Paul Colombo: How To Stop Your Social Media Getting Hacked
Director of Technology at Deep Focus agency offers helpful insights into how companies can avoid unwelcome and malicious visitors.
If you believe its hacked Twitter account, Jeep was sold to Cadillac today. Yesterday it was Burger King’s Twitter account that was compromised.
This rash of hacks is a wake-up call for marketers, brands and social platforms alike. Security is an often overlooked aspect of social media management, which stands in contrast to the tools, practices and auditing that go into website security.
While sensitive information may not be immediately at risk, brand perception and trust can be undermined in an instant, with the bad news pushed directly to users’ feeds.
Before we go any further there are two key points to information security you should come to grips with:
- The only guarantee is to not be a target. The means and lengths people will go to are proportional to their motivation to gain access. Conversely, there are opportunists who will take advantage of any easy situation just for bragging rights.
- Information security is a cat-and-mouse game; the only effective solution is vigilance.
Simply having a social media presence means your brand now sits among the largest and most prized targets online for hacktivists, who may not even have an agenda involving your brand but will gladly make an example of you to get attention. It’s also no secret that the freedom of expression facilitated by social media is a thorn in the side of many governments who are actively trying to squelch dissent.
The bad news is that there is nothing you can do when attackers go after social networks directly. This is the risk we take when relying on third-party platforms and services. Even the mighty fall, as was demonstrated by Twitter’s recent password breach that affected 250,000 users, and one at LinkedIn that affected 6.5 million users. It will happen again, despite best efforts and vigilance. Brands and agencies have to operate on the assumption that social networks aren’t secure.
What it means for social platforms
It’s time to recognize that brands are a different type of user, or, as is often the case, large groups of users operating on the same page. Facebook has done a reasonably solid job of building team management into brand pages; however, pages still rely on traditional Facebook accounts, which leads to bad practices and exposes them to the same risks. Twitter allows a single account per email address, but this shared account model makes it difficult for agencies to manage access and permissions. With the Bluefin Labs acquisition, it is only a matter of time before media and analytics agencies will be clamoring for access. Facebook, Twitter, Pinterest and anyone else serious about having brands on their platform need to invest time in better understanding how brands operate day to day.
It’s also time for these platforms to use their influence to shape security standards on the web. Username / password combinations are convenient but not the most secure. (When emails are substituted for usernames they are even more convenient, and even less secure.) Facebook provides two-factor authentication, but should be more forceful in promoting it when users sign up or are added as managers to a brand page or app. Page managers should have the option to make this mandatory when trying to operate as a brand page. Twitter has no such option, which could have saved Burger King from a heap of embarrassment.
In addition, we’d like to see networks get involved in R&D efforts for new ways of authenticating users on the web. Google is researching using a key-file or physical device to make authentication not only more secure, but easier and faster. (Those of you familiar with SSH public key-based authentication will get the drift.)
Third-party management tools such as Hootsuite add an extra layer of insulation, which can help. However, we often find brands using free versions of these tools that don’t offer advanced team management features. These tools are still subject to the same access risks, and can in fact be worse if a breach does occur since an attacker will have access to all of a brand’s social channels.
What it means for marketers and brands
Put simply: tools, training, policy and practices for information security need serious consideration. Your brand website and corporate email are subject to stringent security requirements and audits and are protected by firewalls and access policies. Your social channels often come down to a single username and password. It’s time to think about access to your social channels in the same light.
We’re not going to cover a complete set of company policies and guidelines in this post. That would involve a larger discussion of IT security and enterprise systems; this is a discussion brands should have with their agencies, third parties and related IT departments to define the policies and get the tools in place that are right for their situation.
However, if the Burger King incident kept you up a bit last night, you can follow these simple steps to make some immediate improvements:
- Have a gatekeeper. Any ‘master’ accounts should be managed by a senior owner for the brand. Granting and denying access to master accounts and brand pages should run through this individual. If someone requests access, refer them to your gatekeeper; don’t provide it yourself.
- Keep it professional. Create a Facebook account just for work. Most agencies already follow this practice, but there’s room for improvement on the client side. When dealing with a third party, insist they follow this rule as well.
  - Only friend co-workers or vendors working on your brand pages.
  - Restrict all sharing and privacy settings.
  - Verify the account.
  - Enable two-factor authentication.
  - Don’t log in on a mobile device unless it is absolutely necessary. If you have to, sign out immediately when you’re done.
- Be stingy. Only grant access to logins and brand pages to those who absolutely need it. For Facebook pages, grant the lowest level of permission needed for a person to do their job. A media partner who just needs Facebook Insights access shouldn’t have Manager permissions on your page. If someone needs temporary access, set a calendar reminder to remove it when they’re done.
- Never ever, ever, EVER send login details over email or text. Call or hand-deliver a note instead.
- Update Often. As a rule, your gatekeeper should update all passwords at least once a quarter. Whenever someone leaves the team (on either the agency or client side), immediately revoke any access their individual accounts might have, and change the passwords of any shared logins they had access to.
- Store Securely. Free tools like KeePass make it easy to store your personal logins in a strongly encrypted file. Online services like LastPass will do the same while enabling remote access and managing access for teams. Keeping a mail folder of logins, or sharing a spreadsheet over Dropbox, isn’t secure and shouldn’t be acceptable.
- Take it personally. Follow best practices with your own sensitive information. Use tools like KeePass for your own logins if there’s no system to support you. Ask your IT or HR department to provide training and resources. Spear phishing is the most common vector for attack inside a target organization. One click on the wrong email could be enough. Make sure you know how to spot a phishing email.
- Use the tools you have. Audit all the settings in the accounts you own. In addition to enabling two-factor authentication for Facebook, you should update your Twitter settings TODAY to require verification for password changes.
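As an added example (not from the original post), the quarterly rotation, revoke-on-departure, temporary-access and least-privilege rules above can be checked mechanically against an access register the gatekeeper maintains; the register, people, pages and dates here are constructed for illustration.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # "update all passwords at least once a quarter"
TODAY = date(2013, 2, 20)               # fixed so the run is reproducible

# Constructed sample register (not real accounts): shared logins and per-page roles.
SHARED_LOGINS = [
    {"channel": "twitter:@brand", "last_rotated": date(2012, 10, 1),
     "holders": {"alice", "bob", "carol"}},
    {"channel": "facebook:brandpage-master", "last_rotated": date(2013, 1, 15),
     "holders": {"alice"}},
]
PAGE_ROLES = [
    # "needs" is the lowest role the person's job actually requires.
    {"person": "alice", "page": "facebook:brandpage", "role": "Manager",
     "needs": "Manager", "expires": None},
    {"person": "bob", "page": "facebook:brandpage", "role": "Manager",
     "needs": "Insights", "expires": None},
    {"person": "carol", "page": "facebook:brandpage", "role": "Editor",
     "needs": "Editor", "expires": None},
    {"person": "dave", "page": "facebook:brandpage", "role": "Insights Analyst",
     "needs": "Insights", "expires": date(2013, 1, 31)},  # temporary media partner
]
DEPARTED = {"carol"}  # left the team; all access should already be revoked


def audit(shared_logins, page_roles, departed, today=TODAY):
    """Return sorted (rule, subject) findings that violate the access policy."""
    findings = []
    for login in shared_logins:
        if today - login["last_rotated"] > MAX_PASSWORD_AGE:
            findings.append(("stale_password", login["channel"]))
        for who in login["holders"] & departed:   # departed person still holds a shared login
            findings.append(("departed_holder", f"{login['channel']}:{who}"))
    for r in page_roles:
        subject = f"{r['page']}:{r['person']}"
        if r["person"] in departed:
            findings.append(("departed_role", subject))
        if r["role"] == "Manager" and r["needs"] != "Manager":
            findings.append(("excess_privilege", subject))   # Insights-only partner with Manager
        if r["expires"] is not None and r["expires"] < today:
            findings.append(("expired_temporary", subject))  # calendar reminder went unheeded
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit(SHARED_LOGINS, PAGE_ROLES, DEPARTED):
        print(f"{rule:18} {subject}")
```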
As we mentioned earlier, the only way to be successful with information security is through vigilance. No system or tool can protect you, but backed by the right policies, procedures and attention you can make sure your brand doesn’t end up a headline for the wrong reasons.