Security rules for social networks won't resolve breaches

Establishing basic security standards on social networks is unlikely to be effective in thwarting hacks and data theft, since user data on these platforms isn't necessarily considered critical.
Written by Jamie Yap, Contributor

Recent cyberattacks on social networks have raised concerns over the safety of user data. However, any call to establish mandatory security regulation or standards for this industry will be limited because data on social media is not considered critical and safeguards do not guarantee hackers will not strike again.

Twitter last week revealed some 250,000 of its users were affected in a security breach, giving hackers access to usernames, e-mail addresses, and encrypted versions of passwords. Social networking juggernaut Facebook also experienced several hacks in the past, including one as recent as last month, when Israeli hacker Hannibal claimed he had stolen 185,000 logins from Arab users.

As social networks increasingly are used as a dominant communication channel by consumers and companies alike, the value of these platforms and information shared also increases. Hence, if information on social media is lost, leaked or stolen, it can result in serious consequences, warned Luis Corrons, technical director of PandaLabs at Panda Security.

Jake Wengroff, social technologies analyst at Gleanster, though, argued that while the volume of data amassed is vast, it does not involve critical information. "[That is, unless] you consider gender, age, location, and shopping and entertainment preferences to be 'critical'," Wengroff said.

"Companies will not ask individuals to enter their credit card information on the social network platform, but direct them to a phone number or staff member. Even power users [of a social network] themselves also will not upload their credit card information to their online profile," he pointed out.

But while there is little confidential information in, for example, a Twitter account, hackers can exploit such data to gain access to other information such as the user's e-mail address, he noted.

Jonathan Andresen, Asia-Pacific product marketing director at Blue Coat, added that social networking inherently is about users sharing and interacting freely, so it is not a viable option for individuals and businesses to reveal sensitive data on the platform.

But attacks on these networks cannot be ignored or treated lightly because a large number of people can easily be hit within a short period of time, Andresen pointed out.

Mandatory security standards won't plug holes
And even if there were mandated security standards for social networks, for example, similar to those in the banking sector, these would not be as effective or sufficient in addressing the issue.

Joseph Steinberg, CEO of Green Armor Solutions, for one, said government-created cybersecurity regulations can be overly restrictive and process-intensive, thus hampering progress.

In addition, regulations may also be ineffective because the government body in charge is subject to influence by large corporations, lobbyists, and special interest groups. "Often, [it] creates regulations that appear to be subjective and designed to drive business to vendors of specific technologies, regardless of whether such technologies adequately address the security concerns at hand," Steinberg explained.

Panda Security's Corrons added that increased regulation does not automatically lead to greater safety or guarantee that attacks will not happen.

Social media companies themselves are well aware of the risks their networks are exposed to, he noted. Since they handle personal and sensitive information, they will implement their own security measures and build their own security teams. Failure to do so could result in them losing their customers, he said. Facebook and Twitter, for example, implemented HTTPS connections a few years ago to enable secure browsing of their sites, Corrons said.

Paul Ducklin, head of technology for Asia-Pacific at Sophos, concurred, noting that social media companies already do face regulatory pressure, albeit in other forms, such as privacy laws and breach disclosure laws.

If mandatory minimum standards were implemented as part of an anti-hacking law, this would lead some to question why these special rules should apply to social media, when they should also apply to every Web property, Ducklin noted.

Breach disclosure laws are the necessary first step, considering not all jurisdictions worldwide have them in place, he said.

"There's no point having strict rules about security if you can violate them and then have no obligation to tell anyone," he said.
