Security of Social Media: Preventing Simple Hacks that Carry a Huge Cost

Social Media Accounts are Critical Access Points –  Treat Them as Such. 

When we talk about security, we often mention protecting social media accounts as a secondary measure to be handled after everything else is properly shielded. Social media, after all, seems trivial and inconsequential compared to protecting the infrastructure that houses your data. Furthermore, social media is usually managed by the marketing department, not IT. Before you dismiss the damage that can be caused in something novel like “the social sphere,” understand that social media account compromises can result in catastrophe.

In a string of recent Twitter hacks, the AP’s Twitter account was attacked through what appeared to be social engineering. The offenders obtained entry to the account through phishing attempts, and sent out a tweet that reported false news that a bomb exploded at the White House, injuring the president. Shortly after the tweet, the stock market plummeted. Panic ensued – all because of one little tweet. The bad news is that the repercussions of misleading or inaccurate claims made from a credible source can reach far and wide. But there is good news too. Companies can successfully guard against these attacks by locking down passwords, testing thoroughly and adding security layers. Here’s how to check all three of these tasks off your list.

Password protection

It’s surprising, but it seems like I read about this simple slip-up on a daily basis. Even the most sophisticated security teams can fail to implement a consistent policy for password protection. Social media accounts are critical access points – so treat them as such. If your business doesn’t use a single sign-on solution or some sort of credential management solution, don’t delay getting one. This is probably one of the most effective ways to keep your social media accounts safe from attackers. Also, be sure to restrict access to only those who require it to perform their job duties. The concept of least privilege simply works. Regularly conduct self-audits, and guard your password like your data depends on it – it really might.

Thorough testing, training, and awareness

As the AP Twitter account compromise showed, phishing is one of the main ways that hackers gain access to social media accounts. As long as you employ humans, social engineering will most likely be one of your biggest security gaps. It’s proven to be an extremely effective tool for cyber criminals. By conducting social engineering penetration tests, a company can understand where its security plan falls short and educate its employees on how to mitigate attacks.

In other words, continually train your staff on security, especially social engineering. This is the best way to proactively ensure your employees are aware of the risks and not complacent. As security gaps are discovered, they can immediately be handled without hesitation. Test your employees and your infrastructure by conducting social engineering pen-tests and maintaining a thorough and comprehensive risk management program, because both angles matter to the overall sanctity of your public image.

Take advantage of every extra security layer when offered

No doubt in response to the flurry of recent hacks, Twitter rolled out two-factor authentication. Whenever a social media company offers an extra way to safeguard your account – investigate it and try to take advantage of the opportunity. Marketing departments are sometimes hesitant to add extra layers because they’re afraid they will become a hassle, slow down internal processes or remove convenience. However, as evidenced by the recent public incidents – you’d rather take one additional tiny step than deal with the PR and financial nightmare a successful hack creates. Maximize your security by refusing to pass up any available security measures that make sense.

Holes in seemingly minor areas – such as social media account access – could pack a devastating punch if exploited. Practice sound password policies, test your security layers and staff like it’s your job (because, well, it is), and don’t bypass supplemental security features when offered. Your brand reputation will be the better for it.

Related: Passwords, Malware and the AP-Twitter Hack
