Social Platform Security Tips: Don’t be the next Jeep or Burger King
If you believe its hacked Twitter account, Jeep was sold to Cadillac today. Yesterday it was Burger King’s Twitter account that was compromised.
This rash of hacks is a wake-up call for marketers, brands and social platforms alike. Security is an often overlooked aspect of social media management, which stands in contrast to the tools, practices and auditing that go into website security.
While sensitive information may not be immediately at risk, brand perception and trust can be undermined in an instant, with the bad news pushed directly to users’ feeds.
Before we go any further there are two key points to information security you should come to grips with:
- The only guarantee is to not be a target. The means and lengths people will go to are proportional to their motivation to gain access. Conversely, there are opportunists who will take advantage of any easy situation just for bragging rights.
- Information security is a cat-and-mouse game; the only effective solution is vigilance.
Simply having a social media presence means your brand is now sitting on the largest and most prized targets online for hacktivists, who may not even have an agenda involving your brand but will gladly make an example of you to get attention. It’s also no secret that the freedom of expression facilitated by social media is a thorn in the side of many governments who are actively trying to squelch dissent.
The bad news is that there is nothing you can do when attackers go after social networks directly. This is the risk we take when relying on 3rd party platforms and services. Even the mighty fall, as was demonstrated by Twitter’s recent password breach that affected 250,000 users, and one at LinkedIn that affected 6.5 million users. It will happen again, despite best efforts and vigilance. Brands and agencies have to operate on the assumption that social networks aren’t secure.
What it means for social platforms
It’s time to recognize that brands are a different type of user, or, as is often the case, large groups of users operating on the same page. Facebook has done a reasonably solid job of building team management into brand pages; however, pages still rely on traditional Facebook accounts, which lead to bad practices and expose them to the same risks. Twitter allows a single account per email address, but this shared account model makes it difficult for agencies to manage access and permissions. With the Bluefin Labs acquisition, it is only a matter of time before media and analytics agencies will be clamoring for access. Facebook, Twitter, Pinterest and anyone else serious about having brands on their platform need to invest time in better understanding how brands operate day to day.
It’s also time for these platforms to use their influence to shape security standards on the web. Username / password combinations are convenient but not the most secure. (When emails are substituted for usernames they are even more convenient, and even less secure.) Facebook provides two-factor authentication, but should be more forceful in promoting it when users sign up or are added as managers to a brand page or app. Page managers should have the option to make this mandatory when trying to operate as a brand page. Twitter has no such option, one that could have saved Burger King from a heap of embarrassment.
In addition, we’d like to see networks get involved in R&D efforts for new ways of authenticating users on the web. Google is researching using a key-file or physical device to make authentication not only more secure, but easier and faster. (Those of you familiar with SSH public key-based authentication will get the drift.)
Third-party management tools such as Hootsuite add an extra layer of insulation, which can help. However, we often find brands using free versions of these tools that don’t offer advanced team management features. These tools are still subject to the same access risks, and can in fact be worse if a breach does occur since an attacker will have access to all of a brand’s social channels.
What it means for marketers and brands
Put simply: tools, training, policy and practices for information security need serious consideration. Your brand website and corporate email are subject to stringent security requirements and audits and are protected by firewalls and access policies. Your social channels often come down to a single username and password. It’s time to think about access to your social channels in the same light.
We’re not going to cover a complete set of company policies and guidelines in this post. That would involve a larger discussion of IT security and enterprise systems; this is a discussion brands should have with their agencies, third parties and related IT departments to define the policies and get the tools in place that are right for their situation.
However, if the Burger King incident kept you up a bit last night, you can follow these simple steps to make some immediate improvements:
- Have a gatekeeper. Any ‘master’ accounts should be managed by a senior owner for the brand. Granting and denying access to master accounts and brand pages should run through this individual. If someone requests access, refer them to your gatekeeper, don’t provide it yourself.
- Keep it professional. Create a Facebook account just for work. Most agencies already follow this practice, but there’s room for improvement on the client side. When dealing with a 3rd party, insist they follow this rule as well.
- Only friend co-workers or vendors working on your brand pages
- Restrict all sharing and privacy settings
- Verify the account
- Enable two-factor authentication
- Don’t log in on a mobile device unless it is absolutely necessary. If you have to, sign out immediately when you’re done.
As we mentioned earlier, the only way to be successful with information security is through vigilance. No system or tool can protect you, but backed by the right policies, procedures and attention you can make sure your brand doesn’t end up a headline for the wrong reasons.