Social media presents many new opportunities — as well as risks — for companies to communicate directly to their customers.
Social media offers many new opportunities for businesses to communicate directly to their clients, in ways that are personal, deep and “sticky.” Unfortunately, along with the benefits that social media brings come significant downsides if it’s ever abused. Because these separate channels can put a “face” on a brand or a company, it’s critical that security for social media accounts is handled properly so this public or semi-public exposure can be managed the right way.
A recent hack of the Twitter account belonging to McDonald’s Corp. gave this well-known brand a terrible public image for several days after an ill-advised political message was briefly made visible and was reported in the media. Fortunately for McDonald’s, the company got a handle on the situation quickly, so the effect of the inappropriate messaging was minimized. But there are some valuable lessons to be learned from this and other cases where similar events have occurred. Here are three major takeaways from these types of incidents that you can use in your own organization:
1. Don’t Allow Your Accounts to Be Compromised
The days of simple, easy-to-guess passwords (such as “password” or “football”) are long over; today, companies should be employing several different strategies to formulate secure passwords that can’t be cracked:
- Using a Password Manager: Using the same password on all your social media accounts is an invitation for trouble; if a person discovered what the password is, they can access not just one of your social media channels, but all of them. Instead, use a password manager program that generates, intense, complex and unique passwords for every social media site you access.
- Using a Passphrase Instead of a Password: For your accounts in the password manager itself, use a passphrase, instead of a password. An example of a passphrase would be: “abunchofwordsstrungtogetherwithoutspacesandmaybea:)attheend.” While a simple password can sometimes be guessed, a passphrase is unlikely to ever be entered at random.
- Using Multi-Factor Authentication: Multi-factor authentication allows you to receive time-sensitive, one-use passwords for your organization to access its password manager and/or other tools. With individuals, it can send to a phone or use an app to generate unique codes. For multiple people in an organization, each person can have their own account that has permission to access an organization’s primary account.
2. Be Sure to Send Messaging to the Right Account
Because employees can quickly switch back and forth between personal accounts and corporate accounts, it can be too simple for someone to accidentally post a message to the wrong account. This can be avoided by using entirely separate apps or browsers to post to each one. If you really want to be safe, use completely different devices for each type of account.
3. Take Care Who Is Handling Your Social Media
This is perhaps the weakest link in the chain because more trust is mandated than in the steps above. You’re never going to be able to monitor every employee’s behavior, but it’s crucial that all staff members and third parties that have access to your accounts can be trusted implicitly. Even taking this into consideration, there are still more steps you can take to prepare for the odd circumstance when someone breaches that trust:
- Always Make Sure That You Have Access to All Pertinent Accounts: Passwords and backup codes may need to be stored in a password vault and/or a physical safe in your office to enable this.
- Prepare a Tweet or Post in Advance That Spells Out How You Will Handle a Misuse Situation: Think of the worst possible scenario for an insider abusing your accounts. Now, imagine that scenario just happened, and you must do damage control. Prepare tweets and/or posts in advance that can be used as templates should such a situation occur.
- Make a List of Who Must Be Notified in the Case of an Insider-Misuse Incident: Make sure you have a list of names, phone numbers and emails of people who need to be informed in the event of a security breach.
- Make a Template Email That Can Be Sent Quickly in the Event of an Incident: Write a template email explaining what the above contacts can expect in terms of how long a tweet or post was “live,” how many people shared it, whether or not the press noticed it, etc. so you can simply pop in real information if and when a breach occurs.
- Formulate a Checklist of Actions to Take in the Case of Any Incident: Make a list of actions to follow if and when an event occurs. Steps can include:
- Re-asserting Control Over the Social Media Accounts in Question
- Changing Passwords and Removing Third-Party and/or App Access
- Removing the Offending Content
- Posting a Prepared Response
- Informing Your Key Contacts
- Beginning an Investigation Into What Occurred
- Keeping Your Audience Updated
This checklist should be in the run book of all your firm’s IT security procedures.
All of the above steps might seem a little onerous, but not following them can be much more costly, in terms of emergency headaches and public corporate embarrassment. There’s no excuse for poor security, and any incidents that could be avoided may put people’s jobs at risk. Being adequately prepared is one of the best defenses you can take for securing social media so it can be used safely, effectively and profitably.