Between the most recent Sony hack and some very prominent
social media mistakes over the last few years, social media security is top of
mind for a lot of companies right now. Most
of the cases that make news are a result of phishing attacks, poor password
management, or poor social media tool and process management. Brand Twitter accounts have been particularly
vulnerable to security or process failures.
For example:
- Sony Corporation is compromised during
events surrounding the release of “The Interview”
- US Airways accidentally tweets an
extremely NSFW image when it replied to a customer.
- Burger King and Jeep had their
Twitter accounts rebranded and hackers went on a juvenile rampage commenting
from those accounts. In both of these cases,
the root account password was stolen by hackers due to failures in email
security.
- Kitchen Aid, Microsoft, StubHub,
Chrysler, Red Cross, The Vatican, and even Twitter itself have all posted
inappropriate or offensive content when someone with access to multiple
accounts on the same device published to the corporate account by mistake.
- The Associated Press (AP) Twitter
account was the victim of a phishing scheme.
During the time the account was compromised, the AP account erroneously
reported a bombing in the White House. This threat damaged brand credibility, caused
their Twitter account to be suspended, dropped their fan base from 2 million to
100,000 followers (although they gained most back.) The false bombing report also
caused a 143 point drop in the Dow Jones stock market index.
The potential negative impact to a brand or a company from a
security breach or social media snafu can be huge. However, in most cases, these types of
incidents can be avoided with the proper planning, workflow, and some good old-fashioned
common sense.
Here are some security practices that everyone should be
aware of:
Part 1) Creating Accounts on Social Platforms
Don’t register your brands social media accounts with
your personal email address.
The registered owner of all social media accounts should be
an official address at your company’s domain.
Don’t use your personal email
(like your yahoo address) and don’t use your personal corporate email if
you can avoid it. Best case is to create
a new unique email address on your corporate domain – if you register a lot of
accounts, perhaps more than one.
- You want to use an email on your
corporate domain whenever possible, it can make proving that your company is
the authorized owner of the account a little easier should the need arise.
- If you can create a stand-alone email
account – even better. After all, if the
account is registered to johnsmith@company.com
- what happens when John leaves the company?
- Sometimes, however, you are not able
to use a corporate account. YouTube and Google+ typically require a Gmail
account. (Of course they do.) For these platforms, you can create a new Gmail
account only for this purpose – don’t use your personal one. (Google recently
changed this policy and you can now sign up without using Gmail using the link:
https://accounts.google.com/SignUpWithoutGmail
)
- Facebook requires that your personal
Facebook account connect to the brand page to serve as an admin. That’s fine, but I would strongly recommend
using a Facebook Business Account whenever possible to manage your brand pages
within the Facebook environment. Read more at https://business.facebook.com/
A quick note about Agencies:
If you are a brand, your advertising or marketing agency might be
creating these accounts on your behalf.
Make sure that when they are creating your brand’s accounts – they do so
using one of your own company’s email addresses. Some agencies have a practice of creating
accounts with agency emails. If you ever decide to take your business to
another agency – you might have a challenging time getting ownership of your
own account! (And personnel turnover at
agencies is another issue to be aware of….)
Use a strong password, and keep it safe!
You know the rules for a strong password. Passwords should be at least 8 letters, a mix
of lowercase and capital letters, numbers, and special characters. Don’t have any common words, trademarks, or
other guessable phrases.
While using a strong password, it is still a good idea to
choose lengthy, random content that can be remembered and communicated
verbally. For instance, ‘BrickFenceCan#23’ may be a better choice than
‘~r_t-*s&PH2’
Limit who has access to the password and keep the password
safe. You might use one of the password
keeper apps if needed. Don’t distribute
the password – if you have more than one person who needs to publish (and for a
wide variety of workflow and safety reasons) everyone publishing or managing
the account should be using a 3rd party social media management tool
such as Hootsuite, ExactTarget, Percolate, Expion, or a host of other options.)
More about these tools below.
Don’t share passwords via email. Let me repeat that louder: DON’T SHARE PASSWORDS VIA EMAIL. This is one of the easiest ways for hackers
to gain access to your accounts. Every time a password is emailed there is a
copy of the content created on each recipient’s email provider, desktop, phone,
corporate IT server, etc. If any of the recipients lose access to one of these
locations your brand’s root credentials would be available.
Change your password at least every 90 days.
Part 2:
Publishing and Ongoing Management
Use secure third-party social media management and
publishing tools.
