17th September 2007
A great deal has been made of Facebook in the press of late, particularly around security of data and protection of brands. Here, Mark Dye , FSN's contributing editor, explores the dangers of social networking to business.

Facebook. You either love it or loathe it. And unless you've been hiding under a rock for the past few months you can't fail to have noticed the headlines it has been grabbing. Social networks are in fashion, meaning we're spending more and more of our working day online than ever before. Indeed, so strong is the phenomenon that I can only think of one person I know who has actually bucked this growing trend and deleted his Facebook account within the first three months.

"It's all a bit much," he said, "everyone knowing your business and every move you make."

I kind of admire him for doing this, but could it be that he's cutting himself off from a useful business tool here? I mean, the rest of us are hooked, so what harm can it be? We'll get to that later.

Now, there's a school of thought that these sites are good for business and developing relationships further. In some quarters companies are embracing them, and Facebook in particular, citing the fact that connections can be leveraged quite differently to existing sites such as LinkedIn.

The Facebook platform is undeniably addictive and clever use of feeds means users can keep up-to-date with 'friends' and associates wherever they are. Last month it had more than 30 million users and it's difficult to remember any site having broken down so many boundaries being between business and pleasure in an online scenario and perhaps this is where the real danger lies.

Even so, in some financial institutions, and certainly most banks, social networking sites are already banned. The same goes for web-based email. One employee of a boutique investment manager I spoke to referred to there never even having been a debate as to the dangers of such sites in the workplace – a ban takes care of that.

"Without doubt, a Swiss bank and the culture of client confidentiality makes it a firm no go," he said.

And he has a point. You can't really have a portfolio manager instructing his broker via hotmail to short a stock that he is about to sell a load of in a client portfolio can you?

"It's all about security of information and conflicts of interest," he adds. "There is an IM [instant messenger] function on Bloomberg though, which is used extensively. Indeed, Bloomy is a great social networking tool on that basis - it's easy to track people down if you know they use it."

Not all financial institutions and large businesses feel the same or adhere to such stringent procedures though. In fact, many are keen to promote dialogue between employees and contacts through sites like Facebook – take PR companies for instance. Donal Casey, security consultant at Morse, the business and technology consultancy, believes sites like Facebook can represent great personal and business opportunities, but says a balance needs to be struck in the way they are approached, offering education where necessary.

"Essentially businesses need to update their Internet usage policies to cover social networking sites, providing guidance to employees on the kind of information that can be shared safely, and what represents a threat," he adds. "Employees need to be aware of the audience that will have access to their posts and ensure they do not post anything they do not want clients, prospects or the wider business audience to see."

At a very base level, says, Tim Renshaw, VP, evangelism and field applications, TriCipher, the exposure isn't just between business and pleasure, but providing a robust set of details from across your life's surface area. "People complain and worry about what Google or other search engines may have about our lives," he says, "but no one seems to worry about what amount of direct personal data they are freely aggregating at social networking and related sites."

Fraud is one area where businesses are concerned. Detica, for one warns of 'determined criminals' who are assembling 'jigsaw pieces' of information on the net to penetrate corporate defences. It's easy to see why when you think of people disclosing job titles, email addresses and phone numbers on profiles and joining groups associated with their employer where commercially sensitive information and opinion may be exchanged. For instance, it's possible to type a company's name into the Facebook search engine and acquire an extensive list of employees and, in many cases, a full insight into their private and professional lives.

"Even the most innocuous information about a business — people and the departments they work for, day-to-day processes, jargon and codes — can be valuable stepping stones for persistent criminals who want to infiltrate corporate security by trickery and subterfuge," says David Porter, head of security and risk at Detica.

The point here is that we all need to be careful what we put online both in terms of what it says about us and the culture in which we work. After all, protecting the brand and corporate identity are two of the most important areas to businesses the world over today. Any potential damage to reputation as a result of such incidents can end up costing more than just a job.

Indeed, there have been several instances in the press where disgruntled employees have made comments about employers and their working environment, only to fall foul of these pretty quickly. It really is surprising just how many of us still leave the doors open to fraudsters and potentially embarrassing situations that could be easily solved by quickly adjusting a security setting or two.

Detica says it has even learned of cases where fraudsters trawl social networking sites for disgruntled employees in an effort to bribe or coerce them into giving out corporate information. One of the problems, according to Ri Pierce-Grove, an analyst at Datamonitor, is that social networks feel private, often lulling people into a false sense of security. "But, as people's private conversations collide with their public identities, there have been some shocks," she says.

These include students discovering that parents can log in to find out what they've been up to, while employees are finding that their bosses can, too. "Whenever you commit your thoughts to record, you run the risk that they will spread beyond your imagined, or intended, audience," she says.

Pierce-Grove suspects we haven't seen the last of these highly publicised mishaps as people learn to navigate through these new ways of self-presentation. After all, reconciling personal and professional identities in the same profile can be something of a challenge.

"People find both jobs and dates through social networks, but you don't write a resume the way you do a personal ad,' explains Pierce-Grove. "Some people choose to keep their personal and professional contacts quarantined in separate social networks, feeling that managing both sets of relationships through a single profile is unnecessarily difficult," she says. "For others, professional and personal identities can merge comfortably. Again, this is an area in which people are still building up a code of manners, or of best practices."

Common sense dictates that businesses should shy away from encouraging business level interactions on sites without real security practices and access controls even if social networks are becoming increasingly important to the way business is conducted as Pierce-Grove points out. Renshaw goes as far as suggesting that using such sites for business verges on stupidity. "Without proper identity mechanics for end-users, the environment is completely untrustworthy for anything beyond personal recreation and entertainment, in my opinion, from either a security or reliability standpoint," he says.

Wherever you stand on this as a company, social networks are here to stay and as Bob Ivins, executive vice president of international markets, Comscore, says, "It would appear that social networking is not a fad, but rather an activity that is being woven into the very fabric of the global Internet."

And while businesses are improving the ways in which they tackle online fraud, employees need to be aware of leaving vast 'paper trails' on the Internet.

"The bottom line is, you can't shred information in cyberspace," adds Porter.

"We aren't saying that individuals and businesses should stop engaging with social networking sites, but they must be extremely cautious, update their security policies and use the privacy controls available," he says. "Many people reveal things about themselves and their jobs to the entire world that they would not dream of sharing with a stranger in the pub. Remember, your virtual life has real-life implications too."