Does your company have official social media accounts like Twitter or Facebook? How do you protect them from unauthorized access? Get a few tips here and take our poll on security measures.
In the past few weeks, we have seen regular news stories about the Twitter accounts of large organizations being hacked, with news organizations targeted in particular: the Associated Press account was hacked in late April, along with those of 60 Minutes and 48 Hours (both CBS properties); the Syrian Electronic Army got into the Onion's account in early May; and now Sky News has seen its Twitter account compromised as well. There are several reasons why bad guys would want to target news media accounts: they are followed by millions of people, and they are often accessible to many staff so that reporters can post breaking news. But any company with a strong media presence is vulnerable, and we have certainly seen cases from every type of industry where accounts were compromised and false information posted.
For any spammer or hacktivist, getting instant access to millions of followers is a big incentive. There may also be other reasons, such as using one account as a stepping stone into other accounts with more sensitive information, for example email accounts. Simple malice is also a motivator for some hackers. Regardless of the reason, there is no doubt that these breaches are on the rise, with collateral damage in the digital world, not to mention the stock market. Here we will look at some of the techniques hackers use to get in, and some protections you can put in place to keep your social media accounts safe and secure.
Protecting social media accounts
The most common way attackers get into a Twitter or Facebook account is by simply obtaining someone's password and then logging into the system. It may sound trivial, because it is. If someone gains access to your password, then they can log in as you. If your organization's Twitter account has 20 different employees who know the password, then the risk has just gone up dramatically. This password can leak the same way as any other sensitive information: attackers can send phishing emails, use malware or keyloggers, or rely on social engineering. In these cases the success rate is even higher, because the bad guys will target the people who are likely to have access to the corporate account. For example, let's say someone wants access to a news organization's account. Chances are that all the reporters have access to it, so all the attacker has to do is write a phishing email tailored to them and send it to every one of them.
This technique is exactly how the Onion's Twitter account was hacked. Someone sent an email to all of the contact email addresses claiming to have an exclusive story, with a link that appeared to go to the Wall Street Journal. Of course, the link was forged, and it instead went to a fake login page. All the attackers need is for one employee to be duped, and they are in. Another route is to get access to a different account belonging to one of the employees. This can be done with phishing, malware, or by hacking database servers. There are a lot of lists of usernames and passwords circulating from compromised servers. If an employee happens to have an account at one of the compromised sites, they may very well be using the same login credentials for their Twitter account.
As you can see, the more people that have access to a corporate account, the more likely it is to be compromised. This is why you should not give the actual login credentials to employees. Instead, use software like Hootsuite, which lets you give employees permission to tweet without them knowing the account's real password. A compromised employee may still be able to tweet, but the attacker will be prevented from hijacking the account completely. Educating employees is also very important, and basic security should be applied to all of your workstations.
Another good tip is to avoid using your work email addresses for social media accounts. It is far harder for someone to guess a secondary email address than it is to find your main work email, which may actually be posted on your organization's contact page. Finally, every corporate account should be monitored and kept up to date by the IT staff. Too many organizations sign up for social accounts once, and then the password never changes. Whoever created the account originally may no longer be with the company, employees come and go, and before you know it nobody knows how many people actually have access to that account. With up-to-date access lists you can control that access much more easily.
All it takes is a bit of time, and some layers of security, to make sure your corporate social media accounts are not prime targets for exploitation. Remember that any account shared by more than one person is far more susceptible to compromise than your own personal account. And because your Facebook page or Twitter stream may reach clients directly, the last thing you want is for an unauthorized party to start posting there. In summary, to protect your corporate social media accounts, start by following these basic rules:
- Limit access to employees who are approved to post on any accounts
- Use a social media manager like Hootsuite
- Educate employees about phishing risks and social engineering
- Monitor accounts closely by updating permissions and regularly changing passwords
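As an added illustration of the last two rules (not code from the original post), here is a small audit script that checks a list of shared accounts against the HR roster and flags departed users who still have access, passwords known to too many people, and passwords that have not been rotated. The account names, staff names, dates and thresholds are all constructed sample data.

```python
from datetime import date

# Constructed sample data, not from the article: one record per shared
# corporate account. "password_holders" know the real credentials;
# "delegated_users" post only through a manager tool such as Hootsuite.
ACCOUNTS = [
    {"account": "@acme_news (Twitter)",
     "password_holders": ["alice", "bob", "carol", "dave"],
     "delegated_users": ["erin", "frank"],
     "password_rotated": date(2012, 11, 1)},
    {"account": "ACME Corp (Facebook page)",
     "password_holders": ["alice"],
     "delegated_users": ["bob", "grace"],
     "password_rotated": date(2013, 4, 15)},
]

# Constructed HR roster of people still employed (dave and frank have left).
ACTIVE_STAFF = {"alice", "bob", "carol", "erin", "grace"}

def audit_access(accounts, active_staff, today, max_holders=2, max_age_days=90):
    """Return (account, finding, detail) tuples for access-list problems."""
    findings = []
    for acct in accounts:
        name = acct["account"]
        holders = set(acct["password_holders"])
        everyone = holders | set(acct["delegated_users"])
        # Anyone not on the current roster should have been removed already.
        for user in sorted(everyone - active_staff):
            findings.append((name, "departed-user-has-access", user))
        # Every extra person who knows the real password widens the phishing target.
        if len(holders) > max_holders:
            findings.append((name, "too-many-password-holders", str(len(holders))))
        # Shared passwords that are never rotated outlive the people who knew them.
        age_days = (today - acct["password_rotated"]).days
        if age_days > max_age_days:
            findings.append((name, "password-stale", f"{age_days} days"))
        # A departed holder still knows the password: rotate regardless of age.
        if holders - active_staff:
            findings.append((name, "rotate-now", "departed user knows password"))
    return findings

def audit_sample(today_iso="2013-05-20"):
    """Run the audit over the constructed data as of the given ISO date."""
    return audit_access(ACCOUNTS, ACTIVE_STAFF, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for account, finding, detail in audit_sample():
        print(f"{account}: {finding} ({detail})")
```

In the sample data only the Twitter account, with four password holders and two departed staff still listed, produces findings; the Facebook page, with a single password holder and delegated posting, passes.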
Has your organization instituted any new security policies aimed specifically at social media use? Has anything been banned? Let us know about your experience, and take the short poll below.