Third parties: the social media security weak point no one considers
Let’s say you are very diligent about the security of your home. You have a fancy video doorbell. You lock the front door, back door, windows and gate every time you leave the house. You probably think you’ve done enough to secure your residence.
But that’s not true.
An enterprising thief could discover your spare key hidden in one of those fake rocks we all think are so clever. Or perhaps you still keep a spare key under the doormat, making you easy prey. Or, maybe you entrust a neighbor with a spare key and the thief just makes up a convincing story about who they are and why they need to borrow that key urgently. There are a million ways for him or her to break into your house even though you did a good job with the first line of defense.
Sadly, this analogy really speaks to what’s happening in social media security and governance. First, many companies don’t even think about social media security at all, and they are basically leaving the wide windows open for the crooks. But even among those who do have a social media governance program, many overlook these kinds of extended security weak points.
Enter the latest example: Clorox. Everyone’s favorite bleach company recently revealed in court documents that a 2023 hack happened because a third-party technology provider called Cognizant handed over employee passwords without thoroughly vetting the callers to the help desk. In other words, the hackers just called up Cognizant’s help desk, asked for the passwords and received them. No special hacking skills required – just the huevos to ask.
That hack cost Clorox $380 MILLION DOLLARS. I’m gonna say that again - $380 MILLION DOLLARS. If you ever have trouble convincing your leadership that this is something to take seriously, throw that number into the conversation. Cyber events can be financially devastating to companies. That’s why you and your organization have to care.
In all of my work with the world’s biggest companies, it’s often third-party groups that cause the issues. This can take many flavors:
Like Clorox, it could be a third-party vendor who has access to your systems but does not have rigorous security protocols in place.
Or, like that water treatment plant that was hacked in Florida a while back, it could be that a third-party vendor is running outdated and therefore vulnerable software. (The vendor in that case was still operating on Windows 7. Not a typo!)
And, most commonly, security issues are caused by a lack of protocols and procedures relating to third-party partners like agencies who have access to your social media accounts. Without SOPs surrounding password access, rotation and hygiene, many times agency partners maintain access longer than they should have it, own things they shouldn’t own or do things outside of the purview of the people who hired them.
Long story short, if you truly want to secure your social media “house,” you need to look at anything and anyone that touches your social channels and particularly your login credentials. Just locking the doors is not good enough. You need to evaluate all third parties with access, and you need to ensure they are just as secure. Otherwise, you’re just begging a clever hacker to take advantage of your oversight.