With the increased use of social tools for business communications, social media security is more important than ever.
While the benefits of social are clear, there are risks to be wary of. According to the latest EY Global Information Security Survey, 59% of organizations had a “material or significant incident” in the past 12 months.
If you are on social (and who isn’t?), you need to protect yourself against common social media security threats.
Bonus: Get a free, customizable social media policy template to help you easily create guidelines for your employees’s personal and professional social media use.
Common social media security risks
Unattended social media accounts
It’s a good idea to reserve your brand’s handle on all social media channels, even if you don’t plan to use them all right away. This allows you to maintain a consistent presence across networks, making it easy for people to find you.
But it’s important not to ignore the accounts you don’t use yet, the ones you stopped using, or don’t use often.
Unmonitored social accounts can be the target of hackers, who could start posting fraudulent messages under your name.
Once they gain control, hackers can send anything. That could mean false information that’s damaging to your business. Or maybe it’s virus-infected links that cause serious problems for followers. And you won’t even notice until your customers start coming to you for help.
Everyone makes mistakes. In today’s busy world, it is all too easy for an employee to accidentally expose the company to threats online. In fact, “employee weakness” was responsible for 20% of cyberattacks, according to the EY Global Information Security Survey.
Something as simple as clicking on the wrong link or downloading the wrong file could wreak havoc.
Some online challenges and quizzes can also be problematic. By completing them, employees can accidentally create social media security issues.
Those “learn your elf name” and 10-year-challenge posts might seem like harmless fun. But they can actually provide scammers with information commonly used to hack passwords.
The AARP issued a warning about these types of quizzes to make sure their demographic of older internet users are aware of the issue.
But younger people—including your employees—are not immune.
Vulnerable third-party apps
Locking down your own social accounts is great. But hackers may still be able to gain access to secure social media through vulnerabilities in connected third-party apps
Hackers recently accessed Twitter accounts associated with the International Olympics Committee. They got in through a third-party analytics app. FC Barcelona was a victim of the same hack
FC Barcelona will conduct a cybersecurity audit and will review all protocols and links with third party tools, in order to avoid such incidents and to guarantee the best service to our members and fans. We apologise for any inconvenience this situation may have caused.
— FC Barcelona (from ????) (@FCBarcelona) February 15, 2020
Phishing attacks and scams
Phishing scams create social media information security risks. In a phishing scam, the goal is to get you or your employees to hand over passwords, banking details, or other private information.
One common phishing scam involves fake coupons for big-name brands like Costco, Starbucks, and Bath & Body Works. This is especially popular on Facebook. To claim the coupon, you have to hand over personal information like your address and birth date.
We’re sorry for any confusion as we’re in no way affiliated with the social account or giveaways mentioned. We always recommend exercising caution if asked for any of your personal information online. We invite you to follow our verified social profiles for our promotions!
— Bath & Body Works (@bathbodyworks) April 17, 2020
Some scammers are bolder, asking for banking information and passwords. The Singapore Police Force recently issued a warning about this type of scam. New variations use hashtags related to government programs for COVID-19 relief.
POLICE ADVISORY ON FAKE CASH GIVEAWAYS ADVERTISED ON SOCIAL MEDIA The Police have observed a spike in the number of…
Posted by Singapore Police Force on Wednesday, April 8, 2020
It’s relatively easy for an imposter to create a social media account that looks like it belongs to your company. This is one reason why it’s so valuable to get verified on social networks.
LinkedIn’s latest transparency report notes that they took action on 21.6 million fake accounts in just six months. The majority of those accounts (95%) were blocked automatically at registration. But more than 67,000 fake accounts were only addressed once members reported them.
Facebook estimates that about 5% of monthly active user accounts are fake.
Impostor accounts can target your customers or potential recruits. When your connections are tricked into handing over confidential information, your reputation suffers.
The government of the Canary Islands recently had to issue an imposter alert. Someone was impersonating a government minister on Instagram. They were using the account to contact citizens about a phoney relief grant.
The public are advised that an Instagram account impersonating Minister O’Connor Connolly has been contacting individuals about a relief grant. This is fake.
Anyone needing assistance during this time should visit https://t.co/NQGyp1Qh0w for information on who can help. pic.twitter.com/gr92ZJh3kJ
— Cayman Islands Government (@caymangovt) May 13, 2020
Imposter accounts may also try to con employees into handing over login credentials for corporate systems.
