2018 has been a rough year for Facebook, to say the least. In early spring, the Cambridge Analytica scandal revealed that user data is being collected and used for more than just benign targeted advertising. That case showed that when something goes wrong on a platform as large as Facebook, the victim tally can run into millions of users.
Those issues are now back in the spotlight after a massive data breach. The access tokens of upwards of 50 million Facebook users have been stolen, essentially granting account access to cybercriminals. The attack is still under investigation, but the breach has already unearthed some valuable lessons about the present and future of cybersecurity.
What your business can learn from this latest breach depends on your perspective. The situation is troubling for many reasons but, at the same time, it does offer some hope for tomorrow. Consider both sides of the equation to learn the pertinent business lessons from this unfortunate event.
Positive: The Breach Was Announced in a Timely Manner
Facebook announced the breach roughly two weeks after it was detected. Contrast that with Equifax, which took nearly six weeks to disclose a breach, or Uber, which took over a year. Early disclosure allows those affected to take the steps necessary to protect their accounts and data, thereby minimizing the damage done.
Companies as big as Facebook have an obvious incentive to keep breaches under wraps, but recent history has shown that waiting before going public tends to multiply the damage. By expediently disclosing information, Facebook demonstrated how all companies should respond to a breach.
Negative: The Announcement Was Light on Details
Facebook detected the attack quickly, but it will take a lot longer to understand how it was carried out. As a result, when Facebook disclosed the attack, the company was unable to identify the attackers – or even all the users who were affected. That left users with a lot of questions and not many answers.
Facebook is still working to figure out details surrounding the attack, and its full impact is still unknown. Companies must carefully balance the need to disclose early with the importance of providing concrete information and actionable solutions.
Positive: GDPR Appears to Be Working
Facebook’s quick response wasn’t entirely altruistic. In the wake of the General Data Protection Regulation (GDPR) passed last spring in the EU, Facebook is required to disclose a breach within 72 hours. If they don’t comply, they face potentially huge fines. Facebook’s quick action suggests that GDPR has the attention of Big Tech and creates a precedent that other companies will likely be compelled to follow.
Negative: GDPR Rules Need Adjustment
The Facebook breach has been something of a test for GDPR as well, and it hasn’t passed with flying colors. By forcing companies to disclose quickly, GDPR essentially forces them to go public without a lot of information. Even if Facebook had wanted to wait an extra week to explore the breach and be able to answer questions, they wouldn’t have been able to.
It’s also unclear whether Facebook will be fined and for how much, but some experts put the total above $1 billion. Widespread cybersecurity rules are still relatively new (and likely coming to the US), but the details of what constitutes compliance are still very much in question.
Positive: It Took Sophisticated Technology to Pull Off the Hack
Hackers exploited three different bugs in the Facebook interface to gain access to accounts. They followed this strategy mainly because the back-end of Facebook is so secure. The company has invested heavily in cybersecurity, and breaking through that wall took a genuinely creative and sophisticated hack. Companies should be encouraged that the cybersecurity measures they are putting in place do effectively defend against low-level hackers and the most common hacking methods.
Negative: Hackers are in Possession of Sophisticated Technology
The undeniable fact is that Facebook is one of the biggest, richest, and smartest tech companies – and even they were hacked. The recent history of cybersecurity is proving that everyone is a target and no one is immune. Facebook reportedly has a cybersecurity staff of over 10,000; yet a team that large was still outwitted by hackers with sophisticated technology and incredible tenacity.
The obvious takeaway is that if Facebook can fail at cybersecurity, every company needs to reconsider its own strengths and weaknesses.
Positive: Facebook is Being Proactive
There are few doubts that Facebook is doing everything possible to get to the bottom of this attack. The company has announced that it will double the size of its security team by the end of 2018, a major commitment. They will also surely take steps to enhance the platform’s security and give users greater control over their data.
Some may dismiss these measures as too little, too late, but Facebook is doing more to resolve the fallout and prevent a repeat than many companies. The era when a slow and underwhelming response was enough is quickly coming to an end.
Negative: The Damage Spread Outside of Facebook
Facebook is a leader in single sign-on, the ability to use your Facebook login credentials to access your accounts on other sites. The hackers can now access many of these accounts using the stolen access tokens, and Facebook can do little to stop them. At present, they’re not even sure which third parties are affected, and how.
Positive: Facebook is Likely to Survive the Breach
Facebook will probably lose some users, pay some fines, make significant internal investments, and humble themselves publicly. However, despite this latest breach and on top of everything else the company has faced, Facebook is likely to continue to be a dominant social media platform for years to come. This is heartening because it shows that cybersecurity issues, though incredibly disruptive, may not always be totally destructive.
Negative: Data Breaches are Worse PR Than Ever
One 2017 study indicated that 70% of consumers would cease doing business after a data breach. Facebook is unlikely to experience that kind of backlash, but confidence in the platform and enthusiasm about continued usage have undeniably suffered. There is a limit to how much bad news users will endure. Facebook may not have reached the tipping point yet, but it’s taken a big step in that direction. It’s time for all companies to acknowledge that cybersecurity threats are not minor problems – they’re existential issues.
What can you do to prevent a breach? The answer is different for every company. It requires an in-depth analysis of your IT infrastructure and practices, along with a solid understanding of how to plan for tomorrow’s threats.