
What does the Cambridge Analytica scandal mean for Workplace?

The recent allegations about Cambridge Analytica using data obtained via Facebook to influence elections have made a serious dent in Facebook’s reputation. Its share price fell by 7% and MPs have summoned CEO Mark Zuckerberg to give evidence over the “catastrophic failure of process”.

Inevitably, this has led to those using Facebook’s enterprise product, Workplace, to ask if their company conversation is safe on the platform.

From a technical perspective, nothing’s changed. The suspension of Cambridge Analytica and SCL Group from Facebook was not due to a data breach – no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

Instead, the ‘hypertargeting’ of political advertising was based on information users gave away about themselves and their friends via a quiz app. In a post on Facebook, Zuckerberg explains what happened in detail – and how changes to the platform in 2014 mean sensitive data can no longer be collected.

In any case, Workplace doesn’t host apps such as quizzes, nor does it allow advertising, so any suggestions that employees could be subject to manipulation in the same way are wide of the mark. It’s simply not possible.

The old adage “if you’re not paying for the product, you are the product” applies here in reverse. Workplace is a paid-for product, and in return companies using it can expect that their data is not sold on. Your company data remains yours.

Nonetheless, Facebook have sought to reassure businesses using Workplace:

“Protecting people’s information is at the heart of everything we do, across both Facebook and Workplace. Workplace is set up differently than consumer Facebook. Workplace user accounts are created separately, rather than using consumer Facebook accounts. There is absolutely no connection between Workplace and the suspension of Cambridge Analytica and SCL Group. Workplace has security certifications to serve the largest companies in the world, including banks and governments.”

For more information on Workplace’s security credentials, take a look at the Workplace security page.

But the real challenge for digital workplace teams is managing the impression that this creates. Perception is every bit as important as reality and the last thing anyone needs when driving adoption of enterprise social is a nagging sense that it’s unsafe or unethical.

Over the past few days outrage has grown over the amount of data Facebook holds on each of us, including – for those using phone apps – details of users’ phone contacts and SMS messages. Both users and IT teams will be asking tough questions about whether Facebook are also doing the same with enterprise users’ phone data, for example.

Facebook have struggled to understand the stakeholder engagement challenges that come with building and maintaining support for use of social tools inside the enterprise, and it’s unlikely this will change now. Don’t expect a huge amount more support from Facebook themselves beyond the statement above, which has also been shared with customers.

More positively, scandals like this can be useful in driving home a message to users about information security. Remember, in the Cambridge Analytica scandal data wasn’t ‘hacked’, but freely given away by individuals. This illustrates the importance of individual responsibility in keeping data safe. The weakest link in any information security policy isn’t systems – it’s people.

This could be a good time to remind users about their obligations in looking after personal and sensitive data.

Users often have a sharp appreciation of the sensitivity of their own data, but a more lax view of other people’s data. We are aware of one multinational that launched an intranet with quick access to payslips direct from the homepage, which created significant noise and employee anxiety. The reason? Other employees could get a sneak view of their payslip when they stepped away from their laptops. Their advice — and ours! — was to invite employees to lock their laptops, preventing unauthorised access to personal and corporate data alike. Employees don’t tend to consider them equally important, but their companies do.

Workplace is not an appropriate place to share or store personal or customer data. This episode is a timely reminder why this is and should remain the case. We hope this also prompts Workplace to make this easier for organisations to enforce through the platform.

Finally, remember that Facebook’s own standards only apply to the platform itself. If you’re using any third-party integrations such as bots or file storage, you’ll need to check the security standards of these too as they may differ.

Has the Cambridge Analytica scandal made your users and stakeholders worried? How have you responded to this? Let us know in the comments below.




There is 1 comment

  1. Lee Bryant

    Hi Sharon,

    Good measured piece on the data / privacy side of the issue. I wonder what you think about the potential negative dynamics that the FB model could bring to workplace dynamics and collaboration? Arguably, consumer FB has dumbed down a lot of our online social interaction to the level of cupcakes and kittens, and their opaque newsfeed algorithm has a real impact on what we see more and less of; plus, it conditions us to chase likes and social validation compared to platforms like Medium or Quora that share much more thoughtful content. In an enterprise environment, I would really not want to see the same negative effects play out in the digital workplace. So I think there is a question of social system design as well as just data / privacy, and looking at the impact FB has on our psychological wellbeing, I think companies should consider these issues carefully before inviting FB Workplace in. The old joke that Twitter makes you hate strangers, but FB makes you hate your friends might just have a ring of truth to it IMHO 😉

