Facebook for business: know the risks

Facebook is an essential tool for businesses of all sizes. It’s a great way to reach customers, with a personal feel that you can’t get from a corporate website. It can provide calls to action, ads and promotions, a messaging service and a showcase for products and services, reaching up to three billion users across the platform – without them having to step outside of a familiar service.

At the same time, creating and operating a Facebook presence can bring hazards you might not be aware of. Last year, for example, a bug in Facebook’s code temporarily exposed the accounts of the admins behind Facebook business pages. Private details of the official Banksy page were posted online, as well as those of a host of global political figures. Facebook quickly fixed that bug, but incidents like this raise the question of just how private and secure your business page actually is.

First, the good news: Industry experts agree that Facebook is a net positive for businesses. “The privacy concerns that apply to individuals don’t really apply to businesses,” explains Paul Bischoff, privacy advocate at Comparitech. Unlike individual users, he argues, businesses want exposure and, for the most part, sharing more information is always better.

Natalie Howells, group head of marketing at business growth agency SpiderGroup, agrees. “Being on Facebook means people can learn about your business and buy from you right where they’re already hanging out,” she says. “The privacy issues are, naturally, a concern to business users, but they’re outweighed by the significant advantages of reaching people where they already are.”

“As long as a business is aware of the potential privacy concerns – and, of course, the privacy of their userbase,” says Steven Jupp, CEO at business intelligence outfit High Impact Office, “the benefits certainly outweigh any privacy issues.”

What could go wrong?

There’s a clear consensus: your business ought to be on Facebook. At the same time, it’s important to be aware of what the issues are, and what you’re entrusting to Facebook when starting your business page.

“There are obviously many details that Facebook will collect during sign-up and daily operation,” Jupp says. “A business is effectively signing away anything they are publishing within their page or shop. But in the light of things, they would very likely do the same on their own website.”

“Businesses don’t need to give up any information that they don’t want to when creating a page,” adds Bischoff. “And they only need to give up financial information if they want to run ads or boost posts.”

A bigger privacy concern is Facebook Messenger. “If you use Messenger to communicate with customers, Facebook can access those messages,” Bischoff points out. Facebook says that chats sent through Messenger aren’t used for advertising, but elsewhere it’s made clear that these communications aren’t private: “As with other parts of Facebook, we collect information from Messenger primarily to provide the service, improve the product experience, and keep people safe and secure.”

Then there’s the small matter of giving Facebook a non-exclusive, transferable, sub-licensable, royalty-free worldwide licence to publish your content. This isn’t as dramatic as it may sound: Howells points out that the licence only applies until you remove your content. “However, removed content may still be stored in Facebook’s backup files, and this could be a deal-breaker for some businesses,” she says.

According to Camilla Winlo, director of consultancy at data protection and privacy specialists DQM GRC, privacy issues can often arise from a lack of understanding of the relevant data-protection guidelines. The ICO’s guidance on direct marketing advises businesses to collect individual contact preferences for email, SMS, post and telephone marketing, but doesn’t explicitly specify social media as a channel.

Consequently, warns Winlo, “many businesses don’t collect social media preferences, and assume they are covered by consent to marketing by email or SMS, or not necessary at all”. The ICO has issued separate guidance on social media marketing, but Winlo says that, in her experience, many marketers are not aware of it and don’t comply with it.

Another question to consider is what information you might be unwittingly giving away in the course of operating your Facebook page. One potential source of data leaks is Facebook’s Business Manager tool (recently re-branded as Business Suite). As Steven Jupp explains, “the Business Suite allows a company to ‘bind’ its CRM, WhatsApp and Instagram accounts to its page”. The benefits of this are obvious, but “Facebook can see the conversations and the data stream between the page and the connected apps – and an attacker could too, as this continues with any apps that the page may bind to, or that a company may develop itself on the Facebook platform.”

Nor is it easy to audit exactly what information Facebook is holding that could be relevant to your business, as it accumulates data in two different ways. “First, it collects data in an explicit and obvious manner,” says Winlo. “For example, I might add my phone number in the relevant field in my personal profile. But secondly, it can collect data in a less obvious way. For example, a business might upload my email address and my phone number to Facebook so they can advertise to me.”

