My friend was likely the victim of some kind of Facebook hijacking, where his account was used for goodness knows what. He felt (and was) helpless to respond, which is terrible at the personal level. But it got me thinking about the businesses that are on Facebook. Organizations are increasingly relying on Facebook as a communications and promotions vehicle. Indeed, many companies' Facebook pages are as sophisticated, if not more so, than their own websites. Companies are pumping more and more time and money into a platform over which they have little control. Of course, with the growing use of cloud-based applications, a dearth of autonomy is nothing new, but Facebook brings with it some unique circumstances in terms of how it's being used by companies and what recourse (if any) they have should something go wrong.
What's a company to do?
I spoke with Andre Eaddy, director of cybersecurity portfolio services at Unisys, who said that companies need to realize that Facebook was built originally for personal use and acknowledge that the kinds of service level agreements (SLAs) and security we take for granted in most of the apps used in the enterprise are lacking with Facebook and other public social networking platforms. "There is always risk in operating on public Internet sites that you don't command complete control of, and that's really what you're doing when you're working with social media sites," Eaddy said. "It's incumbent on organizations to evaluate the impact social media will have on their overall risk profile."
Eaddy provided some tips for companies looking to tighten the controls they do have.
1. Develop acceptable use policies around social networking on both personal and business Facebook pages, and communicate them on a regular and ongoing basis. "This is important because it gives the company an opportunity to lay the foundation and groundwork for how they want their staff to interact with these sites, and also provides guidelines for the staff and gives them an opportunity to present what's acceptable to communicate on the site," said Eaddy.
2. Educate users. As with communicating acceptable use policies, employee education should be a regular and ongoing function. Getting social-network security settings just right is challenging, and Facebook is notorious for making changes that affect those settings without much, if any, warning. Users should be educated on the security and privacy settings that should be in place now, but they also need to know that settings can be overridden if Facebook makes a change on its end. Social networking security and privacy settings aren't a set-it-and-forget-it matter, and they aren't entirely within the purview of the company IT department. "There is a certain level of responsibility on the part of end users," said Eaddy.
3. Take action quickly if there is a compromise. Any time a company believes its presence has been compromised, the first thing it should do is take steps to mitigate the damage, said Eaddy. "With Facebook, for example, you want to reach out to that organization immediately and tell their security department that there's a problem. The organization can then take steps to secure the site, whether that's bringing it down or securing passwords so that you can begin to take control of the site again."
4. Don't share passwords, or, if you do, be careful when you share passwords. Sharing passwords is a security no-no akin to the apocryphal password written on a Post-It note stuck to the monitor. With that said, Facebook does not currently allow the use of multiple profiles (with separate credentials) on a page, so companies that have several people monitoring and posting to a single site often use a single set of credentials. If that is the case, use of the credentials should be limited. Companies should also change the password if an employee with access leaves the company. To get around this problem, companies can also make use of third-party applications such as HootSuite that enable companies to have multiple contributors to social profiles without sharing passwords.
5. Insist that people go against their nature--sometimes. You're a global company. Someone posts on your wall, "Hey, Company X. Attached is a great article about your presence in Japan." What PR or marketing professional wouldn't be tempted to open the attachment? Don't, says Eaddy. "Make sure people understand what constitutes risky behavior," he said. "Everything from links forwarded to you by 'friends,' attachments that they might send, specific activities that they might suggest you engage in. ... That's risky behavior on Facebook."
How are you securing your company's presence on Facebook? What does Facebook lack that you wish it had? Please share your insight below or write me at firstname.lastname@example.org.