Many businesses rely on Facebook to promote themselves and engage with customers. But recent reports about Facebook’s cavalier attitude toward user privacy, and evidence of vulnerabilities to scraping user data, may give you cause to wonder if Facebook exposes your business to risk.
Facebook is not alone in providing “indispensable” services for free and using the data they obtain to make money. Amazon, Google and other tech heavyweights collect your data too – more than you might think! Users hope that the data is used benignly. But businesses and insurers shouldn’t trust Silicon Valley giants to be infallible. For the sake of a business’s own protection, formal policies and procedures are necessary.
If Facebook’s revelations have not spurred you to review acceptable use and communication policies, there’s no time like the present. You should begin by deciding how employees, contractors or volunteers access and use social media, personal/corporate email and personal/corporate cloud-based services.
From there, tailor your communication and use policy to these individuals and their online needs. Communicate any updates or additions to your policies across your organization, and make sure that your users are fully trained. A comprehensive use policy only works well if your users understand it and want to use it.
No one is perfect, and employees will inevitably stray from the policy. It’s possible a fault in a business’s infrastructure encourages breaking from the policy as the perceived path of least resistance. For example, security assessments often uncover situations where employees are using personal messaging applications to communicate or are sending files through personal email accounts. In many situations, the reasons for pursuing alternative solutions might be legitimate, such as out-of-date software or faster applications. Although the intention might be productive, it still exposes the company to serious risk of a cyber incident or breach.
Companies need to identify the limitations in their infrastructure that may cause their employees to use alternative applications, social media, personal email, or cloud-based services as a work-around and work to address these limitations.
An acceptable use policy may also need to look beyond a social media service’s primary platform to identify threats. For instance, Facebook’s login API presents employees with another risk vector tied to user convenience. Many websites use Facebook’s universal login credentials as a time-saver, sparing users from the need to track multiple passwords. A study posted on Freedom to Tinker, created by Princeton’s Center for Information Technology Policy, identifies two ways third parties can, at present, quietly collect data through Facebook’s login API: by piggybacking on Facebook access granted to websites and by following users around the web with a hidden tracker.
In the example of the login API, these vulnerabilities were introduced not by bugs, but by a lack of security boundaries between first- and third-party scripts in the modern web. An employee may know to take precautions with social media platforms, but fail to recognize the vulnerabilities introduced by the ways social media APIs interact with other sites. Do not assume these services will adequately protect their own users, even if they are well-established, deeply integrated household names.
Facebook’s breach of trust should jolt executives to re-examine how their businesses use social media and the cloud-based software they feel they can’t live without. The cost savings these tools create can help a business grow. But we should never forget that the omnipresence and ease of use of these “indispensable” services can cut both ways.