You may have heard that 117 million LinkedIn user credentials are up for grabs on the Dark Web for just five bitcoins, or about $2,200. As this most recent attack emphasized, the social media hack is a popular option for cybercriminals.
Social Media Is a Popular Target
According to a survey by the University of Phoenix, nearly two-thirds of U.S. adults who use social media say they are aware that their accounts have been hacked. With 76 percent of online adults using social networking sites, according to the Pew Research Center, that’s quite a decent repository for the black market.
While the LinkedIn hack has mostly made individual users nervous, companies should be worried too: Those regular users are the very people who have access to a company’s social media accounts. Users often manage company pages through their personal accounts as well, so once attackers gain access to a personal account, they can easily move on to all the pages that a given individual controls.
Fortune 100 brands experience at least one compromise on their social media channels every business day. Wondering what can happen when cybercriminals get their hands on your company’s account? It depends on their agenda. Common goals include getting access to information, taking advantage of the brand’s credibility for spamming purposes and embarrassing the company. But whether for monetary gain or to harm the company’s reputation, cybercriminals pose a serious threat to corporate social media accounts.
Three Ways to Prevent a Social Media Hack
Many companies had to learn this the hard way. While social media hacks can be very crafty, many times you can avoid trouble if you follow these three steps.
1. Educate All Employees
This is the most important point to follow. While you should pay special attention to instructing those who have direct access to your company’s social media accounts, all employees should go through basic social media safety training.
Considering that people check their social media accounts a staggering 17 times a day and more than 60 percent of enterprises allow employee use of personal devices to access corporate data, cybersecurity has quickly become everyone’s concern. Training sessions should specifically focus on fostering good password hygiene, recognizing spam and phishing attempts, sharing personal information and establishing privacy settings.
2. Limit Access
I have read articles that advise not giving social media staff access information at all and instead letting them use third-party tools such as Hootsuite or Sprout Social. That’s usually not feasible; someone on the social media team will likely need to know account information to fulfill certain job responsibilities such as advertising or adding other tools.
However, not all employees on the social media team necessarily need to know the login information to your accounts. By using third-party management tools, more junior employees or occasional users who don’t necessarily require full access credentials can publish and monitor the accounts without having control over settings. Only trusted, reputable apps should be allowed to connect to the account.
3. Make Good Password Hygiene Easier
Every company should have a social media security policy in place, and it should have guidelines for proper password use. Make this document easy to find and digest. Since people learn better through visuals, it’s a good idea to highlight key points with images or infographics.
For the employees who have the keys to the castle (typically the company’s social media managers), create a checklist that gets emailed to them every three months as a reminder to:
- Change the passwords on social media accounts and third-party management tools per company guidelines (e.g., minimum number of characters, upper- and lowercase letters, letters and numbers included, etc.).
- Avoid reusing the same password.
- Verify that the information connected to the account (e.g., email, phone number, etc.) is current.
- Remove admins who no longer need access.
- Eliminate apps that no longer need access.
For accounts that are administered via employees’ personal accounts, prompt them to change passwords there as well. Two-factor authentication should be enabled on sites that offer this option. If an employee who had access to these accounts leaves the company, the password should be changed immediately.
Passwords Present a Challenge
A big challenge that continues to haunt companies is that even though employees are often aware of good password hygiene, they choose to ignore it. Many sites give guidance on strong passwords when creating a login, yet easy-to-hack passwords like “123456” and “password” continue to top the popularity charts.
Since stronger passwords are often harder to remember, users simply opt to let convenience trump security. They either pick trivial passwords when possible or, if the system forces users to set stronger passwords, they write them down. Did you know that anyone could walk into an office and see 20 percent of passwords written on a sticky note?
To encourage staff to adopt good password hygiene, educate employees on the use of a password manager. While not foolproof, it is a more secure option than not having one at all.
Starting the Process
Where should you begin when trying to avoid a social media hack? Sit down with your social media staff and ask the following questions.
Product Marketing Manager, IBM Security