While cyberattacks still occur to small businesses that aren’t adequately prepared, most organizations have enough security smarts to defend against most hacks and malware – or that’s what everyone thought, until March 19. News of social media goliath Facebook’s data breach is causing everyone to question current cybersecurity standards. Considering that Facebook’s stock plummeted nearly 7 percent in a matter of hours, the widespread concern makes total sense.
However, Facebook’s data breach wasn’t exactly typical – in fact, the people at Facebook don’t want to call it a data breach at all. So, what did Facebook do wrong, and what can business owners like you do to avoid the same fate?
Inside the So-Called Data Breach
In 2013, Target suffered a major data breach that affected over 60 million cardholders and ultimately cost the company more than $300 million. The Target breach was typical of other hacks then and now in that cybercriminals illicitly gained credentials and siphoned valuable data through a computer gateway. Since 2013 – a year when several high-profile companies endured debilitating breaches – most companies have been more serious about protecting their data, to include restricting access and safeguarding login credentials. Facebook, too, has taken great pains to keep users’ information secure.
The company is an offshoot of SCL Group, which is a government and military contractor that provides strategic communications on a variety of subjects. Though the group has been in operation for 25 years, the CA subsidiary was formed in 2013 with $15 million from Republican billionaire Robert Mercer and involved Breitbart founder and ex–Trump adviser Steve Bannon. The company bolsters political campaigns – notably, Republican political campaigns – by collecting data, predicting voter behavior, and producing targeted advertisements designed to influence behavior. As one might expect, the glut of consumer information acquired from Facebook through Kogan was a miraculous windfall for the group. However, because neither Facebook nor its users permitted their data to be used for such purposes, the group’s operations were ethically dubious, at best.
Worst of all, Facebook was aware of the issue in 2015. Open discovering the misuse of data, Facebook removed Kogan’s app and requested (and received) evidence of the data’s destruction. Yet, by 2015, Trump’s presidential campaign was already in full swing, and with the help of CA’s efforts, the soon-to-be president had a leg-up in understanding and influencing voters. When the news broke of Facebook’s part in the illicit application of user data in the 2016 presidential election, Mark Zuckerberg and other Facebook executives immediately admitted their mistakes and pledged increased efforts to protect user data – but can users ever trust businesses to do the right thing?
Protecting Business Data the Right Way
While this wasn’t a data breach in the typical sense – no hackers broke through digital defenses to pilfer data; the data was initially obtained legally then improperly spread – it is still beneficial for other businesses to recognize this kind of wanton distribution of data as dangerous. Enterprise security is a serious issue, and all organizations must be careful to protect their digital assets, especially those that also belong to their consumers.
Some important lessons from Facebook’s non-data breach include:
- Companies must know exactly who is using their data and exactly why. More investigation into Kogan or the group would have revealed their nefarious purposes. Just as businesses wouldn’t entrust their cash with any entity, they shouldn’t hand over data to anyone without preliminary research and close monitoring.
- Companies must inform users as soon as data misuse is detected. Eventually, the truth will get revealed at the least opportune moment. The Facebook business is already incurring flack for its role in spreading fake news (not to mention Russian propaganda); had Facebook announced the breach in 2015, it might not have lost so much market value at once.
- Companies should have repercussions for those who misuse data. Deletion of the app and data isn’t much – especially since the acting group already received what it wanted. Facebook and other organizations should consider more serious consequences for wrong-doers.