Facebook revelations should spur insurers to review data use policies

Now is the time for insurance companies to assess their social media uses and cloud-based software suites.

Recent reports alleging Facebook’s disinterest in user privacy make for harrowing reading.

Until these reports surfaced, many users were unaware of how brazenly their data and personally identifiable information were being merchandised.

It is natural for companies to want to harness the power of the data they are collecting, but mining private messages and scraping user data can open a company up to risk.

Sign of the times

It’s worth noting that Facebook is not the only Silicon Valley giant leveraging user data to make money. Google, Apple, Amazon and other companies collect far more data than most realize.

Consumers hope that this data is being used for relatively benign ends, but companies need formal policies and procedures to ensure protection. A balance needs to be struck between data collection, mining and analytics, and the vulnerabilities they create.

How should companies safeguard their data? What’s more, what kind of cybersecurity is sufficient against all-pervasive social media platforms like Facebook?

Call to arms

Now more than ever, companies need to review their communication and acceptable use policies. Determining how employees, contractors or volunteers access and use social media, personal/corporate email and personal/corporate cloud-based services is the first step to gaining a better understanding. Tailor your communication and use policy to these individuals and their online needs. Communicate any updates or additions to your policies across your organization, and make sure that your users are fully trained. A comprehensive use policy only works well if your users are willing to use it and understand how.

When employees stray from the policy, they can reveal faults in a company’s infrastructure. Security assessments often uncover situations where employees are using personal messaging applications to communicate or are sending files through personal email accounts.

In many situations, the reasons for pursuing alternative solutions might be legitimate, such as out-of-date software or faster applications. Although the intention might be productive, it still opens the company up to tremendous risk of a cyber incident or breach. Companies need to identify the limitations in their infrastructure that may cause their employees to use alternative applications, social media, personal email, or cloud-based services as a work-around, and work to address these limitations.

Social media’s many threats

An acceptable use policy may also need to consider threats from extensions of a social media company’s services that are separate from its primary platform. For instance, Facebook’s login API presents employees with another risk vector tied to user convenience. Many websites use Facebook’s universal login credentials as a time-saver, sparing users from the need to track multiple passwords. A study posted on Freedom to Tinker, created by Princeton’s Center for Information Technology Policy, identifies two ways third parties can, at present, quietly collect data through Facebook’s login API: by piggybacking on Facebook access granted to websites, and by following users around the web with a hidden tracker.

In the example of the login API, these vulnerabilities were introduced not by bugs, but by a lack of security boundaries between first- and third-party scripts in the modern web. An employee may understand they are to take precautions with social media platforms, but fail to recognize the vulnerabilities introduced by the ways social media APIs interact with other sites. Do not assume these services will adequately protect their own users, even if they are well-established, deeply integrated household names.

Facebook’s breach of trust should be a sobering call to executives to assess how their own company is using social media and “indispensable” cloud-based software suites. While these tools have helped build scale and extend reach, we should never forget that omnipresence and ease of use are double-edged swords.

Chris Roach is managing director and national IT Practice leader at CBIZ Risk & Advisory Services. To reach this contributor, send email to croach@cbiz.com.