How to perform a Security Audit on your Facebook Personal Profile
Facebook has come a long way in terms of keeping you safe online and giving you a range of options to protect your privacy. The problem is that is that the settings are overly complicated and difficult to keep track of. This post is really about getting you started on these settings and on the importance of doing a monthly security audit.
Set aside an hour each month to go through these settings and you'll be reducing any nasty surprises and avoid the unfortunate consequences of being hacked or being the subject of a practical joke.
I'll be going through doing a security audit with Facebook personal profiles and not Facebook pages. However, if you do manage a Facebook page, make sure all your admins run a security audit on their personal profiles each month. There are serious issues here, because your page could be compromised by the security settings of one of your page's administrators. In an ideal world you would have two Facebook accounts- one for personal use and one for business. That way a business can have clear guidelines on the security settings for all accounts. Unfortunately it is not possible to use more than one account (i.e. one account for personal use and one for business) - this goes against Facebook's community guidelines.
I'll be writing another post specifically on doing security audits for Facebook pages.
Monthly Personal Profile Audit
The first time you do the security audit, it can seem a little overwhelming. However, don't worry- it isn't as bad it looks and it is definitely worth it! You'll get more and more used to it each time, and after the first audit you'll find that there will be less to change since you will have done the bulk on the first audit.
Make sure you bookmark this page and come back to it each month. Make a reminder so that you won't forget (Google Calendar is great as it can send you a reminder by text and/or email)
1. Password Audit.
Can you remember when you set your Facebook password? Have you ever changed it? You can find out these answers by heading on down to the account settings in Facebook. This can be found by clicking on the arrow to the right of the home tab on the far right of the blue bar, or you can find it by clicking here.
Having a strong password is absolutely vital. It's also really important not to use the same password more than once. You could use a password method, but I'd highly recommend checking out a password management tool like Last Pass- this way you can have a very complicated password for Facebook without having to remember it. For more information why your password is not safe, check out my previous article on the subject.
2. Always use https
If you are relying on a wireless network for your internet connection you really should enable SSL for all the sites you connect to. This means that any information you send or receive from a website is encrypted. Unfortunately not all sites offer SSL, but Facebook does, and you should enable it right now! To do so, click on the security link on the side menu and tick the box in secure browsing.
For more details on how to keep safe online (particularly if you regularly use public wifi networks) have a look at my 10 tips to Make Your Computer More Secure.
3. Login Notifications & Approvals
This is optional, but it may be something you want to enable. Login notifications can be sent by SMS and/or email whenever you log in. That way, if you receive a notification when you haven't logged in, you'll know that something isn't right and a potential security breach has occurred.
Login approvals would normally be something I'd highly recommend. It uses a technique called "2 step authentication" which asks you for a password every time you log in from a new device. Unfortunately it only works if you don't delete cookies on your browser. If you don't delete your cookies on a regular basis then do feel free to use Facebook's login approvals. If not, I'd recommend using LastPass and their 2 step authentication.
4. Your Recognized Devices
Audit your recognise devices and remove any that you don't need. A recognised device is any computer, tablet or smartphone that has connected to Facebook and been added as a recognised device.
5. Active Sessions
Remove any active sessions from Facebook that you don't need. You may be surprised by the number of devices that are logged into your Facebook account. I certainly was! I had 12 active sessions which included 2 Android phones, an iPad, 3 computers and more. These sessions don't necessarily mean completely different devices, it could mean the same computer but a different browser, or a different location. Generally I'd recommend closing all the sessions except for mobile devices that you can vouch for. Make sure you check each session carefully and if in doubt close it.
6. Do not Track Plugins
Did you know that Facebook tracks your movements across the internet? You might be fine with this and see it as a way for Facebook to "enhance your experience". 😉
Until a "Do not Track" standard has been introduced on websites, the only other option is to use a browser setting or extension. Google Chrome should have a "do not track" setting by the end of 2012, but in the mean time there are plenty of extensions that do the job for you. My recommendation is Facebook Disconnect.
7. Friends audit
Who are you friends with? Are they who they say they are? Are you happy to share with them?
Everyone has different criteria for who they accept as Facebook friends. Some of your friends could be mere acquiescences or perhaps even some that you haven't met. Go through your friends list and make sure you are happy with the people you share with. You should also put your friends in relevant lists so that you only share the information you are comfortable with with certain of your friends, but we'll come on to that in a bit...
8. Email Security & Password
What would happen if your email account was compromised and hacked? Well, one scary thought could be them filling in the Facebook Password Reset form. If the hacker had access to your email account they could then potentially gain control of your Facebook account. Make sure you have a strong password for your email account and that it is different to your Facebook one. You'll also have to check your security questions, but we'll come to that later...
9. Facebook Lists
Did you know you can put your Facebook friends in different categories or lists? Although Facebook introduced lists back in 2007, it wasn't until smart lists were introduced in 2011 that they became truly useful. In a move that some called Facebook's answer to Google Circles, Facebook launched lists as a way to allow users to show different levels of content to different people.
If you put your close friends and family in the "close friends" list you can share things with them which you may not want to share with other friends or the public. For example, I share all my family photos including my children with close friends and I share all my photos with my friends. I am much more selective with what I share publicly You may have different thoughts on this, but as long as you are aware what you are sharing and with whom, then all is ok. To go to the lists page, click here.