Another type of imposter scam targets brands hoping to work with influencers. In this scam, someone impersonating a social media personality with a high following reaches out and asks for free product.
Working with real influencers can be a valuable marketing strategy. But it’s important to verify that you’re dealing with the real person rather than an imposter.
Malware attacks and hacks
If hackers gain access to your social media accounts, they can cause enormous band reputation damage.
Hackers recently gained access to the accounts of NBA MVP Giannis Antetokounmpo. When they Tweeted racial slurs and other profanities, his team had to do damage control.
Giannis Antetokounmpo’s social media accounts were hacked this afternoon and have been taken down. An investigation is underway.
— Milwaukee Bucks (at ????) (@Bucks) May 7, 2020
In January 2020, 15 NFL teams were hacked by the hacker collective OurMine. The hackers targeted team accounts on Twitter, Facebook, and Instagram.
Apologies that our account was compromised this morning. We’re back in the game & ready for the Pro Bowl. ????⬇️
— Chicago Bears (@ChicagoBears) January 26, 2020
And in February, OurMine gained access to the official @Facebook Twitter account.
Those hacks were relatively benign, but still a major hassle for the teams involved. Others hacks are much more serious.
Cyberspies posed as University of Cambridge researchers on LinkedIn. They reached out to connect with oil and gas professionals. Once they had established trust, the spy group sent a link to an Excel file. The file contained malware that stole login credentials and other information.
People seem to be well aware of the potential privacy risks of using social media. A recent survey found that only 19% of users trust Facebook with their personal information.
Those concerns, of course, don’t stop people from using their favorite social channels. Sixty-nine percent of U.S. adults use Facebook.
For brands, the privacy risk includes both business and personal use. Make sure you understand the privacy settings on your business accounts. You should provide privacy guidelines for employees who use their personal social accounts at work.
Unsecured mobile phones
Mobile devices account for more than half the time we spend online. Using social network apps makes it easy to access social media accounts with just one tap.
That’s great as long as your phone stays in your own hands. But if your phone, or an employee’s phone, is lost or stolen, one-tap access makes it easy for a thief to access social accounts. And then they can message all of your connections with phishing or malware attacks.
Protecting the device with a password or fingerprint lock helps, but more than half of mobile phone users leave their phones unlocked.
Social media security tips
1. Create a social media policy
If your business is using social media—or getting ready to—you need a social media policy.
These guidelines outline how your business and your employees should use social media responsibly.
This will help protect you not only from security threats, but from bad PR or legal trouble as well.
At minimum, your social media policy should include:
- Brand guidelines that explain how to talk about your company on social
- Rules related to confidentiality and personal social media use
- Social media activities to avoid, like Facebook quizzes that ask for personal information
- Which departments or team members are responsible for each social media account
- Guidelines related to copyright and confidentiality
- Guidelines on how to create an effective password and how often to change passwords
- Expectations for keeping software and devices updated
- How to identify and avoid scams, attacks, and other security threats
- Who to notify and how to respond if a social media security concern arises
For more details, check out our step-by-step guide to creating a social media policy. It includes loads of examples from different industries.
2. Train your staff on social media security issues
Even the best social media policy won’t protect your organization if your employees don’t follow it. Of course, your policy should be easy to understand. But training will give employees the chance to engage, ask questions, and get a sense of how important it is to follow.
These training sessions are also an opportunity to review the latest threats on social. You can talk about whether there are any sections of the policy that need updating.
It’s not all doom and gloom. Social media training also equips your team to use social tools effectively. When employees understand best practices, they feel confident using social media for their work. They’re then well-equipped to use social media for both personal and professional purposes.
3. Limit access to increase social media data security
You may be focused on threats coming from outside your organization. But employees are a significant source of data breaches.
Limiting access to your social accounts is the best way to keep them secure.
You may have whole teams of people working on social media messaging, post creation, or customer service. But that certainly doesn’t mean that everyone needs to know the passwords to your social accounts.
It’s critical to have a system in place that allows you to revoke access to accounts when someone leaves your organization or changes roles. Learn more about how this works in the Tools section below.
4. Set up a system of approvals for social posts
Not everyone who works on your social accounts needs the ability to post. It’s an important defensive strategy to limit the number of people who can post on your accounts. Think carefully about who needs posting ability and why.
