Rebecca Herold, an attorney, professor and consultant known as the "Privacy Professor," said the worst part of all this is that "Facebook changes their privacy settings and sharing algorithms so often that it is hard for even privacy pros to keep up."
"If you've allowed someone access to your data, there is nothing to stop them from copying and sharing it elsewhere -- there are ways in which their settings will override your settings," Herold said. "Every person should post only information that they would not mind the entire world seeing."
Still, the connections Facebook brings to people also bring irresistible benefits to commerce. Those benefits -- such as 18 million people "liking" a brand's page after learning their friends had done so -- make it practically mandatory for enterprises to be on Facebook if they want to compete.
And security experts say it is useless to try to prevent employees from being on Facebook anyway. Chester Wisniewski, a senior security adviser at the security vendor Sophos, said public social networks like Facebook are "not a good choice for online collaboration, as you have no guarantees of privacy or how sensitive information will be handled."
But, he says if a company tries to block Facebook, Twitter or other sites, "employees will simply grab their iPhone, Android etc. and do what they wish, where you don't have any oversight."
So, is it possible for an enterprise to exploit the advantages without being damaged by the risks?
No public site can be made airtight. But Wisniewski says it is possible to minimize risks, by "educating employees on appropriate use of social media and allowing it on your network where you have some ability to monitor if sensitive company information is being shared inappropriately."
Herold agrees, saying that "with millions of apps being used by the public to stay in touch with companies, completely cutting off access is simply not an option."
Given that reality, she said, "More companies are allowing certain groups of workers, or all workers, access with mitigating controls -- tools such as data leak protection (DLP), encryption, heuristic malware detection, intruder prevention and detection tools."
But even that, Herold said, cannot address "the problematic and complex architecture within which Facebook is created and shares data. Technology alone will not work." So companies need to update their information security and privacy policies to cover social media, she said.
Rafal Los, chief security evangelist at HP software worldwide, said: "Enterprises can reduce risks with a combination of traditional security to combat known threats with an enterprise security intelligence platform which integrates advanced correlation, deep application analysis and network-level defense mechanisms to detect malicious activities, misuse and accidental disclosure through the use of social media."