You don’t need to give your passwords out to everyone who is
posting to your account. Instead,
provide each person access to a 3rd party social media management
tool such as Hootsuite, ExactTarget, Percolate, Expion, or many others.** We are focused on security here, so I won’t
go into details of selecting a publishing or management tool – pretty much all
of them support multiple users with unique user accounts and role permissions
for each person.
Don’t use the same publishing tool for your personal
accounts as you do for company accounts.
If your company uses one tool – use a different publishing
tool for your personal accounts. If you have two completely unique tools, it
will considerably reduce the risk of accidentally publishing a personal post on
the company account.
Limit the number of third party applications that have
access to your account
Every so often, review your account and remove access to any
third party applications that you don’t recognize or are no longer being
used.
(A third party application is any piece of software that
needs access to your presence, typically through an API. If the application is
no longer being used, it should no longer have access to your social account. And if it is being used – it might be good to
go in and update the passwords periodically.)
Restrict mobile device publishing to approved tools
It’s best practice to restrict direct access to your
accounts and to use a 3rd party publishing tool for publishing. This
is true on both mobile devices as well as computers. If you are going to be publishing a lot from
mobile devices – you should look for a publishing program that has a robust
mobile version to compliment your desktop access.
Cell phones and tablets get lost and stolen. Keep that in mind when selecting “save my
password” or “keep me logged in” options on your mobile device. It’s a risk!
Part 3: Staying
safer from hacking and phishing schemes
It’s hard to stay perfectly safe – but here are a few tips
and best practices that can help keep your passwords safe and your system clean
from malware and attacks that can compromise your accounts…
- Keep anti-virus software up to date,
and run scans regularly.
- When possible, use 2-factor
authentication. Using both a password and RSN key or SMS approval is much more
secure than even the best password practices.
- Never login to your accounts when connected to public Internet access (such
as a Starbucks.) Instead, use a VPN
to connect to your company network to create a secure connection before
publishing to any social networks, accessing emails, etc… from any public location. If you don’t have a
corporate VPN, you can create personal a personal VPN on a computer that you
keep at your office for this purpose.
- Never email your password. If you are using a
3rd party publishing tool – the times you will need to provide your actual
password to someone are pretty seldom.
However, if you do need to provide your password to an agency partner or
a remote employee – give it to them directly to them over the phone or through
some other more secure means. Several
of the most prominent hacks in recent years were specifically due to hackers
finding a password in an email message.
- Limit the amount of time people need
the administrator password, and reset the password when their task is
complete. Do now allow anyone to
maintain an admin password for any extended period of time.
- If you change agencies, fire your social
media manager, or change your administrators for any reason – make sure you
change the password before you give them the news. I know we trust and want to think the best of
the people we work with – but it’s always better to be safe.
Be aware of phishing scams. Here
are some ways to avoid getting caught by a phishing email or message:
- Read your emails in plain text.
- Don’t open or click on any emails or
messages from people you don’t know that contain any type of link. Also be aware of:
- Unofficial
“from” addresses
- Emails
requiring “Urgent Action” from someone you don’t know.
- Unexpected password resets: Did you request a password change on your
account before an unexpected email notification arrived? If not, you should be
very suspicious.
- Are there spelling errors or bad
grammar in what is expected to be a professional email? This is a key indicator of a phishing scam
email.
- Is a business email from an
unexpected email address? Beware of
“spoofing” – when a scam artist pretends to represent a legitimate company. You can mouse over (hover over) addresses and
links to ensure they are really how they appear.
- Facebook, Twitter, Google
(YouTube/G+) and other legitimate companies will never request personal information or passwords via email. If you get a request asking you to “verify”
your password, PIN, or other identifying information – don’t.
Part 4: Create a Social Media Crisis Plan (just in
case)
Even with the best-laid plans, you may still have a social
media crisis that you have to deal with. Loosing access to your account (whether by a
deliberate hack or something less sinister) is something I hope you never have
to deal with – but a scenario that should be part of your social media crisis
plan.
I’m not going to go into the full details of a social media
crisis plan here, as a good crisis plan deals with much more than just the
security of your accounts. I’ll simply remind you that 1) you need to
have one, 2) it should contain contact information for the key people
responsible for a response (and their backup,) and 3) it should clearly outline
what anyone in the company should, and should NOT do on social media in a
crisis situation.
If your account is ever hacked, compromised, or part of any
other type of social media crisis situation (even a PR issue) having an easy
reference guide for everyone in your company that describes who to contact and
what steps to take are crucial.
**I’ve published a “Bag O’ Tricks” document which lists a
number of free and paid tools for social publishing along with many other
social media resources that may be handy to managers. You can find it here: bit.ly/brians-bag-o-tricks
Co-Authored by:
Brian Rudolph
Wes Finley
