AppRiver Update

Cybersecurity News and Threat Intelligence for Business

Most U.S. SMBs see Facebook as a cybersecurity risk – but why?

June 20, 2019 | by AppRiver | social networks, AppRiver Cyberthreat Index for Business, cybersecurity

Fairly or not, Facebook has become a favorite punching bag for many, frequently criticized for its practices on the world stage. But it’s worth asking: is it a cybersecurity risk at the workplace? Is it more of a risk than other popular social media platforms? 

In a recent survey of over 1,000 small-to-medium-sized business (SMBs) executives nationally, 84% say they are concerned about the cybersecurity risk associated with employees’ use of social media at the workplace or on a business device. To no one’s surprise, 77% say they are most concerned about the risk presented by the most popular social media platform, Facebook. 

While nearly eight in 10 SMB executives (including IT decision makers) feel this strongly about Facebook, only 19% feel the same about Instagram, a Facebook-owned social media platform. Only 13% are concerned about LinkedIn, a platform from which in 2012 a whopping 164 million users’ email addresses and passwords were stolen in one of the largest and most publicized cyberattacks ever. Pinterest is reported to be a concern to only 3% of all SMB executives who participated in the same survey.

What has Facebook done to deserve such a strong association as a cybersecurity ticking time bomb? And why is it considered so different in this regard than, say, WhatsApp, another Facebook-owned platform, or Pinterest? 

Here are some theories:

1. Facebook has been entangled in privacy issues, and privacy is a keyword when the public thinks of cybersecurity.

Facebook has received growing criticism for giving companies special access to users’ data without anyone else knowing, starting with its infamous Cambridge Analytics scandal. Not to mention, the social media giant has suffered multiple massive-scale breaches. The long string of security breaches its experienced over the last year – with the most recent affecting 1.5 million users – has stirred debate around the need for more regulation of the platform. 

2. More people are on Facebook than on other social media platforms.

One third of the world’s population, including counting newborns, are on Facebook or use a Facebook app. It’s reasonable to deduce that more employees of any SMB would be more likely to use Facebook than Pinterest, which has about a tenth of Facebook’s user reach, making it a less likely security risk entry point. More users on Facebook also means more people could be sending virus- or malware-infected files to your SMB. In other words, more Facebook users mean potentially more people on both the receiving and sending ends who could be doing something malicious or simply careless.  

3. Facebook is bigger, more influential, more high-profile, and so it is more top of mind.

As an analogy, more SMB executives might well say Beyonce is a higher cybersecurity risk than Dua Lipa, if they were asked about the two musicians, only because one is a well-known megastar. It doesn’t help that Mark Zuckerberg himself, founder and the face of Facebook, was called to testify in front of Congress in what turned out to be a highly-watched television – and live social media – event.

These are all likely theories, but is there anything unique in how the platform is designed or operates that makes Facebook a higher risk than other social media platforms? Or does it shed light on SMB executives’ lack of understanding of cyber risks and how breaches are deployed when Facebook is considered 26 times riskier than Pinterest is to SMBs? 

In reality, there are valid reasons for why Facebook should be viewed as a cybersecurity risk. Cybercriminals know Facebook is likely one of the most visited websites in the workplace, hence making it a wide and ripe attack surface. Facebook is also the world’s largest microphone through which employees could knowingly or unknowingly post confidential information a company would not want to make public. 

However, SMB executives could also be underestimating the inherent risks on platforms such as Twitter and Pinterest. On Twitter, the use of URL shorteners and the ease with which a malicious tweet could be retweeted to thousands in an instant are both causes for concern. In the case of Pinterest, where clicking on images posted by strangers has become routine, users accessing these unknown files in the workplace could be inadvertently opening doors to cyberattacks on their businesses. 

More important than worrying about a specific platform is helping employees understand how breaches happen and why they should be incredibly careful about what information they share with the public. At the end of the day, any social media post – regardless of platform – is potentially a message to a cybercriminal.