Is Facebook use in the enterprise too risky to allow?

With an outright ban on social sites nearly impossible, companies need a strong security regime and staff training, say experts

It is not news that Facebook, the behemoth of social networking, is less than aggressive about protecting the personal privacy of its 900 million users. But even relatively savvy users may not be aware of how much of their information is collected, how it is used and how little control they may have over it.

And with millions of workers now using social networking in their professional as well as personal lives, those privacy risks extend in a very big way to the enterprise.

Consumer Reports, which released its annual report on Internet privacy and security last week, devotes an entire section to "Facebook and your privacy." Its findings may not surprise most CISOs, but will likely be unsettling all the same.

More than 150 million Americans use the site, with that number increasing daily. And in exchange for helping people do things like stay in touch with family and friends, find old classmates, share photos, organize around interests and causes, promote their businesses and learn about the tour schedule of their favorite band, Facebook collects and distributes vast amounts of sensitive personal information. It is one very prominent example of Big Data.

[See also: 4 tips for Facebook from security and privacy experts]

CR notes Facebook CEO Mark Zuckerberg's claim in a blog post last November that, "We do privacy access checks literally tens of billions of times each day to ensure we're enforcing that only the people you want see your content."

But CR does a reality check on the claim: "Facebook gets a report every time you visit a site with a Facebook 'Like' button, even if you never click the button, are not a Facebook user, or are not logged in."

"Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge," CR writes.

That information includes visits to pages about health conditions or treatments, which would interest insurers; announcements about attending an event, which would interest burglars; and information about sexual, religious and racial/ethnic affiliations, intimate relationships and even drug use, which would interest potential employers.

ITWorld's Dan Tynan reported last week on how many of the more than 500,000 games, puzzles and quizzes on Facebook exist mainly for the purpose of "sucking data out of your account."

Some of those apps violate Facebook policies, but Tynan notes that the enforcement of those policies can be lax, at best. And while there is now a Chrome plug-in called Privacy Score from Privacy Choice that rates how each app treats your data, that score is largely based on the policies published by the apps and tracking companies, which can also have credibility problems.

Rebecca Herold, a professor and consultant known as the "Privacy Professor," said the worst part of all this is that "Facebook changes their privacy settings and sharing algorithms so often that it is hard for even privacy pros to keep up."

"If you've allowed someone access to your data, there is nothing to stop them from copying and sharing it elsewhere -- there are ways in which their settings will override your settings," Herold said. "Every person should post only information that they would not mind the entire world seeing."

Still, the connections Facebook brings to people also bring irresistible benefits to commerce. Those benefits -- such as 18 million people "liking" a brand's page after learning their friends had done so -- make it practically mandatory for enterprises to be on Facebook if they want to compete.

And security experts say it is useless to try to prevent employees from being on Facebook anyway. Chester Wisniewski, a senior security adviser at the security vendor Sophos, said public social networks like Facebook are "not a good choice for online collaboration, as you have no guarantees of privacy or how sensitive information will be handled."

But, he says if a company tries to block Facebook, Twitter or other sites, "employees will simply grab their iPhone, Android etc. and do what they wish, where you don't have any oversight."

[Joan Goodchild goes in-depth: Facebook may be scary, but we love it anyway]

So, is it possible for an enterprise to exploit the advantages without being damaged by the risks?

No public site can be made airtight. But Wisniewski says it is possible to minimize risks, by "educating employees on appropriate use of social media and allowing it on your network where you have some ability to monitor if sensitive company information is being shared inappropriately."

Herold agrees, saying that "with millions of apps being used by the public to stay in touch with companies, completely cutting off access is simply not an option."

Given that reality, she said, "More companies are allowing certain groups of workers, or all workers, access with mitigating controls -- tools such as data leak protection (DLP), encryption, heuristic malware detection, intruder prevention and detection tools."
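To make the DLP control Herold mentions concrete, here is an added illustration of the kind of content inspection such a tool applies to outbound posts before they leave the network. This is example code written for this page, not from the article, Facebook or any product named here; the internal mail domain, the codename list and the sample posts are constructed, and the rule set is deliberately small.

```python
"""Minimal DLP-style content check for outbound social-media posts.

Added illustration, not from the original article or any vendor product.
The internal domain, codenames and sample posts below are constructed.
"""
import re

# Constructed example of an organisation's sensitive terms (assumption).
INTERNAL_DOMAIN = "example-corp.internal"
CODENAMES = ["project falcon", "q3 merger"]
CLASSIFICATION_RE = re.compile(
    r"\b(confidential|internal only|do not distribute)\b", re.I)
# 13-16 digits with optional space/dash separators, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_post(text: str) -> list:
    """Return (rule, matched_text) findings for one outbound post."""
    findings = []
    lowered = text.lower()
    for name in CODENAMES:
        if name in lowered:
            findings.append(("codename", name))
    m = CLASSIFICATION_RE.search(text)
    if m:
        findings.append(("classification_marker", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # digit runs that fail Luhn are ignored
            findings.append(("payment_card", m.group(0)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group(0)))
    for m in EMAIL_RE.finditer(text):
        if m.group(1).lower() == INTERNAL_DOMAIN:
            findings.append(("internal_email", m.group(0)))
    return findings


def scan_posts(posts: dict) -> dict:
    """Map each post id to its findings; an empty list means allow."""
    return {pid: inspect_post(body) for pid, body in posts.items()}


# Constructed sample outbound posts (not real traffic).
SAMPLE_POSTS = {
    "p1": "Great team lunch today, check out the photos!",
    "p2": "CONFIDENTIAL: Project Falcon slides are on the shared drive, "
          "ping jdoe@example-corp.internal",
    "p3": "My card 4111 1111 1111 1111 got declined again, ugh",
    "p4": "Order #1234567890123 shipped",  # 13 digits, fails Luhn: allowed
}

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        print(pid, "ALLOW" if not hits else "BLOCK " + str(hits))
```

The Luhn check is what keeps an order number or tracking number from being blocked as a card number; a real deployment would add the organisation's own identifiers (customer IDs, patient record formats) and log, rather than silently drop, every block so that false positives can be reviewed.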

But even that, Herold said, cannot address "the problematic and complex architecture within which Facebook is created and shares data. Technology alone will not work." So companies need to update their information security and privacy policies to cover social media, she said.

Rafal Los, chief security evangelist at HP software worldwide, said: "Enterprises can reduce risks with a combination of traditional security to combat known threats with an enterprise security intelligence platform which integrates advanced correlation, deep application analysis and network-level defense mechanisms to detect malicious activities, misuse and accidental disclosure through the use of social media."

Herold says she gave a social networking privacy and security training class for a large hospital system in January, covering the actions individuals should take to protect information when using the sites.

"By including how individuals are personally affected, and not just focusing on the organization, those taking the training were able to see why taking security and privacy steps online is important," she said.

Copyright © 2012 IDG Communications, Inc.