For companies and its employees, social media allows new ways to communicate with customers and colleagues. Vast amounts of information are being exchanged in social media. Information is a highly valuable asset, and therefore questions concerning information security become increasingly important. Companies are becoming increasingly worried about information security in social media, but so far, this issue has not been studied. The present research closes this gap by studying the information security challenges social media represents for organizations. The research was conducted as a qualitative case study; eleven information security managers have been interviewed. The study has three main findings. First, challenges arising from employees actions or unawareness in social media (especially reputation damage) seem to represent bigger threats to information security than threats caused by outside attacks. Second, the confusion of private and professional roles in social media represents an information security risk, and distinguishing between these roles becomes more difficult the higher an employee's position in the company. Third, communication with employees and colleagues represents an information security challenge especially when communication is not steered by the company. Implications for research and practice are discussed.