Companies: pull your heads out of the social media security sand

Here’s an ugly truth: most companies spend little to no time considering social media governance and security – even though ransomware, malware and other cyber attacks are on the rise and cost big-name companies millions of dollars every year. That’s the equivalent of sticking your head in the cybersecurity sand. But I think there are signs that 2022 may be the year this really changes.

Since it’s Data Privacy Week, it’s a perfect time to discuss why so many companies do this and what your company should do to protect itself. Take action now so your company isn’t an easy target. Criminals love an easy target and will go for the easy target every single time.

Let’s start with how we got here. Even though social media is now prevalent for users of all ages, many people still do not follow best practices even for their personal social media accounts. They re-use passwords, set insecure passwords like “password123” and do not utilize security features like two-factor authentication. How many of your friends have had their Facebook account hacked? Have you? 

So it should be no surprise that the same bad behaviors that endanger personal social media accounts translate to corporate social media as well – especially since so many companies still make fundamental errors in how they resource social media, including…

  • “Social media is free, why do you need people and a budget?”

  • “I do social media for myself, so I can do it for my company.”

  • “The intern/youngest person on staff should do it because they’re young.”

Social Media Today released some really interesting data this week about people’s increasing concern about their personal social media security. Among the most interesting findings:

  • 58% of people said their social media accounts had been hacked in the last year. Let me say that again: 58% in the past YEAR!

  • 81% of people are more concerned about their social privacy than they were last year

  • 69% have deleted or thought of deleting a social media account because of recent social media data breaches 

I sincerely hope the growing concerns over personal social media security will result in increased attention to corporate social media security as well. Companies need to be aware of these things not only to protect their own accounts but also because platforms like Facebook and Twitter will become entirely ineffective communication tools if users bail en masse. The two are definitely intertwined.

There are also some changes that are long overdue from the platforms that would help all companies maintain a higher level of security by default. It’s still insane that Facebook and LinkedIn admin rights are provisioned through someone’s personal account. That means that the risk of a hack goes way up – because any one person who has poor personal social media security themselves can compromise the entire organization’s social media by association.

So what should a company do to mitigate the risks of poor social media security? Below is a quick punchlist of top things you should tackle. In addition, you might want to read some of my more in-depth posts on governance, including The Four Pillars of Good Social Media Governance, Is Your Company Stuck in the Social Media Wild West? and Protect Your Passwords.

Passwords:

  • Make sure you have them all and they are all accurate.

  • Do NOT write them on a sticky note or store them in another insecure place, including an Excel spreadsheet or even a password-protected PDF. Neither is safe. If you are serious, employ a tool like LastPass or Keeper Security to take your security to the next level.

  • Create a schedule for regularly changing all passwords and make guidelines for passwords so that people don’t use easy-to-guess passwords.

Personnel:

  • Make sure you know who has access to your accounts at all times – including consultants, agency partners, interns, etc.

  • Be sure you are actively tracking when people leave the company or change roles so you can change passwords when needed and have accurate records.

Process:

  • Have a standard process for creating new social media channels and shutting dormant accounts down.

  • Create SOPs for onboarding and offboarding people as there is turnover.

  • Consider purchasing a social media management system (SMMS) to help manage channels and keep accurate records of account activity. My top picks in this space are Khoros, Sprinklr, Sprout Social and Hootsuite Enterprise (depending on your organization, scale and budget).

Third parties:

  • If you engage with agency partners or others who work on your social media accounts, be sure you have outlined expectations and guidelines for them. Remember governance extends to everyone who touches your social media – not just internal folks.

  • Make sure you are auditing any third-party apps or systems that have access to your accounts. This is one area where companies consistently fail. It is very common for hackers to gain access to your accounts through a third-party app that is connected to your account but is far less secure. Be sure people are not using the “log in through Facebook” buttons that are prevalent on websites because that establishes a connection between the two platforms. And be sure you are removing anything that is not essential as soon as you can.

Finally, a note on Data Privacy Week. This is an annual event that comes from the National Cybersecurity Alliance. Serna Social is extremely proud to be a Data Privacy Champion for the second year in a row. I encourage you to read more about Data Privacy Week and the NCA here.  

Disclaimer: I am not paid to mention or promote any of the tools mentioned in this post.