You can use Hootsuite to give employees or contractors the ability to draft messages. Then, they’re all set to post at the press of a button. Leave that last button press to a trusted person on your team.
5. Put someone in charge
Assigning a key person as the eyes and ears of your social presence can go a long way towards mitigating risks. This person should:
- own your social media policy
- monitor your brand’s social presence
- determine who has publishing access
- be a key player in the development of your social media marketing strategy
This person will likely be a senior person on your marketing team. But they should maintain a good relationship with your company’s IT department to ensure marketing and IT work together to mitigate risk.
This is the person team members should turn to if they ever make a mistake on social that might expose the company to risk of any kind. This way the company can initiate the appropriate response.
6. Set up an early warning system with social media security monitoring tools
As mentioned at the start, unattended social accounts are ripe for hacking. Keep an eye on all of your social channels. That includes the ones you use every day and the ones you’ve registered but never used at all.
Assign someone to check that all the posts on your accounts are legitimate. Cross-referencing your posts against your content calendar is a great place to start.
Follow up on anything unexpected. Even if a post seems legitimate, it’s worth digging into if it strays from your content plan. It may be simple human error. Or, it may be a sign that someone has gained access to your accounts and is testing the water before posting something more malicious.
You also need to watch for:
- imposter accounts
- inappropriate mentions of your brand by employees
- inappropriate mentions of your brand by anyone else associated with the company
- negative conversations about your brand
You can learn how to monitor all the conversations and accounts relevant to your brand in our complete guide to social media listening. And check out the Tools section below for information on resources that can help.
7. Regularly check for new social media security issues
Social media security threats are constantly changing. Hackers are always coming up with new strategies, and new scams and viruses can emerge at any time.
Regular audits of your social media security measures will help keep you ahead of the bad actors.
At least once a quarter, be sure to review:
- Social network privacy settings. Social media companies routinely update their privacy settings. This can impact your account. For example, a social network might update its privacy settings to give you more precise control over how your data is used.
- Access and publishing privileges. Check who has access to your social media management platform and social accounts. Update as needed. Make sure all former employees have had their access revoked. Check for anyone who’s changed roles and no longer needs the same level of access.
- Recent social media security threats. Maintain a good relationship with your company’s IT team. They can keep you informed of any new social media security risks they become aware of. And keep an eye on the news—big hacks and major new threats will be reported in mainstream news outlets.
- Your social media policy. This policy should evolve over time. As new networks gain popularity, security best practices change and new threats emerge. A quarterly review will make sure this document remains useful and helps to keep your social accounts safe.
6 social media security tools
No matter how close an eye you keep on your social channels, you can’t monitor them 24 hours a day—but software can. Here are some of our favorite social media security tools.
1. Permissions management
With a social media management platform like Hootsuite, team members never need to know the login information for any social network account. You can control access and permission, so each person gets only the access they need.
If someone leaves the company, you can disable their account without having to change all your social media passwords.
2. Social monitoring streams
Social monitoring lets you stay ahead of threats. By monitoring social networks for mentions of your brand and keywords, you’ll know right away when suspicious conversations about your brand emerge.
Say people are sharing phoney coupons, or an imposter account starts tweeting in your name. If you’re using a social media management platform, you’ll see that activity in your streams and can take action.
When you integrate ZeroFOX with your Hootsuite dashboard, it will alert you to:
- dangerous, threatening, or offensive content targeting your brand
- malicious links posted on your social accounts
- scams targeting your business and customers
- fraudulent accounts impersonating your brand
It also helps protect against hacking and phishing attacks.
4. Social SafeGuard
Social SafeGuard screens all incoming and outgoing social posts against your social media policy before distribution.
This can help protect your organization and your employees from social media risks. It’s also a great compliance tool for organizations in regulated industries.
5. Hootsuite Amplify
We’ve already said that your social media policy should outline how employees use social media at work. By providing pre-approved posts for employee sharing, Amplify extends your company’s social reach without additional risk.
BrandFort can help protect your social accounts from spam comments.
Why are spam comments a security risk? They’re visible on your profiles and may entice legitimate followers or employees to click through to scam sites. You’ll have to deal with the fallout, even though you did not directly share the spam.
BrandFort can detect spam comments in multiple languages and hide them automatically.
Use Hootsuite to manage all your social media accounts safely and securely in one place. Mitigate risks and stay compliant with our best-in-class security features, apps, and integrations.