Facebook Security Best Practices

Facebook presents a number of pre-set options for privacy settings: Everyone, Friends of Friends, Friends Only, Recommended and Custom. We do not recommend using Facebook's Recommended setting, which presents a large amount of sensitive information as public. Instead, choose the Custom option and click the "Customize settings" option in the menu.

Once in the Customize Settings menu, in many cases the option to not show information to anyone — to select "Only Me," in other words — is not plainly visible. To make something visible to "Only Me," you have to select "Customize" from the drop-down menu and then choose "Only Me" from the pop-up window that appears.

Privacy settings: Sharing on Facebook — customize settings

Things I share

Option: Posts by me (default setting)
Sophos recommends: "Only Friends"
Why? Personal information can be published on your wall both by you and by others, so it is unwise to let the wider Facebook community view it. For this reason, you should not allow networks to view your wall. Posts you make to your wall can now have their visibility set on a post-by-post basis (see the "Status updates and posted items" section), but we recommend setting the default option to "Only Friends."

Option: Family; Interested in and looking for; Bio and favorite quotations
Sophos recommends: "Friends Only"
Why? With any information you choose to disclose on Facebook, even if you lock your profile down entirely to Friends Only, remember that there is always a chance that one of your friends will have their account compromised. Information about your family, relationships and interests is a rich target for someone socially engineering an attack against you.

Option: Website
Sophos recommends: "Only Friends" (at most)
Why? Publishing your personal website address is less of a privacy risk than revealing other contact information, provided that no other private information is listed on the personal website itself.

Option: Religious and political views
Sophos recommends: "Only Friends"
Why? This information may be sensitive, depending on what you post. Unless you want a potential employer to know it, be careful what you post and who you allow to see it.

Option: Birthday
Sophos recommends: "Only Me"—though it's best not to enter this information at all
Why? As this is key information in identifying you, not only should you not show your birthday, you should not enter your birth date into Facebook at all. Should your account be compromised—or worse, should there be a Facebook data breach—you do not want this information falling into the wrong hands.

Option: Edit album privacy for existing photos
Sophos recommends: "Friends only" for all albums
Why? Your privacy settings for "Photos and videos I'm tagged in" and for your photo albums are not linked, so you need to set your album privacy separately from your general photo settings. Just as with your photo and video tags, don't share your albums with anyone outside your friends.


Things others share

Option: Photos and Videos of Me; Can comment on posts (includes status updates, friends' Wall posts, and photos); Friends can post on my Wall; Can see Wall posts by friends
Sophos recommends: "Only Friends" (at most)
Why? Photos, videos, posts and comments should only be shared with friends, not with wider networks on Facebook. If pictures or posts are likely to be posted that you think may embarrass you in the future, set this option so that only you can view them, and ask yourself what can be done to prevent such material from being uploaded to the Internet at all. If you would not be comfortable with material appearing on your resume or job application, don't post it online.
If a friend's account is compromised and you allow friends to post on your wall, this leaves you open to a potential phishing attack. Most people enjoy the interactivity that friend wall posts provide, but always be wary of any links friends post to your wall (especially if the message doesn't sound like something they'd normally write).


Contact information

Option: Mobile phone; Other phone; IM screen name; Email address(es)
Sophos recommends: "Only Me"
Why? When completing your profile on Facebook, ask yourself whether it is appropriate or necessary to tell other Facebook users your contact details. Facebook allows you to opt out of entering this personal information, and since friends can contact each other through Facebook itself, nobody needs to know your real address or phone number. If they really are a friend, they should already know where you live and what your phone number is! And if a friend really can't remember, they can always contact you via Facebook and ask. It is then up to you to decide whether you feel comfortable sharing that information and whether your friend has a valid reason for asking.
Remember: it is not necessary to post your email address on Facebook, as you can send messages to friends through the Facebook system itself.