Employee Advocacy; Don`t let lack of security and compliance kill your Employee Advocacy program!

It’s not faithin technology.It’s faithin people. (2).png

In the current turmoil of the "random" data ethics of Facebook - and showing how the platform easily can be - and are  - misused by ill-intended and dubious partys, it must call for IT security officers to re-examine the use of employees using social logins and social connects in work related tools and softwares.

As CMO at RSA Security Holly Rollo`s reveils on the state of Martech security in 2018;

Marketing is on the front lines of risk when it comes to cyberattacks. 75% of IT leaders surveyed believe vulnerabilities from marketing infrastructure will be the source of a breach. Deeper regulations like GDPR have organizations focusing on the digital front door where personal data enters and flows. 

Is your brand value as important and business critical as any other IT infrastructure ?

Off course it is! And no one would even consider allowing employees to use their facebook account to log in to software, network resources or services holding business critical data residing in the company....so why allow it with the company`s brand value ?

Most IT security officers and legal departments are well aware the importance of not allowing the use of social logins and social connects in tools, softwares and SaaS products which their employees use - and this off course also goes for the companys employee advocacy platform.

But apparently many Employee Advocacy admins are not aware of this, or the IT dept. simply haven`t been involved in the implementation as far as I have experienced when introducing our employee advocacy platform Sociuu to prospect customers.

When we built our platform it was imperative that security and compliance was mandatory - both in relations to GDPR and IT security in general. But just as important it was vital that the platform was safe and secure to use both by employees and the company.

Therefore social logins and social connects was discarded right from the start, as it simply represents a wealth of security and compliance issues ;

Responsibility of the employees private social media accounts via the use of them in the EA platfom, and thereby the data exchanged, falls on the company.

The company`s password policies is instantly compromised, as it cannot be enforced on employees private social media accounts. (Btw. Oauth which is the protocol on which social logins rely to authenticate the user is NOT a security measure)

GDPR compliance is mandatory as it is employees private social media accounts used for both social login and social connect - so consent compliance etc. needs to be regarded as if it was data handled & stored from ie. customers or other public sources.

For every employee accessing the EA platform with social login, there is a potential breach of the companies security perimeters. People are in general very careless with their usernames/passwords on their private social media accounts, as numerous research shows.

In case the tool/platform is compromised potentially all employees private social media accounts are made vulnerable and possibly accessable - again responsibility will fall on the company.

There are many more risks and potential breaches in allowing employees using social logins and social connects - and besides protecting the company`s perimeters by not allowing it, it is just as paramount to secure your employees and make sure that they can use the tools, softwares and SaaS products securely and confidently - as it should be in the workplace.

So - in order not to put your hard work and your efforts made with employee advocacy at stake, make sure to involve and consult legal and your IT security prior choosing a platform. And if you are unintentionally using a platform with options to use social logins/connect, investigate whether it can be switched off, and consult your legal/IT security on what to do with the accumulated data from your employees.

Employee Advocacy is at a stage where many companies are adopting it for obvious reasons, and it would be a pity if security and compliance should stand in the way - which it does`nt have to do;-)