Why Facebook keeps security experts up at night

New social media sites are creating avenues for hackers, thieves and spies to access employee data and potentially infiltrate network defenses.

Social media is making the world a smaller, more interconnected place. And that’s precisely what worries security experts like Matthew McCormack, the Defense Intelligence Agency's chief of cybersecurity.

Speaking at the Department of Defense Intelligence Information Systems (DODIIS) conference in Detroit on May 4, McCormack said the increasing use of social media sites, such as Facebook, creates a host of challenges for protecting networks and sensitive data.

Cyberattacks continue to be a major threat to organizations. In 2008 and 2009, $1 trillion in intellectual property was lost to cyberattacks.

However, social networking is a new and growing challenge. McCormack said that users in the U.S. spend about 63.5 billion minutes a month on social networks compared to 26.1 billion minutes for online games or 19.9 billion minutes for e-mail. As of January 2010, average daily use for Facebook was 14 minutes per person, he said.

The size and reach of Facebook illustrate the prevalence of social media and why security experts need to be aware of the threat it presents, McCormack said. Citing Nielsen data, he said Facebook has 500 million users globally, 48 percent of whom access it via smartphones, which bypass traditional computer and network security infrastructure.

E-mail providers have experience in deploying security technology on a regular basis to keep hackers and spammers at bay. But social media companies are just starting to become aware of the security challenges facing them, McCormack said. This new awareness is important because criminals are beginning to shift their efforts from e-mail to social media.

Thieves' growing focus on social media presents new security risks for organizations, because employees will either try to access the sites from the office or bring personal wireless devices with similar capability onto the network. McCormack said that 30 percent of attacks on social media sites seek out personal data, another 13 percent cause monetary loss and 10 percent successfully install malware on a computer.

Almost half of all employers in the United States ban their personnel from accessing social media sites. Besides the obvious security concerns, McCormack said that, from a networking perspective, social media can cause a loss of productivity and consume bandwidth through access to streaming media such as video.

But banning social media is not a complete solution. McCormack said security experts must understand the nature of the challenge they face. Younger, Generation Y workers expect the same level of technology access at work as they have at home. They collaborate more in the workplace, and they spend more time using instant messaging than in face-to-face conversation, he said.

In this new environment, security professionals have to look beyond defending the network or its hardware. “I’m not trying to just protect my infrastructure — I’m trying to protect my ecosystem. Employees are part of that ecosystem,” McCormack said.

Security professionals also need to change their thinking regarding new technologies and applications, such as social media. “The mindset needs to change from securing the perimeter — keeping the bad guys out — to securing the data,” he said.

Instead of acting as gatekeepers, security personnel need to become risk managers, McCormack said. Security staff should shift from automatically saying "no" to user requests to "yes, but ..."

“It’s not just vanilla security any more, it’s risk management. That’s the new mindset,” he said.