Social Media Security: Why it Matters and How to Protect your Brand

Security is often a blind spot for companies when it comes to social media.

But neglecting it can cause big problems in the short and long-term. As I mentioned in my previous blog post comparing surfing to social media , it’s always worth hoping for the best – but preparing for the worst.

Social media teams are often lean, and busy managing social media accounts. Sometimes they ‘just do social’ without a strategy, which can cause more issues. But that’s a topic for another day.

These teams also have to align with internal stakeholders, partners, create social content, engage with followers, and manage communities, work with influencers, employees and executives’ social media, so they’re kind of busy ??. Even if they know it’s important, they rarely have time to deal with social media security.

IT or cyber security teams, meanwhile, have their own issues to fix. They’re responsible for protocols and execution, and keeping your organizations’ identities safe. They rarely consider all aspects of social media security.

And of course, there’s the fact that these two teams aren’t usually connected.

On top of this, most organizations don’t understand the risks associated with poor social media identity management and/or impersonations on social media. With the increase of hacking events, cybersecurity attacks and ransomware, it’s something that companies must address.

Owning it

This raises the question: who does own social media security?

But this is the wrong question to ask.

It doesn’t matter who owns it. 

Instead, the focus should be on what strategies are in place to mitigate any security issues that could arise.

Identity management

Most brands have several social media accounts – Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, TikTok, Flickr…the list goes on. And this is only organic. We haven’t even talked about multiple ad accounts across all platforms. It’s a huge environment and a lot to manage.

Social media teams also need to manage who has access, from multiple agencies, to internal employees, to each and every social media and ad account. And of course, check who’s still there, who’s left, revoke access, and onboard any newcomers.

It’s hard to monitor and keep track of all of that when you’re a small team.

I think it’s worth pointing out how complex and complicated it is at a large organization and what exactly it entails:

• Maintaining and updating a list of all branded social media accounts and ad accounts. In large organizations these can add up to hundreds
• Keeping and maintaining usernames and passwords for all social media accounts
• Managing access for Facebook and LinkedIn accounts, where the access is granted through the individual’s personal profile
• Maintaining the brand’s Business Manager (Facebook/Instagram) and Campaign Manager (LinkedIn) – the central places where access is managed
• Maintaining relationships with dozens of agencies and managing their access level
• Maintaining social media related tools, granting access, and onboarding for sometimes hundreds of people
• Revoking access from people who leave the company or an agency
• Maintaining records of all these changes as people change, in case of an audit, lawsuit, or other issue. You might need to provide information on who had access to what and when.

Social media teams simply don’t have the bandwidth to do proper identity management as well. Even if they know how important it is, they’re just not staffed for it.

Keeping track of, updating, and documenting all access levels for all social media and ad accounts can take up 1/3 of an employee’s time, sometimes even becoming a full-time job for big brands.

This is where IT or cyber security teams come in. Unfortunately, most of the times they don’t know enough about how social media management truly works, so they can’t identify it as a risk.

Social media identity management is really complex and most IT/cyber security teams have no visibility into this world. It’s key for them to work with the central social team to do proper identity management.

Building a secure base

As mentioned above, most brands have several social media accounts and connected ad accounts to manage. If the passwords to these accounts aren’t secure, or they fall into the wrong hands, it opens them up for hacking.

Employees who leave on bad terms could use their access to damage the brand, something which takes years to build but seconds to destroy.

Password management tools can help to mitigate this, as access can be shared with employees and agencies without them being able to read or copy – or even need to remember – the password.

Two-factor authentication is another security step that’s also neglected and can open companies up to problems.

Impersonations

Most people think they need a social media account. If you’re part of a large company or franchise with lots of offshoots, every branch or store may feel they need an account. You may even have enthusiastic employees creating accounts with your brand identity.

Addressing and limiting the number of social media accounts associated with your brand is one thing, but there needs to be clear guidance on who does have an account. What’s the business rationale for owning one? What’s the approval process for opening one? How do you keep and retire social media accounts?

Managing a branded account takes time, knowledge, and money. It has to be a skilled person or two responsible for it, but it often isn’t. Instead, it falls to someone who’s enthusiastic, not skilled. Which risks opening up the company to even more security and PR problems.

It’s surprisingly common for people to impersonate brands or top-level executives at a company. But nobody really talks about it.

This is even happening to employees who are thought leaders in their industry.

Sometimes these fake accounts are opened by enthusiastic employees, but aren’t relevant.

Most of the time, the people behind these accounts have malicious or fraudulent intent.

Someone with malicious intent may copy the profile of your branded account, an executive, or an employee they found on social media.

It doesn’t take much to copy someone’s updates, photos, and videos on to a fake profile. Then for that fake profile to find connections.

Some people even create fake branded Facebook accounts to post paid advertisements on behalf of your brand. The sooner these are taken down, the better.

It can be difficult to identify fake accounts. Even if you find them somehow, the take down process is cumbersome on each platform. Working with a vendor who specialises in this makes the process a lot easier.

It’s important to notify security teams as soon as a fake account is discovered, even if it gets taken down. It could be the first sign of a bigger issue. For instance, someone trying to get into a company system through a fake employee or executive account, connecting first with other executives or employees, then gathering information through and from them.

