Most enterprises don’t think small when it comes to cybersecurity. Bigger is better — bigger budgets, bigger reach, bigger payoff, right? However, at Facebook’s recent F8 conference, Chief Executive Officer Mark Zuckerberg touched on “small” security tactics the site uses to avoid larger issues down the line. Can enterprises benefit from this kind of scaled-down security thinking?

Fast and Stable

While most F8 attendees got what they were hoping for — more about new developer initiatives such as the Messenger Platform and the evolving Facebook Login app — Zuckerberg also made it clear that he is committed to improving security. According to a recent Motley Fool article, safety is vital for users’ ability to trust a social platform.

“We need to put people first by keeping them safe and giving them more control of their experiences,” Zuckerberg said.

Meanwhile, Fortune noted that Zuckerberg had taken to repeating a slightly altered version of a Silicon Valley mantra: “Move fast and break things.” His version? “Move fast and with stable infra.”

So how is Facebook thinking small but getting big results? It starts with events such as Hacktober, which sees the company’s internal security experts trying to dupe other employees into falling for security scams such as phishing attacks and other socially engineered threats. Additionally, the company scatters USB sticks and other devices marked “confidential” around its headquarters and satellite offices and then tracks their use to see which employees take the bait. On the surface, this seems like small potatoes; tricks and traps are hardly enterprise-grade security measures. However, according to Facebook security engineer Ted Reed, the idea here is to create a company culture that is naturally resistant to security threats, which helps limit the chance of a large-scale breach.

Curated Security Tactics

Meanwhile, social sharing site Twitter just debuted a new feature that aims to filter out offensive tweets and notifications. As reported by Naked Security, this “quality filtering” will remove any content that contains “threats, offensive or abusive language, duplicate content” or anything sent from suspicious accounts. The new feature is currently only available to verified Twitter users and those running iOS, but if the service proves to be popular and effective, expect to see this roll out across devices and even to unverified users.

The small lessons here? First is the concept of starting small and only expanding security services as necessary. Spending big on company-wide rollouts does no good if security measures can’t keep up or don’t have their intended effect. Twitter’s effort also speaks to the opposite side of the security coin: While Facebook looks to create a culture of security among its employees, Twitter wants to do the same among users. Not only does this help them feel safe — and more likely to use the sharing app — but it also makes it more likely they will report emerging security issues.

Evolving Information

Professional sharing site LinkedIn is also taking small steps to shore up its security tactics. According to its official blog, the company has launched a new security site to “help our members and the businesses that use LinkedIn better understand our security practices.” The site includes a safety center with tips to protect user information, a list of LinkedIn security practices and a security blog to offer more direct insight into the company’s efforts to keep users safe. The takeaway for enterprises? Information matters. Easy-to-find best practices and usage expectations, combined with transparency about existing security measures, go a long way toward bolstering large-scale security efforts. When employees and users feel like they are in the loop, security becomes more than just a buzzword.

For social media sites such as Facebook, Twitter and LinkedIn, the mandate is clear: Smaller security tactics make a world of difference. The same holds true for enterprises. By getting employees involved, curating user content and providing easy ways to access pertinent security data, it’s possible to think small, spend less and sidestep bigger security issues.
