As most of us know, Facebook (FB) has become the top social networking site on the Internet. With over 400 millions users, it is also one of the world's most popular sites period. As this has become one of the primary ways many employees communicate, organizations need to address Facebook policies of if/how it can be used in your organization. Even if your organization bans FB, you still need to address FB as how employees use it in their personal lives can impact your organization. The more I've been using FB, the more I've learned just how complex it is. In fact, there are blogs dedicated to how to use FB securely, such as the excellent blog Social Media Security. As such I wanted to share what I feel are the top three FB security lessons. Keep in mind, I do not cover all the risks, you could probably write a book on the topic, as I'm sure others have. However as we have discussed in the past, the key to a good security awareness program is not flooding your employees with exhaustive information, instead focus on a few topics that have the greatest return on investment (ROI) for your organization. Too many awareness programs fall victim to the common mistake of trying to teach employees everything, which means you end up teaching them nothing.
- Passwords: One of the things I was suprised to learn from a presentation by FB security at a recent conference was how passwords are being harvested. Cyber criminals are now working on the assumption that many people use the same password for multiple accounts. Harvest a single login and password and you can now access that persons Twitter, FB, Gmail and other accounts. As such, FB security is seeing a growing trend where phishing attacks target generic accounts. A common attack is a phishing email telling the victim that their personal pictures have been found on a public website. When they go to the site, it asks them to create a login and password to access it. Cyber criminals harvest this information, then automate attempts to login to common accounts, including FB. Based on research done by FB, up to 50% of the victims are using the same passwords for multiple accounts. Lesson learned here, different passwords for different accounts, even if the password is different by just one character. If nothing else, make sure the passwords employees use for their personal accounts are not the same as their work accounts. Note: Within hours of posting this blog, it appears a member of Facebook's Board of Directors fell victim to something very similar and had their FB password compromised.
- Mugged In London: Even if your employees are protecting their FB password, others may not. A common tactic criminals will use is to compromise a FB account. Once compromised, they then post on the victim's wall, pretending that the victims has been mugged in a foreign city (often London) and need money wired as soon as possible so they can get home. Since the message is coming from a trusted friend, people often fall for this social engineering attacks. What the victims do not realize is their friend is fine, in reality the account is simply under the control of someone else. Tactics like this are also often used to spread malware (i.e. instead of sending money - click on this link!). Lesson learned, if messages seem odd or strange from their friends, their friends may not be in control of that account.
- Privacy: The power of FB is how easy it is to share your information with everyone. The challenge with FB is how easy it is to share your information with everyone. FB has developed a huge selection of privacy options to control who can access what information. The problem with this is the options are confusing, personally I can't figure them all out. In addition, FB privacy policies and controls seem to be constantly changing. Lesson learned here, unless you are a FB privacy guru I recommend your policy be if you don't want your mom or boss reading it don't post it. This is especially important for private or confidential company information.
Did I miss something, do you feel there is a FB topic that is more important then what we have above? If so let us know. Next posting is on how to use FB to promote your organizations awareness program.