Learning from Facebook’s Error
The testimonies from the Facebook security scandal spawned a massive dialog regarding privacy across the US and globally. The scandal erupted after Facebook released unsecured customer data to a third party. How could a technology company with vast resources do something so blatantly irresponsible?
Many companies base their responsibility for securing data on two factors. The first is whether something is required by law or by a third party vendor; an example is credit card security (the PCI DSS standard). The second is whether other similar companies are doing it.
The real problem stems from the second point. If a company believes its security is as good as the other guy's, and the other guy's isn't very good, then you have a serious problem. Typically, adding more security adds time and complexity.
The First Step: Individual Awareness and Action
Starting out, it may seem that changing your security practices should begin with a conversation with your IT team or with a specialist. But I believe strongly that the first step is to shift the culture of the company, and that starts with a culture shift at the executive level.
Mark Zuckerberg's problem wasn't that he lacked security police tracking data or an IT team doing some magical cybersecurity scanning. The culture of the company didn't include protecting the privacy of the customer. I'm not an expert on their finances, but the last time I checked, Facebook makes money by selling advertising targeted at the specific preferences of its users.
Even the executive team at Facebook can (and must) make a switch, and so can leaders at a company of any size. My recommendation is to start by changing how you protect your own personal data: use third party vendors that monitor your identity, switch to logins with complex passwords (16 characters), secure your financial information with your banks and credit bureaus, and update all your login identities.
There isn't anything technically difficult about this first step. But it is a conscious shift.
Next: Assessing the Risk
If you ask a cybersecurity professional how to assess risk, I'm willing to bet that you'll get a response involving the words "audit" and "report". A professional audit would be a great action, except that it usually serves a different purpose for an organization and may be financially unfeasible. Another approach is to self-assess the risk at your company.
In order to understand your exposure, I believe you only need to talk to people. Find out what the leadership team thinks about security. Ask what they are doing to secure their data. If that question generates responses that are less than reassuring, then ask people what they think the company should be doing.
In the process of doing IT assessments and security audits, I have found that every organization has someone who takes privacy seriously. Simply asking your staff how this could change for the better begins a healthy dialog, and that dialog starts a culture shift.
Improving the security posture of your company will fare much better if the entire company understands and believes in its importance. When the importance is at all unclear or has questionable support, the rest of the staff will treat it as something that is nice to have, but not essential to their job.
Knowledge is Power
And that takes us back to Mr. Zuckerberg and his testimony to Congress, Ms. Sandberg and her PR efforts, and Facebook in general. The failure in this recent breach wasn't due to a security technology failure, just as it wasn't a failure on the part of IT. The staff responsible for turning over this data to a third party just weren't aware that security was really important to the CEO. Why? Well, because it wasn't. Now the entire company is aware that the security and privacy of customer data is critical. (And lucky for Facebook, this change has come prior to the EU's implementation of GDPR. More about that in a future post.)
For employees, it isn't enough that there is a priority at the top of the company. There are always priorities. How is this one, on security, going to impact staff? The simple answer is training. Your staff need more training on what threats look like, what they can do to spot them, and how they can make choices that stop threats from getting through. The training is part of a broad shift in the company's landscape that drives change.
Change comes in many forms, but good change, the kind that makes an organization better and makes for better customer relationships, will certainly be better served by a company-wide, collaborative effort from all staff.