• United States



How to Use Social Networking Safely: Tips From Security Pros

Jan 29, 20085 mins
CareersCSO and CISOPhysical Security

The business advantages of sites such as LinkedIn and Facebook are starting to outweigh the security and privacy risks, say Bill Boni and Howard Schmidt--but only if you follow a few rules

Howard Schmidt
Howard Schmidt was reluctant to hop on the social networking bandwagon–a byproduct, he says, of the paranoia he internalizes a security professional. Eventually, though, Schmidt–the one-time cybersecurity adviser to President Bush and itinerant CISO turned consultant–decided the positives outweighed the negatives. He joined not just one social network but three: Facebook, LinkedIn and MySpace.

“My response to those in the security business lamenting the existence of Facebook and MySpace is to ask them if they’ve ever been on it,” says Schmidt.

Bill Boni, too, took the social networking leap–with gusto. The long-time corporate vice president of information security and protection at Motorola, he has now racked up more than 500 connections on LinkedIn. For him, social networking is all about amplifying his effectiveness as a security executive. He says the site allows him to keep in touch with people and gives him an opportunity to tap into “additional sources of expertise.”

Despite the well-publicized security and privacy risks of social networking, both Boni and Schmidt say it’s possible to reap the benefits of social networking and stay safe at the same time. You just have to stay vigilant and be smart. Here’s their advice.

1. Do Your Homework.

Boni hesitated to join LinkedIn until he had adequate time and opportunity to research the site. Despite being recruited to join by numerous colleagues whom he trusted, he wanted to pass his own judgment first.

Before you join, talk to people you know and trust about their experiences with social networking. Different people have different comfort levels, which may dictate which site (or sites) you decide to join. For instance, LinkedIn contains mostly fields for resume-type information, while Facebook also asks about your politics, religion, and favorite books and movies (not that you have to answer). After reviewing each site, ask yourself which site you would benefit from most, what type of features you want and what type of information you are comfortable sharing. Schmidt notes that careful research also may help quell your anxieties and misconceptions about social networking.

2. Secure Your Settings.

The benefit of social networking is directly related to the openness of it, Schmidt says, so privacy and security can be tricky. But each site has various options, and you can decide how much or little you want or lock down your information. Profiles on any of the sites can be set as public or private–with a private profile being accessible only to those you are connected to or “friends” with.

You can also control various aspects of your profile on each site. Facebook, for instance, allows you to control who can contact you, who can find you in a search and what information they will find. You can also set up a limited profile for when you want to connect with someone but not share everything. On LinkedIn, where there’s less information that may be of privacy concern, you still can decide whether or not people are notified when you make changes to your profile and whether people whose profile you visit will know that you (or someone at your company) has been there.

Bill Boni, Motorola
3. Be Careful Who You Link To.

The implicit risk in a sharing site is that it’s open to anyone who follows the terms of use, says Boni. “That means [in addition to all the good people],” he says, “there could be members of organized crime, criminal undergrounds, or people with malicious intent lurking on there.” That’s why it’s crucial to control who you allow into your network.

If you receive a link request from someone on claiming to know you through another connection or “friend,” check with that connection to make sure the request is legitimate. Don’t accept someone who you don’t know or haven’t checked out. “This is a tool that can make people more productive and effective,” Boni says, but only “if it’s balanced with common sense and a healthy skepticism about unsolicited communication received from unknown parties.”

4. Avoid the TMI Trap.

As pro-social networking as Boni and Schmidt are, both say that you are your own worst enemy online, and the risk is always there that you will disclose too much information. “Some people aren’t fully cognizant of the fact that what they put up there is going to be exposed to all kinds of people,” says Schmidt.

Adds Boni, “People need to be skeptical and cautious when leveraging these networks. There are lots of things people shouldn’t tell others, but they do anyway.” And that, he says, can lead to social engineering and elicitation–when someone uses what they know about you to try to learn something about you or your company that’s better not disclosed.

That’s why Boni says he won’t disclose anything of real concern to him. “It’s my responsibility to exercise reasonable judgment when I decide what information I want to disclose,” he says. Boni sees his account on LinkedIn strictly as a way to help him do his job better–and as a result, he only provides information related to his professional self.

Schmidt, on the other hand, sees an advantages in blurring the personal and professional lines. Because of MySpace, he realized that one of his CEO colleagues was an avid fisherman, as is he. Another friend turned out to be an amateur photographer–so is Schmidt. “It helps you build trust and a better understand of who they are, which enhances your business relationship,” he says. And that’s the whole idea.

Staff Writer Katherine Walsh can be reached at