While Facebook has improved its transparency over the years, Winlo says it’s still “very difficult to truly understand what information it collects and processes, and what the risks associated with that might be”.

The situation gets even more complicated when staff connect their personal accounts to the business. “Staff cannot be required to connect their personal accounts, but they may choose to, in order to help customers to identify and connect with or locate them,” says Winlo. “This may enable Facebook to draw conclusions about the business, based on what it knows about the staff.”

Bischoff advises caution when it comes to tagging employees or customers in posts or photos, so as not to expose them to unnecessary attention. “Be sure to ask employees before tagging them,” he says.

The more the merrier

According to Paul Ducklin, principal research scientist at Sophos, for most firms with a presence on Facebook the biggest risk arises from giving too much access to too many people. “If you aren’t careful, you’ll end up with literally dozens of people, at all levels of responsibility and experience in the company, wired up to your company account 24 hours a day,” he says.

This may help to keep posts and responses lively and frequent, but it also greatly expands the potential for lapses in security or judgement. Some of these employees may be using the Facebook mobile app, which keeps you logged in all the time; others will be storing the company credentials in their browser for easy access.

“If any one of those people gets their phone stolen, has their browser hijacked, makes an honest mistake, or simply decides to post something controversial, that’s your page saying it, loud and clear, to the whole world, right there under your company brand,” Ducklin warns.

And don’t think it can’t happen to you. As Jupp warns, “Facebook is a wild west with regard to hijacking of people’s accounts – and a hijacked team member, especially of a high security rank, can cause leakages of data and other attacks on both staff and clients.” Anything at all that has been used in the Business Suite could be exposed.

Facebook cover

The first step towards protection is limiting access to your page. “Stick to people who need access for their job roles, and manage the access you give each person,” suggests Howells – which, of course, is good security sense for any online resource, not just Facebook. Similarly, “make sure that removing access to Facebook, and any other accounts, is part of your employee off-boarding process so that ex-staff members can’t continue to access the account or any private groups you have set up.”

Don’t go too far in restricting access, though: Facebook reserves the right to ban or block individual users at any time, so CyberSmart’s Jamie Akhtar recommends you create more than one administrator. In this way, “if a personal account is shut down for any reason, you have a second profile that can still access your page”.

On top of that, remember standard practices such as basic password hygiene. “Often a page manager will use the same password for both the Facebook account and the admin login on their website,” Jupp notes. “That could lead to a data leak, or the complete hijack of an associated site.”

Ducklin recommends that, before you “go corporate” on Facebook, you plan out “which apps will be granted access; which individuals will have passwords allowing them to post; what the official company rules of engagement will be, so no one has to guess; what sort of 2FA you are going to use; what privacy settings are right for your corporate account; and who’s going to be responsible for regularly reviewing the list of logged in users and authorised apps in Facebook itself.”

Ad-matching and surveillance

A big reason why businesses love Facebook is that it’s one of the best-performing options for advertisers, outperforming Google on average cost per click, cost per action and conversion rate. “From a business perspective, the benefits are clear,” says Winlo. “And from my personal perspective, Facebook advertising has led me to discover some of my favourite small brands that I would not have found otherwise.”

However, the methods it uses to so effectively match ads to customers are controversial. Facebook creates detailed profiles of users, based not only on what they do while using the site, but on their interactions with other sites too. “These profiles are created, in essence, by following you around everywhere you go and monitoring everything you do,” Winlo explains. “That’s known as ‘pervasive surveillance’, and it’s about the most privacy-intrusive thing it is possible to do.

“People have a human right to privacy, and pervasive surveillance violates that right,” Winlo adds. “In 2013, the Internet Engineering Task Force described pervasive surveillance as ‘a technical attack’ on the internet, leading to RFC 7258, which says that internet protocols should be designed to mitigate the risk of pervasive surveillance wherever possible.”

Of course, few businesses will let that stop them from taking advantage of such a powerful tool. The standard justification is that anyone who uses Facebook has implicitly accepted pervasive surveillance as the price of entry; notably, Apple’s recent changes to iOS inhibit Facebook’s ability to track individuals without their express consent.

As Winlo points out, however, privacy campaigners would argue that “Facebook’s whole approach is fundamentally unlawful, and that any advertiser choosing to make use of their platform is benefiting from the fruit of the forbidden tree.”

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.