You may have heard that 117 million LinkedIn user credentials are up for grabs on the Dark Web for just five bitcoins, or about $2,200. As this most recent attack emphasized, the social media hack is a popular option for cybercriminals.

Social Media Is a Popular Target

According to a survey by the University of Phoenix, nearly two-thirds of U.S. adults who use social media say they are aware that their accounts have been hacked. With 76 percent of online adults using social networking sites, according to the Pew Research Center, that’s quite a decent repository for the black market.

While the LinkedIn hack has mostly made individual users nervous, companies should be worried too: Those regular users are the very people who have access to a company’s social media accounts. Users often manage company pages through their personal accounts as well, so once attackers gain access to a personal account, they can easily move on to all the pages that a given individual controls.

Fortune 100 brands experience at least one compromise on their social media channels every business day. Wondering what can happen when cybercriminals get their hands on your company’s account? It depends on their agenda. Common goals include getting access to information, taking advantage of the brand’s credibility for spamming purposes and embarrassing the company. But whether for monetary gain or to harm the company’s reputation, cybercriminals pose a serious threat to corporate social media accounts.

Three Ways to Prevent a Social Media Hack

Many companies had to learn this the hard way. While social media hacks can be very crafty, many times you can avoid trouble if you follow these three steps.

1. Educate All Employees

This is the most important point to follow. While you should pay special attention to instructing those who have direct access to your company’s social media accounts, all employees should go through basic social media safety training.

Considering that people check their social media accounts a staggering 17 times a day and more than 60 percent of enterprises allow employees to use personal devices to access corporate data, cybersecurity has quickly become everyone’s concern. Training sessions should specifically focus on fostering good password hygiene, recognizing spam and phishing attempts, understanding the risks of oversharing personal information and establishing privacy settings.

2. Limit Access

I have read articles that advise not giving social media staff access information at all and instead letting them use third-party tools such as Hootsuite or Sprout Social. That’s usually not feasible; someone on the social media team will likely need to know account information to fulfill certain job responsibilities such as advertising or adding other tools.

However, not all employees on the social media team necessarily need to know the login information to your accounts. By using third-party management tools, more junior employees or occasional users who don’t necessarily require full access credentials can publish and monitor the accounts without having control over settings. Only trusted, reputable apps should be allowed to connect to the account.

3. Make Good Password Hygiene Easier

Every company should have a social media security policy in place, and it should have guidelines for proper password use. Make this document easy to find and digest. Since people learn better through visuals, it’s a good idea to highlight key points with images or infographics.

For the employees who have the keys to the castle (typically the company’s social media managers), create a checklist that gets emailed to them every three months as a reminder to:

  • Change the passwords on social media accounts and third-party management tools per company guidelines (e.g., minimum number of characters, upper- and lowercase letters, a mix of letters and numbers).
  • Avoid reusing the same password.
  • Verify that the information connected to the account (e.g., email, phone number, etc.) is current.
  • Remove admins who no longer need access.
  • Eliminate apps that no longer need access.

For accounts that are administered via employees’ personal accounts, prompt them to change passwords there as well. Two-factor authentication should be enabled on sites that offer this option. If an employee who had access to these accounts leaves the company, the password should be changed immediately.
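The quarterly checklist above can be driven from a simple inventory rather than from memory. The following is an added example, not code from the original article; it assumes a hypothetical inventory of accounts, current staff IDs and an approved-app list, and flags stale passwords, missing two-factor authentication, departed admins and unapproved apps.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_DAYS = 90  # the "every three months" cadence from the checklist above


@dataclass
class SocialAccount:
    name: str
    password_changed: date  # last rotation of the account password
    two_factor: bool        # whether 2FA is enabled on the platform
    admins: list            # employee IDs holding full credentials
    apps: list              # third-party tools connected to the account


def review_account(acct, current_staff, approved_apps, today):
    """Return the checklist items that are overdue for one account."""
    findings = []
    if today - acct.password_changed > timedelta(days=ROTATION_DAYS):
        findings.append(f"{acct.name}: password older than {ROTATION_DAYS} days, rotate it")
    if not acct.two_factor:
        findings.append(f"{acct.name}: two-factor authentication is disabled, enable it")
    for admin in acct.admins:
        if admin not in current_staff:
            # A departed employee still listed: remove them and rotate immediately
            findings.append(f"{acct.name}: admin {admin} has left, remove and rotate password now")
    for app in acct.apps:
        if app not in approved_apps:
            findings.append(f"{acct.name}: unapproved app {app!r} is connected, remove it")
    return findings


def review_all(accounts, current_staff, approved_apps, today):
    """Flatten the findings for every account in the inventory."""
    return [f for a in accounts for f in review_account(a, current_staff, approved_apps, today)]


# Constructed sample inventory (hypothetical accounts, staff IDs and apps)
STAFF = {"e101", "e102"}
APPROVED_APPS = {"Hootsuite", "Sprout Social"}
TODAY = date(2016, 6, 1)
ACCOUNTS = [
    SocialAccount("corp-twitter", date(2016, 5, 15), True, ["e101"], ["Hootsuite"]),
    SocialAccount("corp-linkedin", date(2016, 1, 10), False, ["e101", "e250"],
                  ["Hootsuite", "FreeFollowersApp"]),
]

if __name__ == "__main__":
    for finding in review_all(ACCOUNTS, STAFF, APPROVED_APPS, TODAY):
        print(finding)
```

Running the review against the constructed inventory reports nothing for the first account and four overdue items for the second, which is the email reminder the checklist asks for.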

Passwords Present a Challenge

A big challenge that continues to haunt companies is that even though employees are often aware of good password hygiene, they choose to ignore it. Many sites give guidance on strong passwords when creating a login, yet easy-to-hack passwords like “123456” and “password” continue to top the popularity charts.

Since stronger passwords are often harder to remember, users simply opt to let convenience trump security. They either pick trivial passwords when possible or, if the system forces users to set stronger passwords, they write them down. Did you know that anyone could walk into an office and see 20 percent of passwords written on a sticky note?

To encourage staff to adopt good password hygiene, educate employees on the use of a password manager. While not foolproof, it is a more secure option than not having one at all.

Starting the Process

Where should you begin when trying to avoid a social media hack? Sit down with your social media staff and ask the following questions.
