Security & the Social Network: the Good, the Bad & the Overshared

In the space of just a few years, social networking sites have grown to form some of the largest communities in the world, but what impact are they having on privacy and the security of information? Michael Hill investigates.

The digital age has seen its fair share of phenomena grow and develop from modest beginnings to become integral parts of everyday life, but few have done so quite as remarkably as social networks, which now form some of the largest communities on the planet.  

In 2004, Mark Zuckerberg and peers at Harvard College launched ‘The Facebook’. Originally a networking site restricted to students of Harvard, within a month the service was being used by more than half of Harvard undergraduates. Two years later and after a slight name change, Facebook became publicly usable to anyone aged 13 years or more with a valid email address.

Whilst Facebook wasn’t the first social networking service to come along, it has certainly grown to be the biggest. Earlier this year, findings from Statista revealed that, as of August 2017, Facebook had a staggering two billion active users worldwide. That was some 800 million more than the next largest, the Facebook-owned WhatsApp messaging service (created in 2010), used by 1200 million people across the globe. The statistics also showed that photo- and video-sharing service Instagram had, in just the seven years since it was founded, gained 700 million users, with Twitter (320 million users), Snapchat (255 million users) and LinkedIn (106 million) all included in Statista’s top 20 most popular social network sites.

Whether it’s tweeting, checking-in, sharing photos, going live or professional networking, more and more of us are interacting with social media to digest, swap and share our personal lives. Likewise, it has also transformed the way enterprises go about conducting their business, with companies of all sizes taking to networking sites to build their brands, advertise new job vacancies, engage in customer feedback and initiate campaigns.

Social media growth shows no signs of slowing. It is estimated that there will be more than three billion social media users around the globe by 2020, up from 900 million in 2010. Further, a Cisco study predicts that mobile video traffic, often considered the future of social media with video sharing already very popular among social network users, will account for 75% of total mobile data traffic within the next three years. 

With its speed of evolution, widespread popularity and ambiguous nature, social media is having a significant impact on the security of data and privacy, providing means of solving some of the problems the information security industry faces whilst, at the same time, creating a whole host of others.

“Social media platforms are like any tool,” Raef Meeuwisse, author of Cybersecurity for Beginners and external relations director, ISACA London Chapter, tells Infosecurity. “Whether they are something of great value or great harm really depends on how they are used.
 
“Effective use of social media can enhance both your career prospects and security. Conversely, using those same platforms unwisely can have exactly the opposite effect.”


Sharing information is what makes the internet such a wondrous, sophisticated tool, and it simply wouldn’t exist without it. However, information sharing is not always a good thing and when it comes to social media profiles, some users have developed a culture of ‘over-sharing’ which can put them and those around them at risk.

You Are What You Share 
“Social media has been a complete game changer as people have gradually become accustomed to sharing data widely and trusting people more readily,” says Jenny Radcliffe, social engineer, speaker and host of The Human Factor podcast. “These days, a huge amount of data is easily obtainable in almost no time due to the amount of information held on people on various sites, as well as most people's readiness to share anything and everything about their lives.”

These days, users may not understand concerns around sharing information. We do a great deal of socializing online and it can enrich our lives, but the fact is, social media sites have also become ‘treasure-troves’ of data from which cyber-criminals can and do source a lot of the information they need to craft and carry out their attacks.

“Malicious social engineers use social media to research their target organizations’ employees,” explains Sharon Conheady, director of First Defence Information Security and a founding member of The Risk Avengers. “Most people don’t realize how much information they publish about themselves and rarely consider how it could be used against them.”

This information is useful in so many ways to a malicious individual, Radcliffe adds.

“Whether it’s helping to build a profile of the organization to aid spear phishing emails, gain information as to site layouts and operational details, or even to find the psychological levers that will help coerce an individual into compliance, information is often the key to a successful attack and yet people generally are very careless about sharing it.”

The Trouble with Trust
As Robert Schifreen, founder and editor of SecuritySmart.co.uk explains, users have a tendency to put absolute trust in social media, and it is that trust that causes a lot of the security and privacy problems that follow.

“People generally assume that all their faceless friends and contacts are genuine and are telling the truth all the time, and that all the information they post and share is safe to do so,” he says. “However, it's so easy to pretend to be someone on social media – you can be anyone you like. Want to elicit confidential information from an employee at Company X? Just set up profiles on Facebook and LinkedIn, pretending to be someone who also works in that company, and you'll get follow-backs and likes from lots of people who think you're their colleague. You then get to hear all the gossip, or you can even invent your own and start spreading it.”

