1/5/15

Manage your Social Media Security and avoid hacks, mistweets, and major goofs


(You can download this as a PDF on my slideshare account at www.slideshare.net/brianrudolph_internationalmanofmystery)

Between the most recent Sony hack and some very prominent social media mistakes over the last few years, social media security is top of mind for a lot of companies right now.  Most of the cases that make news are a result of phishing attacks, poor password management, or poor social media tool and process management.  Brand Twitter accounts have been particularly vulnerable to security or process failures.  For example:
  • Sony Corporation was compromised during the events surrounding the release of “The Interview”.
  • US Airways accidentally tweeted an extremely NSFW image while replying to a customer.
  • Burger King and Jeep had their Twitter accounts rebranded, and the hackers went on a juvenile rampage posting from those accounts.  In both cases, the root account password was stolen because of failures in email security.
  • Kitchen Aid, Microsoft, StubHub, Chrysler, Red Cross, The Vatican, and even Twitter itself have all posted inappropriate or offensive content when someone with access to multiple accounts on the same device published to the corporate account by mistake.
  • The Associated Press (AP) Twitter account was the victim of a phishing scheme.  While the account was compromised, it falsely reported a bombing at the White House.  The incident damaged brand credibility, got the account suspended, and dropped its following from 2 million to 100,000 followers (although most came back.)  The false report also caused a 143 point drop in the Dow Jones stock market index.
The potential negative impact to a brand or a company from a security breach or social media snafu can be huge.  However, in most cases, these types of incidents can be avoided with the proper planning, workflow, and some good old-fashioned common sense.

Here are some security practices that everyone should be aware of:


Part 1) Creating Accounts on Social Platforms

Don’t register your brand’s social media accounts with your personal email address.

The registered owner of every social media account should be an official address on your company’s domain.  Don’t use a personal email (like a Yahoo address), and avoid using your own individual corporate mailbox if you can.  Best case is a new, dedicated address on your corporate domain; if you register a lot of accounts, perhaps more than one.
  • You want to use an email on your corporate domain whenever possible, it can make proving that your company is the authorized owner of the account a little easier should the need arise.
  • If you can create a stand-alone email account – even better.  After all, if the account is registered to johnsmith@company.com - what happens when John leaves the company?
  • Sometimes, however, you are not able to use a corporate account. YouTube and Google+ typically require a Gmail account. (Of course they do.) For these platforms, you can create a new Gmail account only for this purpose – don’t use your personal one. (Google recently changed this policy and you can now sign up without using Gmail using the link: https://accounts.google.com/SignUpWithoutGmail )
  • Facebook requires that your personal Facebook account connect to the brand page to serve as an admin.  That’s fine, but I would strongly recommend using a Facebook Business Account whenever possible to manage your brand pages within the Facebook environment. Read more at https://business.facebook.com/ 
A quick note about Agencies:  If you are a brand, your advertising or marketing agency might be creating these accounts on your behalf.  Make sure that when they are creating your brand’s accounts – they do so using one of your own company’s email addresses.   Some agencies have a practice of creating accounts with agency emails. If you ever decide to take your business to another agency – you might have a challenging time getting ownership of your own account!  (And personnel turnover at agencies is another issue to be aware of….)


Use a strong password, and keep it safe!

You know the rules for a strong password.  Passwords should be at least 8 characters (longer is better), with a mix of lowercase and capital letters, numbers, and special characters.  Don’t use common words on their own, trademarks, or other guessable phrases.

Within those rules, prefer something long and random that can still be remembered and read out loud over the phone.  Length does more for you than exotic symbols: ‘BrickFenceCan#23’ may be a better choice than ‘~r_t-*s&PH2’, and adding another word or two to the phrase costs almost nothing to remember.
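To make the trade-off concrete, here is an added example (mine, not from the original post) that generates passphrases in the ‘BrickFenceCan#23’ shape with Python’s `secrets` module and reports how many bits of entropy each choice actually carries.  The 64-word list inside it is a constructed stand-in for demonstration; a real generator should load a full list such as the EFF large wordlist (7776 words), and the `words_needed` helper tells you how many words from a list of a given size you need to match a random symbol string.

```python
import math
import secrets
import string

# Constructed sample wordlist for demonstration only. A real generator should
# load a full list (for example the 7776-word EFF list); this one is deliberately
# tiny, which the entropy figures below make visible.
WORDLIST = (
    "apple brick canyon delta ember fence glacier harbor island jungle kettle "
    "lantern marble needle orbit pepper quartz river saddle timber umbrella "
    "velvet walnut yellow zebra anchor basket cactus dragon eagle falcon "
    "garden hammer iron jacket kernel ladder meadow nickel ocean pillow "
    "rocket summit tunnel unicorn valley window acorn bridge castle dune "
    "engine forest goblet honey ivory jewel knight lemon mirror noble olive pearl raven"
).split()

SYMBOLS = "#!%&*"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform choices from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int = 3, wordlist=WORDLIST, digits: int = 2):
    """Build a passphrase in the 'BrickFenceCan#23' shape: capitalised words,
    one symbol, a short digit suffix. Returns (passphrase, entropy_in_bits).
    Every choice uses the `secrets` module (CSPRNG), never `random`."""
    parts = [secrets.choice(wordlist).capitalize() for _ in range(words)]
    symbol = secrets.choice(SYMBOLS)
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    bits = (entropy_bits(len(wordlist), words)
            + entropy_bits(len(SYMBOLS), 1)
            + entropy_bits(10, digits))
    return "".join(parts) + symbol + suffix, bits


def generate_random_string(length: int = 11):
    """The '~r_t-*s&PH2' style: uniform over letters, digits and punctuation (94 symbols)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    value = "".join(secrets.choice(alphabet) for _ in range(length))
    return value, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    phrase, phrase_bits = generate_passphrase()
    rand, rand_bits = generate_random_string()
    print(f"{phrase:<24} {phrase_bits:5.1f} bits (tiny {len(WORDLIST)}-word list)")
    print(f"{rand:<24} {rand_bits:5.1f} bits")
    # How many words from a full 7776-word list would match the random string?
    print("words needed from a 7776-word list:", words_needed(rand_bits, 7776))
```

Run it and the numbers make the point: three words from a tiny list plus a symbol and two digits is only about 27 bits, an 11-character random string is about 72 bits, and a five- or six-word phrase from a full 7776-word list lands in the same range as the random string while still being something you can read to a colleague over the phone.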

Limit who has access to the password and keep it safe.  Use a password manager if you need to store it.  Don’t distribute the password: if more than one person needs to publish (and for a wide variety of workflow and safety reasons), everyone publishing or managing the account should go through a 3rd party social media management tool such as Hootsuite, ExactTarget, Percolate, Expion, or a host of other options.  More about these tools below.

Don’t share passwords via email.  Let me repeat that louder: DON’T SHARE PASSWORDS VIA EMAIL.  This is one of the easiest ways for hackers to gain access to your accounts.  Every time a password is emailed, a copy is created on each recipient’s email provider, desktop, phone, corporate mail server, etc.  If any recipient loses control of any one of those locations, your brand’s root credentials are exposed.

Change your password at least every 90 days, and always change it immediately when someone who knew it leaves or when you suspect it has been exposed.  Those two events matter more than the calendar.

Part 2:  Publishing and Ongoing Management

Use secure third-party social media management and publishing tools.

You don’t need to give your passwords out to everyone who is posting to your account.  Instead, provide each person access to a 3rd party social media management tool such as Hootsuite, ExactTarget, Percolate, Expion, or many others.**  We are focused on security here, so I won’t go into details of selecting a publishing or management tool – pretty much all of them support multiple users with unique user accounts and role permissions for each person. 

Don’t use the same publishing tool for your personal accounts as you do for company accounts.

If your company uses one tool – use a different publishing tool for your personal accounts. If you have two completely unique tools, it will considerably reduce the risk of accidentally publishing a personal post on the company account.  


Limit the number of third party applications that have access to your account

Every so often, review your account and remove access from any third party applications that you don’t recognize or that are no longer being used.

(A third party application is any piece of software that has been granted access to your presence, typically through the platform’s API using an authorization token rather than your password.  If the application is no longer being used, revoke it; changing your password does not necessarily invalidate the tokens an application already holds, so revoke it explicitly in the platform’s connected-apps settings.  If it is still being used, it is worth periodically confirming who on your side administers it and rotating its own login credentials.)

Restrict mobile device publishing to approved tools

It’s best practice to restrict direct access to your accounts and to use a 3rd party publishing tool for publishing.  This is true on mobile devices as well as computers.  If you are going to be publishing a lot from mobile devices, look for a publishing program that has a robust mobile version to complement your desktop access.

Cell phones and tablets get lost and stolen.  Keep that in mind when selecting “save my password” or “keep me logged in” options on your mobile device. It’s a risk!


Part 3:  Staying safer from hacking and phishing schemes

It’s hard to stay perfectly safe – but here are a few tips and best practices that can help keep your passwords safe and your system clean from malware and attacks that can compromise your accounts…
  • Keep anti-virus software up to date, and run scans regularly.
  • When possible, use 2-factor authentication.  Requiring both a password and a second factor (an authenticator app, a hardware token such as an RSA SecurID key, or an SMS code) is much more secure than even the best password practices.  Prefer an app or hardware token over SMS where the platform offers it, since SMS codes can be intercepted or redirected through the phone carrier.
  • Never log in to your accounts over public Internet access (such as a Starbucks.)  Instead, use a VPN to connect to your company network and create a secure connection before publishing to any social networks, accessing email, etc. from any public location.  If you don’t have a corporate VPN, you can set up a personal VPN on a computer that you keep at your office for this purpose.
  • Never email your password.  If you are using a 3rd party publishing tool, the occasions when you need to give your actual password to someone are pretty seldom.  If you do need to provide it to an agency partner or a remote employee, give it to them directly over the phone or through some other more secure means.  Several of the most prominent hacks in recent years were specifically due to hackers finding a password in an email message.
  • Limit the amount of time people hold the administrator password, and reset it when their task is complete.  Do not allow anyone to keep an admin password for an extended period of time.
  • If you change agencies, fire your social media manager, or change your administrators for any reason, change the password before you give them the news.  I know we trust and want to think the best of the people we work with, but it’s always better to be safe.
Be aware of phishing scams.  Here are some ways to avoid getting caught by a phishing email or message:
  • Read your emails in plain text.
  • Don’t open or click links in emails or messages from people you don’t know.  Also watch for:
  • Unofficial “from” addresses
  • Emails requiring “Urgent Action” from someone you don’t know.
  • Generic Greetings
  • Unexpected password resets:  Did you request a password change on your account before an unexpected email notification arrived? If not, you should be very suspicious.
  • Are there spelling errors or bad grammar in what is expected to be a professional email?  This is a key indicator of a phishing scam email.
  • Is a business email from an unexpected email address?  Beware of “spoofing” – when a scam artist pretends to represent a legitimate company.  You can mouse over (hover over) addresses and links to ensure they are really how they appear.
  • Facebook, Twitter, Google (YouTube/G+) and other legitimate companies will never request personal information or passwords via email.   If you get a request asking you to “verify” your password, PIN, or other identifying information – don’t.
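The “hover over the link” advice can be automated.  Below is an added example (my code, not part of the original post) that pulls every link out of an HTML email and applies the checks from the list above: visible text that names one domain while the href goes to another, raw IP addresses, punycode hostnames that can hide look-alike characters, plain http, and hostnames that merely contain a trusted brand’s name.  The sample message and its hostnames are constructed for the demo, `TRUSTED_DOMAINS` is an assumed allowlist you would replace with your own, and `registrable_domain` is a deliberate simplification (last two labels) that a production tool should replace with the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brands whose mail you expect. Anything else that merely
# *mentions* one of these names in its hostname is treated as a lookalike.
TRUSTED_DOMAINS = {"twitter.com", "facebook.com", "google.com", "youtube.com"}
BRAND_KEYWORDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}

# Visible link text that looks like a URL or a bare domain, e.g. "https://twitter.com/settings"
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Use the public suffix list in production.
    return ".".join(host.lower().split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Return the reasons this link deserves suspicion (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append("unusual scheme: " + (parts.scheme or "none"))
    elif parts.scheme == "http":
        reasons.append("not https")
    if IPV4.match(host):
        reasons.append("raw IP address host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (possible homoglyph) host")
    shown = DOMAIN_LIKE.match(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
    if host and registrable_domain(host) not in TRUSTED_DOMAINS \
            and any(k in host for k in BRAND_KEYWORDS):
        reasons.append("lookalike of a trusted brand: " + host)
    return reasons


def analyze_email(html: str) -> list:
    """Return [(href, visible_text, reasons), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message; all hostnames below are invented for the demo.
SAMPLE_EMAIL = """
<p>Dear user, urgent action is required to keep your account.</p>
<p><a href="http://twitter.com.account-verify.example/login">https://twitter.com/settings</a></p>
<p><a href="http://203.0.113.10/reset">Reset your password</a></p>
<p><a href="https://xn--twtter-bva.com/login">twitter.com</a></p>
<p><a href="https://twitter.com/settings/security">Security settings</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL):
        print("OK " if not reasons else "!! ", repr(text), "->", href)
        for reason in reasons:
            print("        -", reason)
```

Only the last link in the sample comes back clean; the first one trips three checks at once, which is typical of the AP-style phishing mail.  Treat the output as a prompt for a human, not a verdict: a link with no findings can still be hostile, and the brand-keyword check will flag legitimate partner domains you have not added to the allowlist.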

 Part 4: Create a Social Media Crisis Plan (just in case)

Even with the best-laid plans, you may still have a social media crisis to deal with.  Losing access to your account (whether through a deliberate hack or something less sinister) is something I hope you never have to deal with, but it is a scenario that should be part of your social media crisis plan.

I’m not going to go into the full details of a social media crisis plan here, as a good crisis plan deals with much more than just the security of your accounts.  I’ll simply remind you that 1) you need to have one, 2) it should contain contact information for the key people responsible for a response (and their backups), and 3) it should clearly outline what anyone in the company should, and should NOT, do on social media in a crisis situation.

If your account is ever hacked, compromised, or part of any other type of social media crisis (even a PR issue), having an easy reference guide for everyone in your company that describes who to contact and what steps to take is crucial.


**I’ve published a “Bag O’ Tricks” document which lists a number of free and paid tools for social publishing along with many other social media resources that may be handy to managers. You can find it here: bit.ly/brians-bag-o-tricks


Co-Authored by:

Brian Rudolph   


Wes Finley   

9 comments:

  1. I'm quite cautious on social networks, and I don't have any incredible information, the revelation of which would confuse me. The only thing I worry about is the bank card details, and that my phone isn't stolen.

    For the second case, I found a good solution, snoopza.com, with a geolocation function that is used to determine the location of my smartphone, my husband's phone, and my son's phone too. This hidden spy is installed on our phones, and this is my smart way to lightly watch over my family when I'm not around)

  2. Look over changes that your platforms have made that might affect your pages or profiles. how to hack a Facebook

  3. Very useful post. This is my first time visiting here. I found so much interesting stuff in your blog, especially its discussion. Really, it's a great article. Keep it up.  lesmeilleursvpn

  4. bookmarking and checking back frequently!it people processing it really is another person's renowned company, you will never in the world of the 55 and other lavishness brands supra to uncover which.. vpn reviews

  5. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article.  thebestvpn

  6. Get a strong password for online account security. The Strong Password Generator is a tool which gives you a strong password.

  7. We are truly thankful for your blog entry. You will discover a great deal of methodologies in the wake of going to your post. I was precisely scanning for. A debt of gratitude is in order for such post and please keep it up.  lemigliorivpn

  8. Really appreciate this wonderful post, as we have seen here. This is a great source to enhance knowledge for us. Thankful to you for sharing an article like this. Trusted Website Hackers For Hire
