Last week I talked about how to respond to a Workplace hacking event.

But in reality, it’s far easier to protect your environment than it is to recover it.

So now, I want to make last week’s blog post obsolete.

I want to make sure that you never actually need an emergency response plan to a successful Workplace hack.

How?

By helping you make your instance of Workplace more secure.

But first, I want to dispel some myths.

Some of the feedback I got last week was quite predictable:

‘Facebook is reading your data.’

‘If you put your company data on Facebook then you deserve everything you get.’

The list goes on.

And I get the concern:

Facebook as a brand has issues with its reputation when it comes to data.

But as I write this, there have been no breaches or confirmed cases of data loss as a result of Workplace.

Now, we all know that there’s no such thing as a system that’s 100% secure.

Microsoft and Google have both been found to be in contravention of GDPR – and Cisco, British Airways, the NHS and Reddit (and many more) all suffered data losses in 2018.

Workplace is ISO 27001 and ISO 27018 certified, and has a public SOC 3 report which I can share with anyone who’s interested.

(There’s also a SOC 2 report, but that requires you to sign an NDA – talk to me if you’d like to know more).

Workplace is an exceptionally secure system. But it can only be as secure as the weakest link in the chain.

And this post will help you strengthen those weakest elements.

So let’s start with the big one:

Authentication

Workplace has its own authentication mechanism which it will use by default.

Facebook calls this ‘Password’ authentication.

From a technical perspective, it’s extremely secure (it’s effectively what consumer Facebook uses for its 2+ billion active users).

But it has some limitations from a process point of view. Passwords never expire, sessions never expire, and there are no controls to manage MFA (Multi Factor Authentication) in bulk.

So to help with this, I would encourage most organisations to look at an alternative authentication mechanism, ideally using an IDP (Identity Provider).

Workplace supports SAML (Security Assertion Markup Language) authentication.

That means that any SAML 2.0-compliant IDP will work.

But in particular, it has specific support for the big players in the market: Okta, Google, Azure, OneLogin and Ping. There are also some easy-to-follow guides for ADFS and Auth0.

Once we’ve enabled SSO authentication (Single Sign-On), we can now tweak some of the default settings.

By default, SAML re-authentication is set to never expire – so we’ll need to change that to something shorter. This interval is also the longest an existing Workplace session can outlive a user being disabled at the IDP (unless the account is deactivated in Workplace too), so pick something short enough to be meaningful.

You can do this under the Authentication tab in the Security section of the admin panel.

While you’re there, it’s also worth changing the default authentication mechanism for new users to SSO – or better still, turning off Password authentication entirely (having first worked out how your admins get in if the IDP is ever unavailable).

(Screenshot: Admin Security settings)

With these changes in place, we can start to think about the next important element:

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (or Two-Factor Authentication) simply means proving something more than your password when you log in: typically something you have, such as a phone, an authenticator app or a hardware key.

You’ve almost certainly seen this when using online banking or when shopping online.

The shop sends you a text message with a code you enter into their website. And this extra step proves that you have more than just a password: you also have access to the phone number associated with the account. (Text-message codes are the weakest of the common options, since phone numbers can be hijacked by SIM swapping; an authenticator app or hardware key is better where your IDP supports it.)

Think of it like an extra piece of the puzzle (and an extra layer of security) when proving that you are who you say you are.

All of the IDPs mentioned above support MFA – and each has its own mechanism for enabling it.

I would strongly suggest that you use MFA for all of your users. But at the very least, you absolutely must do this for your admins.

If you’re using Password Authentication, then things get a little trickier.

IDPs give admins the power to force users to use MFA – but Password Authentication doesn’t.

Any user can enable it, but there’s no way for your admins to enforce it.

This guide shows you the process that your users will have to go through, but it’ll be down to your education and governance processes to make sure people actually do it.

(And when it comes to your admins, I would personally stand next to them and watch them enable the setting. Don’t take risks with your admin accounts!)

User life cycle

People come and people go. And those who leave your organisation pose a potential security risk if they still have access to your data.

Let’s say one of your colleagues is head-hunted by a competitor. If you don’t disable their account, that person could be passing on your secrets to their new employer (your competitor).

The simplest way to manage this is to align your security measures with your existing user life cycle process and to make sure it’s robust.

If your HR system is feeding your IDP then the account of the person leaving should get disabled in the HR system. It should then sync to the IDP and sync again to Workplace.

Just make sure you test it! Test how your HR system works with your IDP, and fix any gaps in the process.

What happens if the manager doesn’t report the colleague as a leaver? Are there any processes you can introduce to mitigate this?

Unfortunately, this problem is bigger than Workplace.

The user would still have access to email and file sharing tools like Dropbox and OneDrive – or any other systems which connect to the IDP. So this is an opportunity to use your Workplace program to enhance the security of your overall estate.
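The test the post asks for above (does the HR leaver process actually reach Workplace?) can be done as a simple reconciliation. The script below is an added example, not Coolr’s or Facebook’s code; it assumes two exports you can already produce, an HR roster and a Workplace account list, and the records in it are constructed sample data rather than real people.

```python
"""Reconcile an HR leaver list against the accounts still active in Workplace.

Added example, not Coolr's or Facebook's code. It assumes two exports you can
already produce: a roster from the HR system (email, status, leaving date) and
an account list from Workplace (email, active flag, last login). Both inputs
below are constructed sample data, not real records.
"""
from datetime import date, timedelta

# Constructed HR export. "status" is what HR believes; "left" is the leaving
# date, or None for current staff.
HR_ROSTER = [
    {"email": "joe.bloggs@yourcompany.com", "status": "active", "left": None},
    {"email": "sam.jones@yourcompany.com", "status": "leaver", "left": date(2019, 2, 1)},
    {"email": "frank.smith@yourcompany.com", "status": "leaver", "left": date(2019, 2, 20)},
]

# Constructed Workplace account export (what the admin panel would show).
WORKPLACE_ACCOUNTS = [
    {"email": "joe.bloggs@yourcompany.com", "active": True, "last_login": date(2019, 2, 25)},
    {"email": "sam.jones@yourcompany.com", "active": True, "last_login": date(2019, 2, 24)},
    {"email": "frank.smith@yourcompany.com", "active": False, "last_login": date(2019, 2, 19)},
    {"email": "contractor@agency.example", "active": True, "last_login": date(2019, 1, 3)},
]

TODAY = date(2019, 2, 26)  # fixed so the sample is reproducible


def reconcile(hr_roster, workplace_accounts, today=TODAY, grace_days=1):
    """Return the gaps between HR and Workplace.

    - "should_be_disabled": HR says leaver, left more than grace_days ago, but
      the Workplace account is still active. This is the failure the
      HR -> IDP -> Workplace sync is supposed to prevent.
    - "orphans": active Workplace accounts with no HR record at all, so no
      leaver process will ever disable them.
    - "logged_in_after_leaving": leavers whose last Workplace login is after
      their leaving date, i.e. evidence the gap was actually used.
    """
    hr_by_email = {p["email"].lower(): p for p in hr_roster}
    findings = {"should_be_disabled": [], "orphans": [], "logged_in_after_leaving": []}

    for acct in workplace_accounts:
        email = acct["email"].lower()
        person = hr_by_email.get(email)
        if person is None:
            if acct["active"]:
                findings["orphans"].append(email)
            continue
        if person["status"] != "leaver":
            continue
        deadline = person["left"] + timedelta(days=grace_days)
        if acct["active"] and today > deadline:
            findings["should_be_disabled"].append(email)
        if acct["last_login"] and acct["last_login"] > person["left"]:
            findings["logged_in_after_leaving"].append(email)
    return findings


def run_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_ROSTER, WORKPLACE_ACCOUNTS)


if __name__ == "__main__":
    for kind, emails in run_sample().items():
        print(f"{kind}: {', '.join(emails) or 'none'}")
```

Run it on a schedule against real exports and treat any non-empty list as an incident in its own right: an account that should have been disabled is the leaver-gap scenario above, and an orphan is an account that no process will ever clean up.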

Once you’ve tidied up the processes surrounding your staff turnover, it’s time to start looking at some of the more technical bits of Workplace:

Integrations and Bots

I’m a massive advocate for integrations.

But as another possible route for an attack, it’s vital that you’re careful with them.

Luckily, Facebook has a built-in integrations directory. That means that if you get your integrations through the official directory, you can be assured that Facebook has reviewed the application and deemed it secure (and in some cases subjected it to OWASP testing).

You can also get integrations outside of the directory (they’re called Custom Integrations).

But with these, it’s up to you to review the application and specific vendor – and to understand what they are doing with your data.

In most cases, it just involves a bit of common sense. By looking at the permissions you’re being asked to grant, you can decide whether an integration is asking too much. Does that calendar bot really need to view all private messages in order to accomplish its task?

Custom Integrations will require you to share a security token with the vendor (or your internal IT team).

Protect that token like your own password.

Don’t send it over email, and don’t store it in a text file on your laptop. Because if a hacker gets that token, they can do anything that your vendor can.

Luckily, monitoring integrations is about to get a lot easier:

Facebook is about to roll out a feature which lets you see exactly what your integrations are doing. So if they’re looking at private messages when they really shouldn’t be, you’ll be able to see it more easily.

You’ll also be able to review the permissions you’ve given the integration.

Let’s say you’ve allowed it to grab the email address of a user, but it’s never actually used that permission. In that case, Facebook will automatically revoke that permission – helping to automatically strip down the permissions you grant to the absolute minimum that you really need.

So, to recap:

  • Only give integrations the permissions they need.
  • When you’ve finished with them, delete them.
  • Treat the access token as a credential: keep it out of email and plain-text files, and regenerate it if it is ever exposed.
  • And if the integration interacts with another system, whitelist its IPs so the token only works from where you expect.

(Screenshot: Admin Security Dashboard)

Security Dashboard

At the time of writing, Workplace’s Security Dashboard isn’t fully rolled out. So it might not be available in your instance yet – but it is coming in the very near future.

Check this screen daily or push its data into your SIEM of choice (see the next section).

Let’s go through the features:

1.    Accounts at risk

Facebook checks breach-data sources such as Have I Been Pwned and flags the accounts of your users whose credentials may have been exposed.

Unfortunately, humans love re-using their passwords – and they have a habit of using their work email addresses for non-work sites.

If Facebook finds joe.bloggs@yourCompany.com on HaveIBeenPwned, you’ll be notified here, and you’ll have the opportunity to force a password change and expire their login session.

2.    Malware upload blocked

If Joe Bloggs accidentally uploads ‘virus.exe’, this will alert you and give you the opportunity to speak to them and improve their training.

3.    Integration created & edited

Integrations can access almost every aspect of your Workplace instance.

So it’s crucial that you know which integrations you have and (perhaps more importantly) when they change.

If you have an integration with a benign name like ‘Out of Office bot’ – but that integration actually has permissions to create new users – then this interface will tell you.

4.    Profile data download request

In order to comply with GDPR, admins have the option to enable a feature which lets end users download all of their information about themselves from Workplace.

This is both powerful and dangerous, as it allows your colleagues to export company information.

Most companies disable this feature, and find other ways to comply with the GDPR requirements instead.

5.    Accounts promoted to admin

Do I need to explain this?

If someone compromises your system, they’ll often leave themselves ‘back doors’ to help them regain access after you shut down their main entry point.

Creating new admin accounts is a blunt and obvious way of creating a back door – but it’s not uncommon for hackers to try it.

At the top of the screen you’ll also see a tab called ‘log’.

This will give you access to a log of all security events – such as log-ins, integration changes, and any downloading of files.

You can download this log if you like. But there are better, less manual solutions below.

(Screenshot: Admin Log)

Webhooks for activity logging

Most of the events above can also be pushed to another system so you can automate a response.

To do this, you first create an integration, and then grant it the ‘Read security logs’ permission.

Once you’ve done that, look at the ‘Security’ tab in the ‘Configure webhooks’ section:

(Screenshot: Admin Webhooks configuration)

Most of the security events mentioned above are also available here, along with other features, such as logging when someone joins a Multi-Company Group (MCG).

This will POST data to a webhook which you need to set up.

So what’s a webhook?

Essentially, a webhook is just an HTTPS endpoint you host on the publicly facing internet, which Facebook calls whenever an event happens. Because it is public, it must check that each request really came from Facebook (each POST is signed) rather than act on anything that turns up.

So let’s say that Joe Bloggs joins an MCG. Facebook will send that as a POST to your webhook – and your webhook can then process it and generate a workflow.

At a basic level, it might just log the event. But if something more serious happens, it should probably take some action.

In the event of the compromised_credentials webhook being fired, for example, I would trigger a password reset and then email the user to inform them.
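Here is what that receiver looks like end to end: verifying the subscription, checking the signature on each POST, and turning a compromised_credentials event into the password reset and email described above. This is an added example, not Coolr’s or Facebook’s code. It assumes the Facebook webhook conventions (a one-off GET with hub.mode, hub.verify_token and hub.challenge at registration, and an X-Hub-Signature header carrying "sha1=" plus an HMAC-SHA1 of the raw body keyed with your app secret); the payload shape, the user_email field and the admin_promoted field name are constructed for illustration, and APP_SECRET and VERIFY_TOKEN are placeholders.

```python
"""Receive Workplace security webhooks, verify them, and decide on an action.

Added example, not Coolr's or Facebook's code. It assumes the Facebook webhook
conventions: a one-off GET with hub.mode / hub.verify_token / hub.challenge
when you register the URL, and POSTs carrying an X-Hub-Signature header holding
"sha1=" + HMAC-SHA1 of the raw body keyed with your app secret. The payload
shape (object/entry/changes/field/value), the user_email field and the
admin_promoted field name are constructed for illustration; only
compromised_credentials is a field name the post itself refers to.
"""
import hashlib
import hmac
import json

APP_SECRET = "replace-with-your-integration-app-secret"   # hypothetical placeholder
VERIFY_TOKEN = "random-string-you-chose-at-registration"  # hypothetical placeholder


def verify_subscription(params, verify_token=VERIFY_TOKEN):
    """Handle the registration GET. Return the challenge to echo back, or None."""
    if params.get("hub.mode") == "subscribe" and hmac.compare_digest(
        params.get("hub.verify_token", ""), verify_token
    ):
        return params.get("hub.challenge")
    return None


def signature_is_valid(raw_body: bytes, header: str, secret: str = APP_SECRET) -> bool:
    """Constant-time comparison of X-Hub-Signature against our own HMAC."""
    if not header or not header.startswith("sha1="):
        return False
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(header[len("sha1="):], expected)


# Maps a security webhook field to the response we want to automate.
PLAYBOOK = {
    "compromised_credentials": ["force_password_reset", "expire_sessions", "email_user"],
    "admin_promoted": ["alert_security_team"],  # hypothetical field name
}


def handle_post(raw_body: bytes, headers: dict, secret: str = APP_SECRET):
    """Return (http_status, list of (action, user) pairs to carry out)."""
    if not signature_is_valid(raw_body, headers.get("X-Hub-Signature", ""), secret):
        return 403, []  # never act on an unsigned or forged POST
    payload = json.loads(raw_body)
    if payload.get("object") != "security":
        return 200, []  # acknowledge it, but it is not for this handler
    actions = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            user = change.get("value", {}).get("user_email", "<unknown>")
            for action in PLAYBOOK.get(change.get("field"), ["log_only"]):
                actions.append((action, user))
    return 200, actions


def sign(raw_body: bytes, secret: str = APP_SECRET) -> str:
    """What the sender would put in X-Hub-Signature (used here to build the sample)."""
    return "sha1=" + hmac.new(secret.encode(), raw_body, hashlib.sha1).hexdigest()


# Constructed sample event: Joe's work email turned up in a breach dump.
SAMPLE_BODY = json.dumps({
    "object": "security",
    "entry": [{"id": "1", "time": 1551100000, "changes": [{
        "field": "compromised_credentials",
        "value": {"user_email": "joe.bloggs@yourcompany.com"},
    }]}],
}).encode()


def run_sample():
    """A correctly signed POST, then the same body signed with the wrong secret."""
    good = handle_post(SAMPLE_BODY, {"X-Hub-Signature": sign(SAMPLE_BODY)})
    forged = handle_post(SAMPLE_BODY, {"X-Hub-Signature": sign(SAMPLE_BODY, "wrong")})
    return good, forged


if __name__ == "__main__":
    print(run_sample())
```

The point of the playbook table is that the webhook receiver only decides; the actual reset and email go through whatever admin API or ticketing tool you already use. Note that the signature is checked over the raw bytes before the JSON is parsed, and that a forged request gets a 403 and no action at all.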

You should also look at the other webhook tabs. It’s slightly beyond the scope of this blog post, but you may want to consider logging your users’ activities.

Imagine this Workplace Chat conversation taking place:

Frank: Hi, Sam. I work on the helpdesk and I’m looking at your support ticket now. Before we get started, what’s your password?

Sam: Hi, Frank. My password is SillyPerson321.

Sam then realises he shouldn’t have sent this message, and he deletes it: 

Sam: Hi, Frank. My password is SillyPerson321.

Sam: Sorry Frank. I can’t give you my password.

If you log all events to a SIEM tool, you would have captured the whole of the above conversation – including the parts that were deleted.

By contrast, if you look at the UI or request the conversation through the API, you would only see the following:

Frank: Hi, Sam. I work on the helpdesk and I’m looking at your support ticket now. Before we get started, what’s your password?

Sam: Sorry, Frank. I can’t give you my password.

So as you can see, the API and UI are ‘point in time’.

They show how the conversation looks now – but they don’t give you the complete picture.

Webhooks, on the other hand, show a timeline of what happened and allow you to reconstruct how the conversation looked at any moment in time.
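The difference between the two views is easiest to see by replaying an event stream. The script below is an added example, not Coolr’s or Facebook’s code: it uses a constructed, simplified event shape (type, time, message id, sender, text) standing in for whatever your receiver writes to the SIEM, not the real Workplace payload fields, and reconstructs both the point-in-time view and the full history from it.

```python
"""Replay a stream of chat events to see the conversation at any moment.

Added example, not Coolr's or Facebook's code. The event records are a
constructed, simplified shape (type, time, message id, sender, text) that
stands in for whatever your webhook receiver writes to the SIEM; the real
Workplace payload fields differ and are not reproduced here.
"""

# Constructed event stream, in the order a webhook would deliver it.
EVENTS = [
    {"type": "message", "t": 100, "id": "m1", "from": "Frank",
     "text": "Hi, Sam. I work on the helpdesk. Before we get started, what's your password?"},
    {"type": "message", "t": 101, "id": "m2", "from": "Sam",
     "text": "Hi, Frank. My password is SillyPerson321."},
    {"type": "delete", "t": 102, "id": "m2"},
    {"type": "message", "t": 103, "id": "m3", "from": "Sam",
     "text": "Sorry Frank. I can't give you my password."},
]


def view_at(events, t):
    """The conversation as the UI or API would show it at time t (point in time)."""
    messages, deleted = {}, set()
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["t"] > t:
            break
        if ev["type"] == "message":
            messages[ev["id"]] = ev
        elif ev["type"] == "delete":
            deleted.add(ev["id"])
    return [(m["from"], m["text"]) for m in messages.values() if m["id"] not in deleted]


def full_history(events):
    """Every message ever sent, with a deleted flag: the SIEM's timeline view."""
    deleted = {ev["id"] for ev in events if ev["type"] == "delete"}
    return [(m["from"], m["text"], m["id"] in deleted)
            for m in sorted(events, key=lambda e: e["t"]) if m["type"] == "message"]


def find_password_disclosures(events, pattern="password is"):
    """Senders of messages that look like credential sharing, deleted or not."""
    return [sender for sender, text, _ in full_history(events) if pattern in text.lower()]


if __name__ == "__main__":
    print("now:     ", view_at(EVENTS, 103))
    print("at t=101:", view_at(EVENTS, 101))
    print("history: ", full_history(EVENTS))
    print("flagged: ", find_password_disclosures(EVENTS))
```

The detection at the end is the practical payoff: because the SIEM keeps the deleted message, a rule looking for shared credentials still fires, and a follow-up with both Sam and "Frank" can happen even though the UI now shows an innocent exchange.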

Compliance software

As I hope I’ve made clear above, you can protect your environment through a combination of common sense and manual monitoring.

But as with all platforms, the manual work can become time-consuming – so you might consider looking at a Security & Compliance tool to help you.

Netskope and Wiretap’s Aware are available from the Integration Library, and there are also a few options outside of the library, such as Revevol’s Harbor.

These are powerful tools and if they suit your business and your budget then I’d strongly recommend them.

The problem is that you probably already have a security infrastructure and your existing tools might not have added Workplace support yet.

This can be wasteful and expensive – and it may even be against your internal policy.

So I’d always recommend that you reach out to a Workplace partner (such as Coolr) to help you decide which tools are suitable, and whether you should look into building an integration with your existing security infrastructure.

Ready for a more secure Workplace?

We’ve covered a lot of ground here – and I hope this has been helpful.

But while there are plenty of powerful features to help you make your instance of Workplace more resilient, remember this:

No system is perfect.

And that means you should always be vigilant when you administer internet-facing systems – whether that’s Workplace, Office 365, G Suite or anything else.

Protect your data, your people and your processes – and then monitor everything.

And never forget that this is an ongoing challenge:

Hackers are changing their tactics – and that means we need to change ours.

While this blog is comprehensive at the time of writing, there are likely to be developments in the near future, and I’ll do my best to keep coming back and updating this post whenever we learn something new.

But that doesn’t mean you shouldn’t do your own research, too.

If you’ve got doubts, concerns, or questions about how secure your instance of Workplace is, please do reach out to me: anthony@wearecoolr.com
