
To Facebook or not to Facebook?

Updated Wednesday, Feb. 4, 2009 at 10:08 a.m. EST

Threats associated with Facebook have made headlines recently, but more than half of the respondents to a recent survey said their organization does not have a policy on using the social networking site.

Sixty-one percent of 127 IT security professionals recently polled by security firm nCircle said they have not instituted a Facebook usage policy.

But because social media sites such as Facebook are so widely used, there is a high potential for employees to accidentally release intellectual property or discuss confidential company information, Andrew Storms, director of security operations for nCircle, said Tuesday.

“The bottom line is that most of the information you put in social networking sites becomes public,” Storms said. “The general guidelines should be that if you put information on a site, it's best to assume it's public. And once it's public it's almost never removed.”

Social network sites also pose other concerns to an organization, Chenxi Wang, a principal analyst at Forrester Research, said Tuesday in an email.

Facebook, for example, has many applications written by third parties and the security of these applications is often unverified, allowing them to potentially spread malware, she said.

According to the company's developer site, applications must protect users' data.

Besides the security implications, Facebook also could cost an organization productivity and bandwidth, Wang said.

Facebook, though, also provides benefits to an organization, Wang said. They could use the site to advertise, as a recruiting tool or to perform informal background checks on prospective employees.

Facebook also is useful for collaboration and group communication, without the need for a physical infrastructure, Wang said. Many companies actually are conducting business meetings on Facebook.

But companies need to have a Facebook policy in place, she added.

“You should have a policy to regulate it,” Wang said. “Depending on your business, your policy can be very restrictive to very liberal.”

She recommends a group-specific policy, meaning that certain groups, such as marketing and human relations, may have access to Facebook, but other groups might only have limited access.

Web-filtering products let companies customize who can access Facebook and when, so a group-specific policy can be enforced at the network edge rather than left to individual discretion.
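As an illustration of the kind of group-specific, time-aware rule set the article describes, the following Squid proxy ACL fragment is an added example and is not from the article, nCircle or Forrester. It assumes a hypothetical network where marketing and HR workstations sit on 10.1.20.0/24 and everyone else on 10.1.0.0/16 (both made-up subnets), and that Squid is already deployed as the outbound web proxy; any real deployment would substitute its own subnets or an authenticated group ACL.

```conf
# Added example (not from the article): Squid ACLs implementing a
# group-specific Facebook policy. Squid evaluates http_access rules in
# order and stops at the first match, so the allow rules must precede
# the deny. Subnets below are assumptions for illustration only.

# Destination match: facebook.com and all of its subdomains.
acl facebook dstdomain .facebook.com

# Source groups (assumed subnets; an authenticated group ACL such as
# external_acl_type/ldap would be used where users roam between hosts).
acl marketing_hr src 10.1.20.0/24
acl staff        src 10.1.0.0/16

# Time window: Monday-Friday 12:00-13:00 (Squid day letters: M T W H F).
acl lunch time MTWHF 12:00-13:00

# Marketing and HR get Facebook all day; other staff only over lunch;
# every other Facebook request is denied before the general allow.
http_access allow facebook marketing_hr
http_access allow facebook staff lunch
http_access deny  facebook

# Remaining web traffic for staff, default deny for everything else.
http_access allow staff
http_access deny  all
```

Because `dstdomain` inspects the requested host, HTTPS traffic is only matched when the proxy sees the CONNECT host name; a filtering product that inspects SNI or terminates TLS handles the same case but needs the corresponding policy for certificate trust on the clients.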

As far as banning Facebook altogether, both Wang and Storms feel that is too drastic a position to take.

“Cutting it off altogether will deter young workers from joining the company and discourage existing workers who may enjoy the use of Facebook at home or other organizations,” Wang said.

A Facebook spokesman said in an email that the company takes the security of its users seriously and plans to continue to invest resources in staying ahead of security threats.

“Enterprises can further limit exposure by making sure employees run up-to-date browsers with phishing blacklists and anti-virus software,” the spokesman said. “Also, the enterprise has a captive audience and an opportunity, and perhaps even an obligation, to educate employees on security best practices.”
