Social media security is all about identity management

If I could have 5 minutes of every CIO, CTO and CRO’s time, I would use it to tell them two things:

  1. Managing social media is increasingly a massive exercise in identity management.

  2. Your organization probably has a huge blind spot in this area.

Let’s talk about how so many organizations find themselves in this exact position. It boils down to what I call a “gap in understanding.”

On one side of the gap, you have the social media team. Quite simply, social media teams are generally understaffed and under-resourced. They are tasked with the day-to-day of “doing” social media, which includes responding to comments and questions, creating content, getting approvals, posting the content, executing advertising campaigns, managing agencies, dealing with vendors, managing invoices and thousands of conversations with internal stakeholders. And that’s all before a crisis happens. In other words, social media teams are hella busy doing social media and may not have time to put the effort into managing their social media identities the way they should. In some cases, they don’t understand the importance of doing this well. But more often, the teams know it’s important but simply don’t have the time and resources to do more.

Then on the other side of the gap, you have the IT, security and risk groups within your organization. They are responsible for the protocols and execution for keeping your company’s identities safe. And generally, they do a really good job. But unfortunately, most teams like this simply don’t know enough about how social media management truly works to identify it as a risk to be managed. The nuances of responsibly doing identity management for social media are truly complicated, and most of these IT-related teams simply have no visibility into that world. They don’t even know they should be asking questions about it.

And so, we have a gap in understanding that results in poor social media identity management at many of the world’s largest companies. It’s no one’s fault. But with the increase in hacking events, cybersecurity attacks and most recently ransomware (see Colonial Pipeline), I predict it’s going to be something companies must address in a more systemic way in the near future. I also predict that more and more companies will be caught with their virtual pants down as these incidents become more common and the criminals get smarter. 

If you are currently on the IT/security side of the gap, let me drop a little knowledge on you. Imagine you work for a large company that is global in scale and has several hundred social media accounts across the globe. Here are just some of the identity management things your social media team deals with daily:

  • Maintaining a running list of all those accounts (we call them channels).

  • Keeping and maintaining the passwords for all of the Twitter, Instagram, Pinterest, Snapchat, TikTok, YouTube and other accounts that work with a straight username/login credential system.

  • Managing access for Facebook and LinkedIn accounts, for which access is provisioned through the individual’s personal Facebook or LinkedIn page. Yes, you read that right. There is no other way to do it.

  • Managing the login credentials for the Google accounts that are tied to each YouTube account.

  • Maintaining the company’s Business Manager (Facebook/Instagram) and Campaign Manager (LinkedIn), which are centralized places where access is managed.

  • Maintaining a parallel list of the company’s ad accounts, which are used to do paid advertising on all these social media platforms. In a large organization, there could be hundreds of these, too.

  • Maintaining access for hundreds of people to all of those ad accounts as well.

  • Maintaining relationships with possibly dozens of agency partners and making sure their people are given the right level of access.

  • Maintaining at least a handful of social media-related tools, along with onboarding and ultimately access to them for hundreds of people.

  • Ensuring that people leaving the company or an agency partner are removed from all of these systems in a timely manner, so they do not keep access after they have left.

  • Maintaining records of all of these changes as people come and go in case of audit, lawsuit, regulatory violation or any other issue that might require them to provide records of who had access to what, and when.

It is a gross understatement to say that it is an incredibly matrixed and complicated thing to manage at a large scale. There are literally dozens of touchpoints a day just to ensure access is being maintained responsibly. Just like there’s a protocol for when someone joins or leaves the company (they get an email account, a Microsoft account, a user profile, etc.), there is a parallel process for social media onboarding and offboarding. Adding and removing a user is not a one-click operation. It involves dozens of systems and identities. And I’m guessing you may have thought that managing social media access was as simple as pressing a button. It is 100 percent absolutely not.

So, what can you do?

First, if you don’t know your social media team, set up a meeting and get to know them. Ask them how many of these things they deal with and most importantly, how you can help. There should be an absolute alliance between the two teams at any company – not a gap.

Second, have some high-level internal discussions about this work. Recognize that it is real work that takes time and resources. Discuss whether a dedicated resource or two is needed, and where those resources should sit.

If I had my druthers, I would advise most organizations to create a full-time position or three and have them sit within the social media team with a dotted line to IT. These could be good learning positions for mid-career folks, but I wouldn’t recommend them as entry-level positions unless you have an extremely organized, extremely responsible individual. Managing social media and all of these different systems requires deep expertise in the social media ecosystem and a very high level of touch. Each situation is different, and the tools change all the time. You need someone who is both a social media expert and a security expert to bridge the gap. I would not recommend having IT try to take over the process entirely, the way it handles email provisioning. It won’t work that way. And the needs are too immediate to be done via helpdesk ticket.

Most of all, make sure you start considering social media as part of your overall company identity management effort. It’s long overdue and will help you prevent a cybersecurity incident that has your company in the headlines for the wrong reasons.
