Social media poses a silent but deadly risk to organizations as users adopt a generally relaxed approach to sharing personal and corporate data. IT pros are challenged to secure the constant flood of social activity on business networks.
"It's one of those necessary evils," says Dr. Amelia Estwick, program manager for the National Cybersecurity Institute at Excelsior College, of social networking. "Now, we can't imagine our lives without it."
But social media firms such as Facebook also are raising the bar with security, a move that could ultimately help promote better security practices on its platform. Take Facebook's announcement last month that it now supports physical keys based on the FIDO U2F security standard for stronger and more secure authentication of user accounts. Users can register keys to their Facebook accounts so when they log in, they tap a device plugged into their computer's USB port.
Brad Hill, security engineer at Facebook, acknowledges the need for stronger security on social networks and explains the company's recent efforts to drive change in the industry, specifically for login security and account recovery.
"Security is on everyone's mind right now, on social media, email, etc.," he says. "Everyone is looking for ways they can feel more secure in their online identities and the things they do online. We want to continue making security easier."
Social media's rampant growth, including that of Facebook, has basically opened the door for malware distribution, social engineering, data mining, and a flood of other security threats.
Evan Blair, co-founder and chief business officer at social media security firm ZeroFOX, explains how hackers are starting to take advantage: "That fundamental scale has created an interesting opportunity for cybercriminals because they can target or exploit virtually any individual, at any organization around the world," he continues. "Everyone is available; everyone is accessible on social media."
People place more trust in their social accounts than they do in email, Blair continues. We're taught to be wary of emailed links, even from those we trust, but we're quick to share personally identifiable information or click links on Facebook, Twitter, and Instagram.
"Because we have no baseline security, we're highly vulnerable to social engineering and spearphishing campaigns," he says, noting how the human interaction on social media drives users' trust in platforms. "The amount of information we share makes us a ripe target."
Companies like Facebook are recognizing the immediate threat to consumers and businesses and launching new initiatives to mitigate risk.
Facebook is a particularly appealing target for threat actors given the scope of its platform, explains Dr. Estwick. "The reason I see Facebook as a bigger problem is the amount of services it provides now," she says. "On Twitter, you send a tweet. On Facebook, you have Facebook Live, Instagram … I don't think users understand what they're getting themselves into when they create a Facebook account."
Facebook Fights Back
On January 26, Facebook announced its support for physical keys for authentication. Facebook's Hill explains how the physical keys make accounts "immune to phishing" because users don’t have to enter a code and the hardware provides cryptographic proof that it's plugged in. While users won't be required to install them, the keys are an obvious choice for people using social media for businesses.
"There's no way you can make a mistake," he says. "Attackers can't compromise it, you can't accidentally give your credentials away."
Further, users can employ the same key for several accounts including Google, Salesforce, Dropbox, and GitHub. Hill hopes by jumping in on this trend, Facebook will encourage users to adopt stronger security measures.
Shortly after it announced U2F security key support, Facebook shared a project with GitHub focused on account recovery. GitHub users can use their Facebook accounts for authentication as part of the GitHub account recovery process.
The idea is to give users an easier and more secure option to recover their accounts. Common methods like recovery emails, SMS messages, and security questions are viewed as both inconvenient and risky as more people go online, Hill says.
Users can set this up by saving an encrypted recovery token with their Facebook account. If they need to recover a GitHub account, they can re-authenticate to Facebook and the token is sent back to GitHub for verification.
"People will always forget their passwords or lose their phones, and we want to make sure they have ways to get into their accounts," says Hill. "Interconnecting networks offers a better option than centralizing things around one account or security questions. We know that stuff isn't secure."
Meantime, social media will continue to be a big target of attackers, ZeroFOX's Blair says.
"We will see more targeted attacks across social media," he says. "We already see a ton making headlines, but we're going to see more hackers targeting employees to gain access to corporate systems. That will continue to become a problem."
On the enterprise side, collaboration apps like Slack will pose a threat despite their intent to drive productivity. Organizations lack control over critical functions: what information is requested of them, which customers and partners join the app, how they engage.
Each social network will tackle the problem differently. Facebook has already started to ramp up its security game and anticipates other platforms will follow suit, experts say.
"We definitely have a huge audience; everybody uses Facebook," says Hill. "I think we're also a player other people in the industry watch. Security-key technology is something the whole industry should be adopting."