Everyone loves to watch giants get attacked. The heat of the moment provides fantastic entertainment. Typically, the spectacle reveals some truth. However, we usually don't get a clear picture of everything that's happening until after the dust settles. Such is the case with Facebook.
Now that things have calmed a bit, those of us in the security industry who have been watching the saga unfold are learning some valuable lessons. Chief among these is that by making only a few missteps, any business can turn millions of humans into vulnerabilities that unscrupulous actors can exploit. In this case, a lone developer accomplished this with an app that users, and Facebook, regarded as harmless.
What were some of missteps Facebook made? It failed to arm itself with sufficient visibility over its environment. It had an ineffective early warning system. It didn't devote enough resources to user education and defense. And the social giant has been opaque about its business model and how it collects and monetizes members' data. While Facebook may currently be the one in the spotlight, it's vital to remember that it's not the only business that is failing to protect its users. These same oversights and problems plague most organizations today.
The 2018 IBM X-Force Threat Intelligence Index revealed that vulnerable humans, which it refers to as "inadvertent insiders" (aka insider threats) are responsible for exposing more than 2 billion records and causing 20% of reported security incidents. The Ponemon Institute estimates that this class of user is costing organizations more than $283,281 per incident annually. Some damages can't be measured in terms of dollars or records lost but by the impact they've had on world history. The Hillary Clinton campaign argues that attacks against vulnerable campaign insiders contributed to her 2016 presidential election loss.
The situation Facebook is in, along with findings like these, should be prompting security teams to evaluate just how vulnerable or protected the people in their organizations are. It should also be motivating them to find ways to "patch" any human vulnerabilities that exist.
What's a Social Network, or Any Business, to Do?
Facebook CEO and co-founder Mark Zuckerberg says the platform will make sweeping changes to curtail future abuses. Let's hope they work. If Facebook, or any organization, is serious about protecting its people, there are certain essential steps they need to take. Here are four that all organizations should take right now:
1. Gain visibility. Organizations need to get a grip on the behaviors of partners, customers, employees, and third-party application developers. To accomplish this, they don't have to resort to requiring anyone to adhere to intrusive monitoring practices that amount to surveillance and eavesdropping. To be effective, screen-shot captures, key stroke logging, and other invasive tactics aren't needed. There are a wide range of technologies available that Facebook or any company could choose from that will provide the visibility and intelligence needed to spot suspicious trends before they spiral out of control.
2. Enable early warnings. Many organizations have tools and technologies in place to notify them when suspicious behaviors take place. Many "early warnings" end up being false positives, which lead to alert fatigue. For early-warning alerts to truly have value, they have to be powered by technologies that understand behavioral context, know when events are normal or anomalies, and what the intent of observed actions are. A smoke detector is of little use if it doesn't have a siren that lets people in the facility it's protecting know when there's danger. Nor would it have any value if it "cried wolf" when there is nothing to worry about.
3. Educate and protect. Organizations that want to shield their users against bad actors need to invest in providing security and scam education to users. Studies suggest that with education, humans can reduce their susceptibility rates to scams by as much as 70%. To further protect humans, businesses may need to build in alerts that that let them know when they are about to engage with risky apps, click on questionable links, or get involved in dubious conversations. Access to a threat intelligence feed can also prove useful. The latest information about attacks in the wild will allow security teams to take proactive measures.
4. Be transparent. Had Facebook been up front with users about the fact that every bit of information they share is collected and analyzed for marketing and advertising purposes, then the 87 million users who were fooled may have thought twice before engaging with an app that was collecting personal information. Any organization committed to protecting its users against privacy and trust violations needs to be transparent about its data policies and business model. Users who understand how the businesses they engage with and work for use the data they generate and share will be in a better position to understand what types of online activities and behaviors are potentially harmful.
When it comes to vulnerabilities in the world of technology, our minds tend to focus on hackers exploiting weak computer code in order to gain access to systems and data. While this is certainly one example of how the vulnerability scenario plays out, history has taught us, and Facebook has highlighted, that it isn't the only one. By now, all businesses should be thinking about their human vulnerabilities and taking steps to protect them against scams and attacks that could compromise their personal privacy and lead to costly and embarrassing incidents.