How Facebook mucks up office life

Managing a workforce is already a challenging job; now Facebook and other social networks raise a host of sticky new situations.

The researchers haven't updated those earlier findings, but Evans says he suspects the results would be pretty similar. "If anything, the applications are getting more complex," he says. "And there is also an emerging model for third-party advertising networks embedded in applications, which has further privacy risks."

Facebook's policy does require application developers to delete user information after 24 hours, and, according to a Facebook spokesperson, the company has an enforcement staff to monitor compliance. Nevertheless, such wholesale acquisition of information illustrates the problem of retaining any kind of control over content you or your employees post.

And then there's the issue of how Facebook itself retains information posted by its users. The company stirred up a firestorm earlier this year when it made a change to its Terms of Service that gave the site ownership of all posted information, even after users had deleted their accounts. The immediate negative reaction forced Facebook to retract the policy and craft a new Terms of Service agreement, but again, it illustrates how volatile the data-ownership issue continues to be.

Security threats still apply

Part of the appeal of Facebook is that it offers an alternative to regular e-mail and its spam, scam, and phishing issues. If you get a message on Facebook, theoretically it's from someone you know, or at least a friend of someone you know. But that's changing, as scammers and malware distributors figure out how to adapt Facebook for their own ends.

One growing problem is with people pretending to be someone they're not. In January, for example, Silicon Alley Insider documented the efforts of a Nigerian scammer to convince a Facebook user to send money to him by posing as one of the victim's friends, whose Facebook account the scammer had managed to gain access to.

Similar approaches can be made without having to actually take over someone's account. A scammer could join a network or a group, for example, and start sending messages to everyone in the group. Since users are less suspicious of messages they receive on Facebook than they might be of an e-mail -- especially if the person on Facebook is part of their network -- they may be less guarded with their information.

Research by Sophos discovered that 41 percent of Facebook users "will divulge personal information -- such as e-mail address, date of birth and phone number -- to a complete stranger."

Even if such slips don't directly reveal information about a company, they can be useful in constructing a social engineering attack. The more bits and pieces of personal data about you and your staff a malefactor can acquire, the easier it would be for him to worm valuable company information out of them as well.

There have even been instances of Facebook being used as a way of distributing malware, says Argast. E-mails sent to Facebook groups or networks from apparent acquaintances have contained links to malware sites.

And last August, Sophos posted a warning about a message being left on Facebook users' walls urging them to watch a particular video. Clicking on the link took users to an outside Web page that urged them to download an executable to watch the movie. The executable turned out to be the Troj/Dloadr-BPL Trojan horse.

Should you ban Facebook from the office?

Many managers, faced with possible situations like these, might just throw up their hands and issue an edict: "No Facebook!" At least not in the office.

But the solution, Selvas says, isn't for employers to simply forbid employees from participating in social media; rather, they should educate workers not only as to what the dangers are, but on how to use the tools available on Facebook to control the propagation of information as much as possible.

He compares the situation with Facebook to the early days of e-mail. Remember when people would hit Reply All and then make a sarcastic comment about the boss's message? It took a while for people to develop proper e-mail etiquette, and similarly it will take a while for people to learn to navigate the perils on Facebook, Selvas says. Education can go a long way toward making that happen. (See Social networks meet corporate policy, below, for some companies' internal guidelines.)

Bottom line? Facebook doesn't call for new principles, Selvas says, just smart application of the old ones. And the constant reminder that you and your employees are in public when you're on Facebook. As Selvas sums up, "Don't do anything on Facebook you wouldn't do in an airport."

San Francisco-based Jake Widman is a frequent contributor to Computerworld.

Copyright © 2009 IDG Communications, Inc.