Also, he adds, getting ransomware onto someone's computer is much easier if the recipient thinks they know the sender, as they then won't think twice about clicking on the link or attachment.

“Trying to educate people is really hard,” warns Schifreen. “You need to change their default way of thinking, in environments such as email and social media, from ‘why might this not be genuine?’ to ‘why might this be genuine?’”

Schifreen points to one particular scheme he is aware of, where a company offered a weekly prize to the employee who reported the largest number of phishing emails to the IT department.

“This worked really well, and had the desired effect of making people question every social media post and email message that they encountered. We need to see more companies setting up similar schemes.”

A Risky Business
Whilst social media used to be something that people would use solely in their personal lives, its presence in the enterprise arena has grown significantly in recent years. Whether companies implement it intentionally and strategically in their business operations, or users log in to their favorite social media site themselves, with or without administrative permission to do so, both can bring added risks to an organization’s security, privacy and compliance postures.

“Corporate security and personal security are very much intertwined,” Conheady says. “If employees don’t look after their personal security, this can lead to corporate security issues, especially where employees have remote access or in a BYOD environment. Even without this, employees who are lax about their personal security are more likely to fall for social engineering attacks that can have serious consequences for both the individual and their employer.”

Schifreen agrees, stating that whilst corporate spam filters may block some unsolicited emails carrying dodgy links, corporate executives and people holding key positions are only too willing to freely open links in Twitter, Facebook or LinkedIn.

“It’s also a reputational/PR management thing,” he adds. “You need to ensure that people don't post officially on behalf of the company unless they're trained and authorized to do so – and that grievances are dealt with in private rather than in public forums.

“Legally, it's important to ensure that staff don't make promises that the company is unable to keep, because something said only semi-seriously online could be regarded as binding by a good lawyer if the person who said it could be reasonably expected to have the authority to have done so.”

Not All Bad
Thus far it all seems pretty gloomy when it comes to the impact that social media growth has had on efforts to keep data safe and secure. However, as Meeuwisse argues, that may not necessarily be the case – at least, it doesn’t have to be.

“Many of the leading social media platforms have some of the best security authentication available,” he says. It is an accurate statement: all of the main social networking platforms offer various security and privacy settings which can be tailored to suit the circumstances of individual users.

“Some also offer their authentication as a service to help you maintain your log-in at other sites,” Meeuwisse continues. “If you decide to use the stronger security options on offer, which can include two-factor authentication and a restricted list of authorized devices, using your social media account to help control your online identity can help improve your security.”

Meeuwisse’s example is apt: strategies for better, quicker and stronger authentication have been sought after for some time, particularly in the last few years when the efficiency and reliability of traditional passwords have been seriously questioned. Social networking platforms have the potential to help here.

“What we already see happening is that many technologies no longer try to run their own authentication but instead use log-in authorization options from Facebook, Twitter, LinkedIn, Google or other global technology companies. That trend is likely to gather momentum as the price and sophistication of correctly authenticating access starts to go beyond the affordability of most applications and organizations.”

Meeuwisse is quick to point out, however, that “if you do choose to use a social media account as an authentication option for other services, but do not invest time in setting up robust security options (for example, a long, strong password plus two-factor authentication) – then rather than improving your security, you will have weakened it.”

A Question of Responsibility
What’s apparent is that social media has the potential to be both a means of strengthening data security and the privacy of information and a vector that can seriously threaten both. But where does the responsibility lie to ensure it’s the former?

“The responsibility for how our data is used lies with social media companies and bodies like the Information Commissioner’s Office who oversee data protection regulation,” explains Pam Cowburn, communications director at Open Rights Group. “Privacy policies and terms and conditions should be written in clear language that explains how our data will be used. The ICO should also help people to understand their data protection rights.”


Schifreen agrees, suggesting that morally and legally (to a degree), responsibility should lie with the social media company itself to ensure security. However, he admits that in practice, it often falls to users, something that is especially important to get right when it comes to youngsters.

“The most worrying thing for me is that the age of people using social media is dropping all the time,” Radcliffe adds. “A youngster is clearly at risk online from any number of different types of threat but they very often have even less of the judgement filters that an adult might have in terms of suspicious behavior. Keeping children and young people safe online should be a priority for us all.” 

If there’s one piece of advice that Radcliffe wants users to take, it’s to be very careful about how much information they share online and who can see it. “We all live in a digital age and benefit from social media but we don't have to put everything about ourselves out there! Think before you post and be more cautious, the world does not need to know everything about you,” she concludes.

Sound advice indeed!