Unfortunately, fake accounts are a lot like mushrooms after the rain – you get rid of one and two more appear.

Creating a better social media experience

When a company has lots of accounts, it doesn’t create a great social media experience for general users. It sends mixed messages. There’s no way to check posts from these smaller accounts are on brand. Which means they could inadvertently hurt your brand reputation.

Users are also left wondering which account they should follow, too. How do they know which content will be the most relevant to them? It may lead to them choosing not to follow any company account, decreasing the number of people you can reach.

It’s therefore important to address how you can design your brand’s social media architecture. You want to support business objectives while creating something that’s based on go-to-market models and which attracts key audiences. You also need to limit the number of these accounts.

Searching on each platform to see how many accounts use your brand name and or visuals is time consuming. It’s also a slow and troublesome process to issue takedowns via each platform.

It helps to use a vendor which can search for impersonations of your brand and executives for you. They can look for impersonations based on logos, visual identity, names, and mentions. It will then send you an alert and ask if you’d like to issue a takedown of the account. If you say yes, you’ll get a notification when it’s gone. This makes the whole process of removing fake accounts much easier.

Let’s talk about it

Most brands simply don’t talk about social media security. They either aren’t aware of it, or they don’t see the risk. Maybe they think it’s being overly cautious.

Too often, people only focus on the nice side of social media – employee activation, marketing, and recruitment.

Being active on social media inevitably comes with risk, though. The more active a brand is, the more exposed it is in the online space, leading to all sorts of potentially risky situations.

Social media teams are too busy interacting internally – and engaging externally – to deal with this. They get alerts to see social accounts when it’s too late, or when they’ve been hacked. Maybe a malicious link is posted on a company account, or malware is installed on an employee’s device. Whatever it is, by then, it’s too late. The damage is done.

On the other hand, cyber security teams don’t reach out to social media teams because they don’t understand the social media landscape. It’s therefore important to raise awareness and get people talking.

It’s hard to gain trust, but easy to lose. If any of your branded accounts or anyone at the company gets hacked, it looks bad on the brand. Trust is the highest valued commodity, and losing that creates a huge risk. Be preventative, but prepare for the worst.

Fixing – and preventing – social media security risk

The first step in solving this issue is to get social media teams and IT/cyber security teams to communicate. They need to have an open discussion about what the area is and how to secure it. It needs to be discussed in an open and collaborative space.

The second step is a social media audit. This isn’t an easy or quick process, but it can save brands time in the future – and mitigate risk.

Start by gathering all social media account information in a spreadsheet internally.

Collect all the social accounts you’re aware of, and reach out internally to any social media teams. Ask questions like:

• What platform(s) are they on?
• Who’s responsible for the account(s)?
• How many followers do they have?
• Do they use two-factor authentication?
• Who has access to the account(s)?
• Do they use your social media management system?
• Who has access to their accounts?
• What 3rd party apps have access to the accounts?

Be sure to take a note of the login details too, and any other details you think are relevant.

It will turn into a huge spreadsheet, but once you have these details, you can follow up to get any missing information. (Don’t forget to keep it updated, too!)

Once you have all this information, you can create a plan with the cyber security team. It should include things like:

• How to address identity management
• Who should be responsible
• Which team has the resources to manage this (usually the IT/cyber security team is better staffed than the social team, however they lack the social media access knowledge).

Look for vendors within the social media security space which can help you with:

• Identifying fake branded accounts
• Identifying impersonations of executives
• The take down process.

You’ll need to get the CMO’s attention so that you can get a budget for this. It helps if you can show them how many impersonated accounts are out there and creating a huge risk that can backfire quickly. Any responsible CMO will be aware of – and wary of – the risk to brand trust.

It’s good to be prepared. You may never need this security, but even social media platforms get hacked – look at what happened to Twitter last year. It’s better to assume that everyone is a target than nobody.

Crisis management

Crises can come in all shapes and forms. PR, security, and social media teams need to work together to form a plan on how to manage any crises that arise. What’s the protocol if a ransomware comes up? How do they handle a local, compared to a company-wide, issue?

And of course, make sure to run through the crisis communication plan every quarter. That way, everyone knows who should be alerted, how to assess the situation, and what protocol is in place.

It’s key that the central team has access to all social media accounts. It helps to manage these through a social media management system, too, as this is more secure and effective than managing accounts directly. When you choose a social media management system, always check their security certification.

Brands tend to forget they’re different organizations, and who has the ownership. So it turns into an organizational/internal politics issue. It doesn’t matter who owns – or pays for – it, though. What matters is that you make sure your brand is as safe and protected as possible.

Question?

If you’d like some tips on how to get started, or have any questions, I’m happy to jump on a call and chat about social media security. Or you can post your questions in the comments and I’ll get back to you.

If you’re interested, I could do a follow-up blog post or video answering your questions on social media security. Let me know if that would be of interest to you.

I’d love to hear your examples of how you solved social media security issues, too!

Anita Veszeli

Follow #SocialAnita for all my articles and posts

Follow me on Twitter and Instagram