What are the dangers of using Facebook, other social networking sites?

Ken Munro discusses the dangers associated with allowing employees to access social networking sites such as Facebook, and explains how corporations can avoid these risks by monitoring the information placed in employee profiles and using email filters.

Should we allow our staff to use social networking sites? Some people say they are dangerous but I can't see how. Can you explain the dangers of using Facebook and other social networking sites?

There's nothing wrong with using Facebook, other than the potential impact on working time, but that's not a security matter! The issue is in how your staff configures Facebook, and what information they place on it.

A few tips to pass on to your staff on the dangers of using Facebook:

  • Don't allow anyone that isn't part of your network of 'friends' to see your profile.
  • Don't allow non-friends to see your friends. Why? I could easily impersonate one of your friends, fake a new profile, and send you an invite. You accept, thinking a genuine friend has created a new profile, then I'm in your network of friends and can see your profile.
  • Think about what information is in your profile. What would be useful in stealing your identity? Date of birth, address, email address, employer, interests. Why does this type of information need to be on your profile? Everyone who knows you is likely to know this information already! Those who don't know you don't need to know it.
  • The two main dangers of Facebook are that an identity fraudster could steal your identity, or a hacker could compromise your business by compromising one of your staff. This might be achieved by coercion (dodgy photos of work nights out?) or by using the information they disclose to set up a compromise of their laptop or PC.

One word of advice for the employer -- if you do allow Facebook access at work, block Facebook email using mail filters. At least then you don't have the problem of staff using work email addresses for Facebook. This simple step will then prevent the hacker from making the link between the user and the company they work for.
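The mail-filter step above is the one control on this page that an administrator actually implements, so here is a worked illustration of the decision a mail gateway makes. This is an added example, not code from the column or from any vendor product: it parses an inbound message, extracts the sender domain from Return-Path (falling back to From), and rejects mail from a configurable set of social-network notification domains. The domain list and the two sample messages are constructed assumptions for the demonstration; a real deployment would populate the list from what the gateway observes and would normally express the same rule in the mail server's own filter syntax.

```python
"""Minimal "block social-network notification mail" filter rule.

Added example, not part of the original column.  The blocked-domain list and
the sample messages are constructed assumptions, not values from the article.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed notification-sender domains to reject.  Populate from your own
# gateway logs; these values are illustrative assumptions.
BLOCKED_SENDER_DOMAINS = {"facebookmail.com", "facebook.com"}


def sender_domain(raw_message: bytes) -> str:
    """Return the lower-cased domain of the message's sender address.

    Return-Path (the bounce address set by the receiving MTA) is preferred
    because notification services set it consistently; the From header is
    the fallback for mail that has not yet been stamped with one.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg.get("Return-Path") or msg.get("From") or ""
    _, addr = parseaddr(str(header))
    return addr.rpartition("@")[2].lower()


def classify(raw_message: bytes) -> tuple[str, str]:
    """Decide 'reject' or 'accept' for one message, with a reason string.

    A domain matches if it equals a blocked domain or is a subdomain of one,
    so 'mail.facebookmail.com' is caught as well as 'facebookmail.com'.
    """
    dom = sender_domain(raw_message)
    for blocked in BLOCKED_SENDER_DOMAINS:
        if dom == blocked or dom.endswith("." + blocked):
            return "reject", f"social-network notification mail from {dom}"
    return "accept", ""


# Constructed sample messages (not real traffic).
FACEBOOK_NOTICE = (
    b"Return-Path: <notification+abc123@facebookmail.com>\r\n"
    b"From: Facebook <notification+abc123@facebookmail.com>\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: You have a new friend request\r\n"
    b"\r\n"
    b"Someone wants to be your friend.\r\n"
)

ORDINARY_MAIL = (
    b"From: Carol <carol@partner.example>\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: Contract draft\r\n"
    b"\r\n"
    b"Hi Alice, draft attached.\r\n"
)


if __name__ == "__main__":
    for label, raw in (("facebook notice", FACEBOOK_NOTICE),
                       ("ordinary mail", ORDINARY_MAIL)):
        action, reason = classify(raw)
        print(f"{label}: {action} {reason}".rstrip())
```

Rejecting the notification mail at the gateway removes the reason for staff to register with a work address at all, which is the point of the advice: an outsider harvesting profiles then has no email address tying a person to the company.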
