New Rules for Facebook Business Use

NEWS ANALYSIS: The latest Facebook data breach leaves business users in an uncomfortable position of how and whether to use the social network.

Facebook.security

The first word that comes to mind when considering last week’s breach of Facebook is “damn.” Meaning, in this case, that you’re damned if you do and damned if you don’t. Facebook has become a valuable tool for customer engagement, but as last week’s breach makes clear, the social network is also fraught with risk.

In the case of last week’s breach, what the hackers stole were access tokens, which might not sound like much, but which can be worse than simply stealing your login information. The reason is that many sites use a “Login with Facebook” feature that lets you use your Facebook credentials to access the site. These sites depend on access tokens, which, if you’ve logged in before, allow you to simply connect without logging in again.

This means that the hackers effectively had access to all of those sites. In fact, they may be able to access sites using your tokens even if you don’t use your Facebook login on those sites.

Facebook Presence for an Enterprise Can Be a Risk

But the Facebook breach has bigger implications for business users who represent their organizations on Facebook, or for organizations that have their own Facebook account. This is because the risks of a presence on Facebook can damage your organization’s reputation if you’re not careful. In extreme cases, the damage could be worse. This means that there need to be rules for business on Facebook. Here are some examples:

  • Do not assume Facebook is secure. Despite the company’s assurances, its record indicates that any information on Facebook is at risk of public disclosure. This is probably not an issue for most customer service uses, but not for anything beyond that.
  • Never believe that your Facebook account can’t be (or won’t be) compromised.
  • Don’t expect Facebook to come to your assistance. While the company does make global changes to react to security incidents, helping individual users can be problematic.

With those issues in mind, here are some practices to keep in mind:

  • Don’t use your Facebook login anywhere except Facebook. This may mean having to set up a special email address just for Facebook use.
  • Don’t use your Facebook password anywhere else. Have your password manager generate a unique password that’s hard to guess, and then have the password manager log you in.
  • Don’t fall for those offers to use your Facebook login on other websites. This is where those tokens come into play.
  • Use two-factor authentication for your Facebook account (and for your other accounts as well). It’s free, and it can help protect your account against credential theft.
  • Make sure you control access to the company account so that you can prevent unauthorized employees or others from posting as if they were speaking for the company.
  • Ownership of the company Facebook account belongs to the company. Your social media staffer shouldn’t be able to simply leave and take your followers.
  • Require that employees who post on behalf of the company know your social media policy and agree to adhere to it.

Of course, none of these steps will necessarily protect you if your information is taken in the next breach, but at least you can minimize the damage. For example, if you only use the Facebook login information on Facebook, then it won’t matter if it’s stolen, because the thieves can’t use it elsewhere. But even then, you should change your password from time to time.

A Lot of Good Reasons to Use Social Networks in Business

All of this is enough to discourage companies from using Facebook or other social media, but it shouldn’t. Facebook, Twitter and Instagram along with other such sites are effective and efficient ways to reach your customers. Your discussions and interactions with them can also help instruct others who have questions, and you can provide product and service information in a casual, non-threatening way.

But with that in mind, there are a few more rules:

  • Never use Facebook to accept personal information, payment information or anything else that can’t stand being completely public.
  • Never use Facebook or other media to make any future-looking statements unless you’ve already issued the press release. If you want an example of how bad that can be, just refer to Elon Musk’s $40 million tweet.
  • Never assume your competitors aren’t reading every word of your Facebook page.

If the Facebook breach has done nothing else, it has demonstrated that there’s a huge potential for security risks there, and you can’t just cruise along thinking that it’s a form of recreation. For your company, Facebook is a totally serious but highly effective tool.

The social network can be highly effective in providing customer support, provided you use it to make initial contact but then handle the details elsewhere. With Twitter you can take it to a DM. With Facebook, perhaps you can use Messenger.

Facebook can also be effective in introducing potential customers to your company and all of the things your company cares about. You can demonstrate products, show videos, even set up meetings for your sales department. Depending on the type of business you have, Facebook can be your primary face to the world, and it can be very good at that.

But like all powerful tools, you need to be careful how you use it.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...