When we think about social media, we think about the nice side of it: staying in touch with friends and family, getting updates about our interests – but the more active we are on it, the more risk we’re exposed to. The more exposed we are in the online space, the more potential there is for risk to a business. Having policies and procedures to secure social media accounts and minimise the potential for incidents can help. So in this blog, I’ll talk about the risks and steps to mitigate them.
More than 4.7 billion people are on social media, and businesses have come to rely on these channels in their everyday operations as a form of advertising, recruiting and more. By one estimate, more than three out of four businesses use social media to interact with their customers.
Recently, a client with several different social media accounts and a large team of people working on them approached BH Consulting to review its security and policies around them. The organisation had suffered reputational damage after one of the team followed some accounts that didn’t fit with its values.
What’s Social Media Security Risks
Some companies might have just one person responsible for running social media accounts, but often this job falls to a team. When there are many people who are working on social media accounts, they need to implement appropriate measures to ensure they’re not open to potential security risks.
Those risks include:
- Fraud, spam or virus attacks
- Falling prey to online scams, resulting in data or identity theft
- Potential for negative comments from employees about the organisation
- Legal consequences if employees use these sites to view or distribute objectionable, illicit or offensive material.
According to figures from Gitnux, the cost of cybercrime on social media is $3.25 billion dollars in annual global revenue. The company’s data also claims that 64 per cent of companies have experienced social media-related incidents like hacking and fraud. It estimates there are at least 30 attempts to take over corporate social media accounts per year, per institution.
Another risk is social media hacking. This isn’t a new concept, but its goal can be to:
- gain the user’s personal data which can be misused later
- cause embarrassment to someone
- be malicious just because they can.
On the business end of account hijacking
Let’s look in more detail at how some businesses have been affected. Disneyland Resorts is a theme park business with 8.4 million followers on Instagram. In July 2022, its Facebook and Instagram accounts were briefly compromised, and four posts appeared with racist slurs, homophobic comments, and a false threat of a new Covid 19 strain. Many people would have seen the offensive posts before the company was able to act and remove them. The incident shows that not all hackers’ motives are financial or data collection. Sometimes, they want to damage the victim’s reputation.
Here’s another example of hackers wanting to cause reputational damage: in February 2013, Burger King’s Twitter account was hijacked and rebranded with the logo of arch-rival McDonald’s. One day later, the same thing happened to Jeep.
A disgruntled former employee of House of Wolf, a gastropub in Islington, London, took over the company’s Facebook and Twitter accounts. As part of their job, this employee had access to the pub’s social media accounts. But when the owners fired that person, it obviously never crossed their mind to change the passwords.
Here are five tips to avoid these kinds of situations, and I’ll cover each one in more depth after that.
- Have a strong social media policy
- Track who has access to your social media accounts
- Implement staff security training for social media
- Continuously monitor social media accounts for potential threats
- Enable multi-factor authentication.
Tip 1: Have a strong social media policy
For any company using social media, the first place we need to start is with a strong policy. And we need to ensure all employees buy into it, whether they’re actively posting on behalf of the company or not. Social media has the power to influence a company’s perception positively and negatively, so it’s important that everyone is on board.
The policy needs to be clear about who’s responsible for the organisation’s social media team (SMT). It should also state that requests for social media accounts should go through this person or unit. They should have final say on who gets access, and be responsible for passwords and security.
- Keep a record of exactly what social media accounts your company has
- Regularly review security settings on your social media accounts, making sure they’re at the most stringent level
- Plan how the business will use social media to promote the brand
- Decide who posts, how often and who approves content
- Monitor social media for spoofs of your account or attempts to impersonate the brand
- Designate a person to oversee and co-ordinate a crisis response
- Decommission old accounts no longer in use.
Tip 2: Track who has access to your social media accounts
It’s essential to be clear about who in the company is on the SMT – and that only this team has the right to access the company social media accounts.
- All team members should read and acknowledge that they have read and understand the social media policy
- All members of the SMT should receive security training (see below)
- Social media should be linked into the joiners, movers and leavers policy
- HR and IT departments should control access to the social media accounts. This way, no one can access these accounts if they are no longer part of the SMT.
Tip 3: Implement staff security training for social media
Set up formalised training about acceptable use of the company’s social media accounts. This should cover guidelines for appropriate access to the companies social media accounts. For example, access to social media accounts is only allowed from company laptops or mobile phones.
- Create training specifically for social media security issues e.g. potential for phishing through social media accounts, malware or use of vulnerable third-party apps
- Give guidance on responsible posting and interacting with your followers online
- Provide clear guidance on following other accounts
- Be wary of the types of individuals and businesses you’re connecting with on social media platforms. Review connections carefully and don’t affiliate with those that appear disingenuous or suspicious.
Tip 4: Continuously monitor social media accounts for potential threats
Check your use of social media management platforms regularly. For example, are they licenced correctly, so that each user has their own login when interacting with your social media accounts.
- Regularly audit logins and posts, to ensure you recognise the devices that are logging in
- Identify and decommission old social media accounts.
Hackers can take over and use old accounts to try and represent themselves as genuine accounts to fool your followers, so it is important not to leave old accounts sitting there unused. If you stop using an account on a particular platform, then go through the proper procedures to disable that account officially.
Tip 5: Enable multi-factor authentication
If you’re using a social media management platform for posting. Check you have appropriately secured the actual accounts, with multi-factor authentication. If this option is unavailable for the platform you intend to use, then use an authenticator app.
As a final point, remember to regularly check and change passwords at appropriate intervals or when members of the SMT leave. Keep a record of new passwords with the appropriate person or unit.
Anne-Marie O’Donnell is a Senior Cybersecurity Consultant with BH Consulting