Imagine you are the CEO of a bank. Despite the grey suit you are down with the kids, tweeting regularly, and generally being hip.
And then your twitter account is hacked. Someone sends out a tweet in your name that says your bank has made huge losses in the financial markets and doesn’t have enough money to repay current account holders. People panic and there is a run on the bank…
Couldn’t happen could it! Or could it? It’s only a year since the AP Twitter account was hacked and messages about bombs in the White House caused a massive 143 point drop on the Dow Jones Index.
Social media are very credible and as a result very powerful.
So of course you want to avoid your social media accounts getting hacked. It’s not easy, in fact it is impossible to guarantee absolute security (and I won’t be surprised if someone hacks into this blog just because I am writing about security!), but there are some steps you can take to keep them reasonably secure.
How do social media hacks happen?
First of all though, knowing how social media accounts get hacked will help protect you. Generally this happens because someone who wants to cause mischief or wreak revenge gets access to a password. And they get access in a number of ways including:
- Simple passwords are hacked using “brute force” software that runs through all the possible combinations of letters and numbers
- Unprotected portable devices are lost or stolen
- Devices are infected with spyware
- People who know a password leave a company and that password isn’t changed
- A shared personal device allows access to a social media account by non-authorised people
- Password lists are made available to non-authorised people
So what can you do about this?
Use strong passwords
The very first thing you need to do is ensure that social media passwords are strong. That means: a minimum of 12 characters including at least one each of an upper case letter, a lower case letter, a number, and a keyboard symbol (like ! % or &).
Words and names should not be used as part of this: so Password isn’t a great password. And guess what. People realise that numbers are commonly substituted for letters. So P455w0rd isn’t great either!
As words and names are a no-no you will need a simple trick to come up with a great password. It’s easy in fact. Think of a phrase such as “I love my wife Delvina and my two boys Caspar and Tarquin!”. Now take the first letters and turn that into a password: “IlmwD&m2bC&T!”. Complex but easy to remember. And so much better than Password!
Next it is sensible to ensure that passwords are different for all your social media accounts. After all if one does get hacked you don’t want them all being hacked. And change them a couple of times a year. Scott Aurnou has written an excellent post on passwords.
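As an added example (not from the original post), here is a small Python check for the password rules above: the 12-character, four-class rule, the trick of deriving a password from a phrase, and the “P455w0rd” problem, which it catches by undoing common number-for-letter substitutions before comparing against a word list. The word list and the substitution tables are constructed for illustration; a real check would use a proper dictionary file.

```python
import string
from typing import List

# Constructed mini word list for illustration only; use a real dictionary in practice.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Number/symbol-for-letter substitutions people rely on (the P455w0rd trick);
# undone before the dictionary check so the substitution gives no benefit.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Word-to-character shortcuts used when turning a phrase into a password
# (chosen to reproduce the post's own example; assumption, not a standard).
WORD_SUBS = {"and": "&", "two": "2", "to": "2", "for": "4", "four": "4"}


def contains_dictionary_word(pw: str, words=COMMON_WORDS) -> bool:
    """True if a listed word appears in the password, with or without leet substitutions."""
    lowered = pw.lower()
    normalised = lowered.translate(LEET_MAP)
    return any(w in lowered or w in normalised for w in words)


def check_policy(pw: str) -> List[str]:
    """Return the policy failures for a password; an empty list means it passes."""
    failures = []
    if len(pw) < 12:
        failures.append("shorter than 12 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no keyboard symbol")
    if contains_dictionary_word(pw):
        failures.append("contains a dictionary word (even with number substitutions)")
    return failures


def password_from_phrase(phrase: str) -> str:
    """First character of each word, keeping trailing punctuation and the word shortcuts."""
    out = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # e.g. "Tarquin!" -> "Tarquin"
        trailing = token[len(core):]              # keep the "!" at the end
        if core:
            out.append(WORD_SUBS.get(core.lower(), core[0]))
        out.append(trailing)
    return "".join(out)
```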
The next step is to limit the number of people who have access to the social media accounts. Simple if they are your own accounts but more complex in a company where you may want several people to be able to post content.
Start by doing an audit. And remember to check whether any third parties like your PR company also have access (if so, you will want to know whether they share your password with all their employees).
Next, severely limit the number of people who have access in future. And make sure that written into their contracts is a stipulation that passwords must not be shared and an explanation of sanctions if they do so. If necessary appoint an “editor” who uploads content written by other people. Oh, and do make sure you keep a record of who does have access somewhere.
Ideally, and if budgets allow, you will also implement Single Sign On (SSO) technology (such as Nexgate provide) to manage access to your social media accounts. This means that when people sign into their work computers only authorised people will be given access to social media accounts, but they will be given access without having to input a password. As they don’t know the passwords then you can simply deny them access should they leave or their role change.
One more thing to look out for. Some social media platforms including Facebook and Google+ require business pages to be set up from private social media accounts. If this is the case you will have trouble managing these accounts in the future if the person who set them up leaves your company. The easiest thing to do is probably to start afresh with these platforms, even if it means sacrificing some assets such as people who Like you.
Prevent cookie attacks
Several big social media platforms including Twitter and Facebook are designed to remain open continuously, so that every time you go to your computer or mobile phone you can read and post content.
Convenient, but keeping an account open all the time can give people a really easy way into your social media account, especially if the account is open on a mobile device which subsequently gets lost or if you are using a shared device and forget to log out.
As people will inevitably forget to log off on some occasions, the most secure way to handle this is to require access to corporate social media only via fixed company equipment. This does mean that people won’t be able to post updates to Twitter and Facebook when they are out and about. I’ll come to how you manage that disadvantage in a moment.
Avoid phishing attacks
Another common problem is “phishing”, which is where a hacker sends you a message that seems to be from your social network, asking you to log in to your account for some plausible reason. They provide you with a handy link. You, thinking you are logging into your Twitter account, enter your username and password into a fake login page, which promptly captures the data. You have been hacked. Often these attacks are highly personalised and will use your name, as a result looking very credible.
The only way to prevent phishing attacks is through education. Train people to look for suspicious emails. Get people to check the actual address of the site they are logging into by looking at the address bar or, better still, avoid clicking on links (especially shortened URLs) in emails and navigate directly to their social media account instead.
Additional security can be provided by using the SSO technology mentioned earlier as these tools won’t automatically complete your log in information if you aren’t on a legitimate site. But if you don’t have that then education (and common sense) is your only defence.
Protect mobile devices & manage wi-fi use
Business people who have a requirement to post on social media sites for their employers are highly likely to have a smart phone or a laptop. And mobile devices represent a real risk because:
- They can be lost or stolen
- They may connect to the internet via insecure or dangerous connections
The easiest way to manage this risk is to limit access to corporate social media accounts to fixed computers in secure office locations. This might sound draconian but in practice most social media can be managed in this way, with executives who are out of the office mailing posts to colleagues who can post from the secure location of the office.
But what about newsy posts that require immediate publication? For instance tweets at a conference or Facebook posts at an industry event? Here are some ideas:
- Ensure the mobile device you are using is adequately password protected, especially if you are using a password vault like LastPass to make logging on to a number of different accounts easy
- Password vaults remember passwords for you. Ideally I wouldn’t use them on a mobile device but if you do make sure you have the ability to lock or wipe it remotely in case you lose it; (IT managers should audit the remote use of social media and where appropriate provide such remote locking or wiping capabilities to privately owned devices)
- If you are logging on to Twitter or Facebook on a mobile device make sure you log off after you finish
- If you are accessing social media via wi-fi then check to make sure it is the official wi-fi (check the exact name) and don’t be tempted to use an unsecured wi-fi that seems to offer easy access; (personally I would never use wi-fi outside the home or office for any sensitive purpose, but then I am a cynic)
- If you are tweeting via wi-fi then don’t use the corporate account, or your own account if you are a prominent person (e.g. a director of a large corporate). Set up a secondary account and use it for out-of-office events. Use the hashtag for the event to ensure that people find your posts. Get colleagues to follow the secondary account and share your posts via the main corporate account as soon as possible
Ultimately a lot of protection can be gained through education. Help people understand where the risks lie and what they can do to minimise them. Education is a cornerstone of security. It won’t protect you all the time (nothing will) but with the right processes and attitudes in place the risks can be reduced massively.