10. Privacy settings
After not a few privacy blunders, Facebook updated their privacy settings by lumping them all in to a privacy settings section. It may be less complicated than before, but it does frequently confuse people. No wonder- there are a bewildering array of options. I'll go through each one for you...
a) For mobile apps without the inline audience selector
The Facebook website and the majority of Facebook mobile apps allow you to select the audience your post will go to. For example you could choose a particular status update to appear publicly or only to your close friends. For those apps that don't have this feature you will need to choose which audience you'd feel most comfortable with. For me, that means just friends with the exception of people I don't know that well. For this I've selected the Custom privacy setting. When you do this you get a pop up dialogue box:
I've selected content to be visible to friends (and not friends of friends), and I'm happy for friends of those I may have tagged to see the content to. I've also added people from my Limited Profile list to the "Hide this from" section.
b) How you connect-
- Only show timeline and lookup by email/phone for friends.
- Perhaps because I'm not that popular, I am happy to get Friend requests from everyone. That way if someone I know isn't currently a Facebook friend, they can send a request. If you frequently get requests from people you don't know, you may want to switch this to friends or friends of friends.
c) Timeline & Tagging
- Post to timeline.
Who are you happy to post directly on your timeline? My recommendation would be to select the "friends" option.
- Who can see what others post on your timeline?
For the majority of people this will be "friends" again. However, I've selected "custom" so I can select friends except those on my "limited profile" list.
- Review posts before they appear on your timeline?
I highly recommend switching this on. With this option switched off, all posts and photos from friends that have been tagged with you can appear on your timeline automatically. I prefer to review which posts & photos are tagged with my name.
- Who can see posts you've been tagged in on your timeline?
Again, I have selected "custom", but for the majority of people "friends" will probably suffice.
- Review tags friends add to your own posts on Facebook.
Again, I would switch this on, just so that I can control any tags that have been added to my posts.
- Who sees tag suggestions when photos that look like you are uploaded?
I'm not into Facebook's face recognition software. Call me paranoid, but I prefer to switch this off. I'm sure my friends can tag me if they want and if they see and recognise me in their photos. I'll still be reviewing the tag though! 😉
- Apps You use -
Do an app audit (be aware that some apps might be used for Facebook Pages). You'll probably be surprised how many apps are here, especially if you've never done a security audit before.
- How people bring your info to apps they use -
I'd recommend unticking all of these!
- Instant personalisation -
not available in UK. I would recommend unticking all of these.
- Public search -
Do you want to be in Google and other search engine results? (yes/no optional)
- Adverts shown by third parties -
"If we allow this in the future, show my information to no one." Recommended.
- Facebook Adverts - Pair my social actions with adverts for no one -
I'd recommend selecting "no one" for this. Do you really want to appear to be giving an endorsement to a Facebook advert on your friends' Facebook pages?
e) Limit the Audience for Past Posts
This is optional- this changes all your previous posts to your default privacy setting. This can be particularly useful when switching your profile to the timeline view. There could be an old post that is public that you really would be better keeping between friends!
Manage your subscribers and people you subscribe to. You can allow people who aren't your friends to subscribe to your public content. You may or may not be happy with this. If you are very careful with the content you share publicly then I think allowing subscribers is a good thing.
- Allow subscribers - optional
- Subscriber Search - optional
- Subscriber comments - Are you happy for subscribers to comment on your public posts? Have a think about what you are comfortable with. I've selected Friends of friends.
- Subscriber notifications. Do you want to be notified when a subscriber comments on a public post, or would you prefer just to be notified when a friend or a friend of a friend comments? Again, I've selected friends of friends.
12. Security Info
Finally, check your security info (questions, passwords and email). To do this, visit the security info page here. Check that the email addresses listed are still valid and are all secure. Check your phone number and make sure you have a difficult security question that would be difficult to answer by a hacker trying to reset your password.
Security Audit Services
Doing a security audit is a must for anyone using Facebook. It could stop your account being hacked, or from someone playing a practical joke on you by updating your status on your behalf!
It's particularly important if you are a business page administrator, as not doing a regular security audit could put your pages at risk.
If you are interested, my company, Select Performers, offers regular security audits for social networks including Facebook. We can offer stand alone audits or as part of our ongoing social media management plans. Contact me,visit Select Performers or phone us on +44 03333 442 400 to see how we can help.
So, have you been caught out by a Facebook security setting? Have you got any tips? As always, do let me know in the comments below!
Hi Ian, We’ve quoted you in our upcoming book with this post, but I was wondering if you had ever thought to update this as a lot of changes at FB make it difficult to follow at times (not your fault!)? Thanks to let me know.
Thanks so much. What is the book?
Yes, I do need to update this post. Thanks for the reminder!
Glad to hear! The book is Futureproof. It bows Sep 7 (futureproof.ly for more!) Will you let me know about the update? Many thanks.
Thanks, I will let you know. The book looks great, and co-written by Caleb!
Small world. Great guy – known him since uni days! 🙂
Thanks Ian. We’ll be doing a launch in London on Sep 12 (TBC). Want to come? Send an email to me!
Sounds great. Would love to have come, but not free that day. Happy to spread the word!
Now that we’re connected on LI, I will ping you with the details if you wouldn’t mind!
Do you know/do SXSW? Caleb and I are trying to get accepted to speak there!
Thanks (and if you can leave a comment it’s even better)!
Thanks, Minter. I’ve not been to SXSW, but would love to go at some point.
I’m speaking at Social Media Marketing World again next year. Will you be attending that?
I’ll definitely leave a comment there. Hope you get accepted!