Last month, businesses and consumers around the world were shocked to learn that Facebook enabled third-party companies to collect the personal information of more than 87 million Facebook users. As Facebook’s public relations apparatus shifted into damage control mode and issued fervent apologies, we saw Mark Zuckerberg publicly admit to a “huge mistake” and promise to adjust his company’s third-party consent policies (forcing advertisers to prove they have user consent). In the wake of all this, accounting firms are left wondering how this breach might affect the security of firm and client data — and what procedures they should implement to protect that data.
This enormous data scrape by Cambridge Analytica exploited certain loopholes, which made the violation technically legal, but ran afoul of Facebook’s Terms of Service — and has evoked consumer enmity. Most Facebook users didn’t realize that third-party apps could acquire personal information not only from those who gave consent, but also from the friend’s accounts of those who gave consent. The result was that if you were Facebook friends with someone who agreed to share data with a third-party app, then that third-party app could acquire whatever information you let your Facebook friends see. The loophole also allowed businesses to share Custom Audience data from one account to another, facilitating the illegal sale of consumer information.
Here are three actionable steps that should be on your radar:
1. Secure Your Business’s Facebook Page
More than 60 million businesses have Facebook pages. If you’re one of them, then you must review the security settings of your page and the administrative accounts associated with your page.
Start by reviewing and updating your page settings, permissions, and administrative accounts. Avoid setting a “Featured Admin,” or else that admin’s name and Facebook account will be visible to those looking at your page. Exercise extreme caution when downloading or installing apps that add features to your Facebook business page. Any of these apps could eventually be compromised — and if those apps are compromised, they could be used to scrape data from your business page.
2. Understand Data Collection Rules
If you advertise your accounting firm on Facebook, then you may want to consider joining businesses like Mozilla and Sonos in indefinitely suspending your Facebook advertising. Despite Facebook giving access to more than 2 billion active monthly users, a growing number of businesses have elected to shift away from Facebook and focus on other advertising opportunities.
Should you decide to continue advertising with Facebook, ensure that you carefully review all new rules regarding data collection and user consent, including a tool that requires you to confirm you received consent before you collect email addresses and a new streamlined privacy and security page. Also keep in mind that as alarmed users update their privacy settings and limit which ads they want to see based on their interests, you may see decreased return on your advertising investment.
3. Educate Your Clients
Depending on your client’s level of technology literacy, they may seek your help in understanding that social media isn’t innocuous — rather, it poses very real threats and dangers in regard to protecting their personal and business data.
For example, in one experiment, Sophos created two fake Facebook accounts to see how easy it would be to steal personal data from users. Forty-six percent of users accepted the requests, giving the company access to full birthdates, email addresses, and locations — in what was a relatively unsophisticated experiment. Note that nearly half of all participants elected to provide their information without a second thought, demonstrating a widespread problem that may directly affect your clients.
This lack of awareness provides you with an opportunity to become a valuable resource by educating your clients on the risks inherent in storing data online and allowing unfettered access to that data from social media applications. Advise your clients to carefully protect their accounting login information and limit how and when their data is shared. Another immediate step they can take is to avoid single-sign-on authentication to social media accounts like Facebook, Twitter, Google, and any programs that have access to their personal information, including payment details.
In today’s complex software and application environment, data security isn’t a given. The Cambridge Analytica scrapes – Facebook data debacle is yet another example of just how vigilant accounting firms must be in defending themselves against unwanted data exposure. These global data breaches and cyberattacks also present an opportunity for accounting firms to grow the trust relationship with their clients by educating them on how to protect their personally valuable data online.