have 10,000 employees, let alone 50 or 100.”

The social media profiles of employees — from cafeteria workers to corner-office executives — are largely public and can offer valuable information to hackers.

“Social media leads to knowledge about employees’ access to sensitive networks, and even who their friends are,” Borenstein said.

It’s often easier to go after an employee than to try and overcome a firewall, Borenstein said. “Who at Bank XYZ has access to sensitive information? Using social media, you know what events they attended, what attachment might they be likely to click on?”

Rather than breaking into an employee’s account, Borenstein said, “Perhaps it’s easier to build an infected website. There are multiple ways of tricking people into reading emails, visiting a site, and infecting their machine. Links in social media, too, can mask an infected website.”

A criminal can build up his knowledge about, say, a bank executive, dummy up an email with information he thinks is likely to interest the individual into clicking a link, and once he does, it’s game over. When the user visits an infected website, a so-called drive-by download can take place invisibly in the background. The computer is infected and the user probably doesn’t know it.

Additionally, many users access social media on mobile devices. (More than half of Facebook’s traffic is now said to come from mobile.) This brings its own set of challenges. “Mobile security is in its infancy. How mobile devices may be compromised is poorly known.”

Concern over the security of social media reared its head at a recent credit union conference, where one executive said, “We were on the cusp of relaxing staff access to social media sites before the conference. Now, if anything, we’ll be tightening down access to social media sites.”

Tightening access is one strategy to minimize risk. Or companies can simply “not let employees have their own social media pages,” as one attorney in the space recommended recently. (Limiting employees’s speech on social media can itself be a tricky legal matter.)

Borenstein recommends a more gradual approach. “You have to embrace the problem in a responsible way.” He said. “You need to conduct training,” and this training should involve your risk people as well as your information security people. Banks seem to have only recently reached a place of comfort regarding social media.

Strategies for engaging customers have matured, regulations are emerging to define the space, and products are being created to manage social media channels in a regulated environment. But banks’ official social media profiles are not the problem. It’s easy enough to forbid rank and file employees from spending time on Facebook during work hours, but what about executives? And what about when employees go home? Can they really be forbidden from creating social media accounts that might keep them in closer touch with children and grandchildren? And what about sites liked LinkedIn, which employees may have been encouraged to join and fill out profiles on at one time?

With so much information freely flowing around the internet, how can banks plug all the holes? “You can put your finger in the dyke only for a certain amount of time, “Borenstein said. It seems banks’ risk and security teams have some work ahead of them — what else is new?