Should we allow our staff to use social networking sites? Some people say they are dangerous but I can't see how. Can you explain the dangers of using Facebook and other social networking sites?
There's nothing wrong with using Facebook, other than the potential impact on working time, but that's not a security matter! The issue is in how your staff configures Facebook, and what information they place on it.
A few tips to pass on to your staff on the dangers of using Facebook:
- Don't allow anyone that isn't part of your network of 'friends' to see your profile.
- Don't allow non-friends to see your friends. Why? I could easily impersonate one of your friends, fake a new profile, and send you an invite. You accept, thinking a genuine friend has created a new profile, then I'm in your network of friends and can see your profile.
- Think about what information is in your profile. What would be useful in stealing your identity? Date of birth, address, email address, employer, interests. why does this type of information need to be on your profile? Everyone that knows you is likely to know this information already! Those who don't know you don't need to know it.
- The two main dangers of Facebook are that an identity fraudster could steal your identity, or a hacker could compromise your business by compromising one of your staff. This might be achieved by coercion (dodgy photos of work nights out?) or by using the information they disclose to set up a compromise of their laptop or PC.
One word of advice for the employer -- if you do allow Facebook access at work, block Facebook email using mail filters. At least then you don't have the problem of staff using work email addresses for Facebook. This simple step will then prevent the hacker from making the link between the user and the company they work for.
Related Q&A from Ken Munro
Ken Munro reviews how to secure USB flash drives in the enterprise. Continue Reading
Expert Ken Munro explains why the iPhone's lack of encryption features has kept it from being a reliable enterprise device -- for now. Continue Reading
Even though employees are told over and over again to not give out their user names and passwords, it doesn't always work. Expert Ken Munro explains... Continue Reading