Employee use of Facebook at work can raise serious security issues that are not visible on the surface. The use of Facebook as a developer platform for all sorts of tools and applications that collect and promote personal information should catch the attention of corporate security staff.
ZDNet’s Phil Windley correctly identifies the potential problems, a Pandora’s box for secure and highly confidential corporate information (see Social networking needs identity delegation strategies)…
"Ever since Facebook opened its platform to outside
developers, thousands of applications have been built on top of Facebook. Some
have tens of thousands of users and have become part of the everyday experience
for many Facebook customers. The viral nature of Facebook means that well
designed applications spread like wildfire.
Many of these applications ask users to enter their credentials for some other service so that they can provide a Facebook interface. Unfortunately, users are all too willing to do that if the application offers even a small benefit. Often these applications use the user’s credentials to find the email addresses for the user’s associates in the service and invite them to start using it.
Suppose, for example, that someone wrote a PeopleSoft
application for Facebook (maybe someone already has) that worked through user
credentials. When you set it up, it asks for your username and password in
PeopleSoft and then authenticates as you and starts digging around. You get a
nice dashboard widget of your PeopleSoft data on Facebook, the app gets a ton
of data.
In an age where more and more organizations are deploying
single sign-on solutions across the enterprise this is downright dangerous. The
credentials you give might be the key to everything including your 401K account
and direct deposit access on the employee portal. Yipes!
You don’t think your employees would do this? After
all, it’s against policy isn’t it? Think again. I found in some
non-scientific surveying that people don’t equate typing their login
credentials into a Facebook application with giving them to a co-worker or
friend. You may want to clarify that before the trouble starts."
Not convinced?
Check out this story from Forrester’s Charlene Li, who made an online purchase that was advertised to all her friends via her Facebook profile thanks to the Facebook Beacon application (see Close encounter with Facebook Beacon):
"I was pretty surprised to see this, because I received no notification while I was on Overstock.com that they had the Facebook Beacon installed on the site. If they had, I would have turned it off.
I used my personal email address to buy the coffee table,
so I was puzzled why and how this "personal" activity was being
associated with my "public" Facebook profile.
Facebook Beacon is merely a small piece of script that
allows the partner site to put a cookie on your browser. So when I bought
the table, an Overstock cookie was created, which then transferred the
information to Facebook. Facebook then checks to see that the same browser is
logged into Facebook, and shows the information. I'm not sure of all of the
details, but I suspect that if I had logged into my "personal"
Facebook account first (yes, I have two Facebook accounts and unless you know
my personal email, you won't find my truly personal Facebook profile), that
Overstock activity would have been logged to that Facebook profile."
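The correlation Li describes (a partner site's script triggers a request to the social network, and the browser's existing login cookie rides along, so the network can attach the purchase to whichever profile is logged in) can be modelled in a few lines. The following is an added Python example, not code from the original post, from Facebook or from Overstock; the domains `social.example` and `shop.example`, the profile name and the event text are constructed, and the two mitigations shown (blocking third-party cookies and a `SameSite` cookie attribute) are later browser controls that the post itself does not mention.

```python
# Added example (not from the original post): a toy model of cross-site
# beacon correlation and of two browser-side mitigations.
# All domains, names and values below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    # "None" models a cookie with no SameSite restriction, as in 2007-era browsers.
    same_site: str = "None"


class Browser:
    """Minimal cookie jar that decides which cookies accompany a request."""

    def __init__(self, block_third_party: bool = False):
        self.jar: list[Cookie] = []
        self.block_third_party = block_third_party

    def set_cookie(self, cookie: Cookie) -> None:
        self.jar.append(cookie)

    def cookies_for(self, request_domain: str, page_domain: str) -> list[Cookie]:
        """Cookies sent on a subresource request to request_domain from a page on page_domain."""
        sent = []
        for c in self.jar:
            if c.domain != request_domain:
                continue
            third_party = request_domain != page_domain
            # Simplification: any SameSite value (Lax or Strict) withholds the
            # cookie from a cross-site subresource request such as a beacon.
            if third_party and (self.block_third_party or c.same_site != "None"):
                continue
            sent.append(c)
        return sent


class SocialNetwork:
    """The side that issues session cookies and receives beacon reports."""

    def __init__(self):
        self.sessions: dict[str, str] = {}   # session token -> profile
        self.feed: dict[str, list[str]] = {}  # profile -> published events

    def login(self, browser: Browser, profile: str, same_site: str = "None") -> None:
        token = f"sess-{profile}"  # constructed token
        self.sessions[token] = profile
        browser.set_cookie(Cookie("session", token, "social.example", same_site))

    def beacon(self, cookies: list[Cookie], event: str):
        # The purchase can only be attributed if a valid session cookie arrived.
        for c in cookies:
            if c.name == "session" and c.value in self.sessions:
                profile = self.sessions[c.value]
                self.feed.setdefault(profile, []).append(event)
                return profile
        return None


def partner_checkout(browser: Browser, network: SocialNetwork, page_domain: str, item: str):
    """The partner page's beacon script makes a request to the network's domain."""
    cookies = browser.cookies_for("social.example", page_domain)
    return network.beacon(cookies, f"bought {item} on {page_domain}")


def simulate(block_third_party: bool = False, same_site: str = "None"):
    """Log in to the network, then buy an item on a partner site; report what got linked."""
    browser = Browser(block_third_party=block_third_party)
    network = SocialNetwork()
    network.login(browser, "work-profile", same_site=same_site)
    linked_profile = partner_checkout(browser, network, "shop.example", "coffee table")
    return linked_profile, network.feed


if __name__ == "__main__":
    print("default browser:", simulate())
    print("third-party cookies blocked:", simulate(block_third_party=True))
    print("SameSite=Lax session cookie:", simulate(same_site="Lax"))
```

The first run shows the purchase attached to whichever profile happened to be logged in, which is exactly Li's point about her "work" versus "personal" accounts: the network attributes the event to the session it can see, not to the email address used at checkout. The other two runs show that either withholding cookies from cross-site requests or marking the session cookie `SameSite` breaks the link, because the beacon request then carries nothing the network can match to a session.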
I’m a big fan of Facebook, but it poses some serious
security and privacy concerns for more than just individuals. Corporate IT and
Security officials would do well to not only monitor Facebook activity, but to
intimately know and understand the types of applications being used and
developed for the Facebook community.
Caveat emptor (buyer beware).