Social media has become a vital tool in helping businesses share their brand values and products, garner essential feedback from customers, and interact with new and existing audiences. However, as social media has become more sophisticated, so too has its security risks, making social media security best practices increasingly multifaceted in response.
This module will cover how to identify social media security risks for businesses and how to help safeguard your accounts from potential attacks.
How can social media security be improved?
Security risks for businesses are evolving rapidly, and yet many organizations either overlook or underestimate the need to implement social media best practices - or have simply grown complacent. The reasons for this are multi-layered and include:
- Lack of awareness. Many small and medium-sized business leaders lack cybersecurity knowledge and skills, consequently failing to train their staff to identify and manage potential threats to businesses.
- An evolving cyberthreat landscape. It can be overwhelming to stay on top of the latest cyberthreats, and not having the right cybersecurity software in place may leave businesses vulnerable to cyberattacks.
While it remains important for businesses to actively share information through various social media platforms, such as Facebook, LinkedIn, and Twitter, it is also vital to educate all parties on identifying, managing, and reducing the risk of potential threats.
Three top Cyber Safety tips to help reduce security risks across your social media accounts include:
- Conduct regular staff training to raise awareness of the risks and signs of a data breach or cyberattack
- Devise and implement IT protocols and policies that outline what information can be shared and over which networks
- Implement robust password security and other authentication measures
Businesses will need to embed strict controls to authenticate and authorize users before they can access confidential data across various devices and networks. The most popular social media sites opt for Role-Based Access Control (RBAC), under which each user's access is determined by the administrative role assigned to them rather than configured individually.
On Facebook, for example, an "Advertiser" can create ads or boost posts, but cannot remove or ban people from the page. An "Editor" can do both things but can't manage page roles - this must be done by an "Admin."
On Twitter, an "Organic analyst" can view the profile analytics but can't access paid campaigns. A "Campaign analyst" can access paid campaign data but can't post any Tweets. On LinkedIn, only the "Super Admin" has access to all settings and controls.
This approach is based on the Principle of Least Privilege (PoLP), which means that only the minimum level of permission required to complete a task is granted to an individual.
While it can be tempting to have a single login that all employees use, giving multiple users control over all aspects of a profile creates a security risk: mistakes caused by human error, or malicious insider activity, become difficult to trace back to an individual. Likewise, if the single login is compromised, a hacker can take full control of the business page, including any sensitive payment information.
A best practice is for employees to have individual logins based on their role and use the access levels set out by the social media platforms. Further information on access control models can be explored in our Identity Management Training.
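The role model described above, as an added example that is not code from the original module or from any platform: a deny-by-default RBAC check whose roles mirror the Facebook page roles the text names (Advertiser, Editor, Admin), a least-privilege helper that picks the smallest role covering what a person actually needs, and an audit trail that records each decision against an individual login. The action names and permission sets are an assumption for illustration, not the platform's real permission matrix.

```python
"""Toy role-based access control (RBAC) check for a business social media page.

Added example for this module, not code from the original page or from any
platform. The roles mirror the Facebook page roles the text describes
(Advertiser, Editor, Admin); the exact action names and permission sets are an
assumption for illustration, not the platform's real permission matrix.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Each role maps to the set of actions it may perform. Access is deny-by-default:
# any action not listed for the role is refused.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "advertiser": frozenset({"create_ad", "boost_post"}),
    "editor": frozenset({"create_ad", "boost_post", "publish_post",
                         "remove_person", "ban_person"}),
    "admin": frozenset({"create_ad", "boost_post", "publish_post",
                        "remove_person", "ban_person", "manage_roles"}),
}

# Audit entry: (user, role, action, allowed). Because every employee has an
# individual login, each decision is attributable to a person, which is exactly
# what a shared login loses.
AuditEntry = Tuple[str, str, str, bool]


def authorize(user: str, role: str, action: str,
              audit: Optional[List[AuditEntry]] = None) -> bool:
    """Return True only if the user's role explicitly grants the action."""
    allowed = action in ROLE_PERMISSIONS.get(role, frozenset())
    if audit is not None:
        audit.append((user, role, action, allowed))
    return allowed


def least_privilege_role(required_actions: Iterable[str]) -> Optional[str]:
    """Pick the role with the fewest permissions that still covers every
    required action (Principle of Least Privilege). Returns None if no single
    role covers them all."""
    needed = frozenset(required_actions)
    candidates = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items()
                  if needed <= perms]
    return min(candidates)[1] if candidates else None


def denied_attempts(audit: List[AuditEntry]) -> List[AuditEntry]:
    """Filter the audit trail for refused actions; a burst of these from one
    account is worth a look during an access review."""
    return [entry for entry in audit if not entry[3]]


if __name__ == "__main__":
    trail: List[AuditEntry] = []
    # Constructed sample: an advertiser tries to ban someone, an editor boosts a post.
    authorize("alice", "advertiser", "ban_person", trail)   # refused
    authorize("bob", "editor", "boost_post", trail)         # allowed
    print("least-privilege role for ad work:",
          least_privilege_role({"create_ad", "boost_post"}))
    print("denied:", denied_attempts(trail))
```

Running the block shows that someone whose job is only to run ads is placed in the Advertiser role, and that the one refused action is tied to a named user, which is the traceability a shared login cannot provide.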
It’s tempting to have the same password for every account or to choose a password that's easy to remember, but this can put confidential business data and security at risk.
Introducing password security training is a key part of social media security best practices – ensuring all parties are aware of the risks of using weak passwords, such as data breaches or identity theft, which could lead to significant financial and reputational damage for you and your business. Passwords should:
- Be over 12 characters long and include letters, numbers, and special characters
- Not include any personal information that could be found on social media, such as family names or memorable dates
- Be unique to each account – this includes avoiding variants, such as changing one character
- Not be written down or shared with anyone else
Creating robust, unique passwords can be difficult for employees who already have multiple logins to remember. A password manager should therefore be implemented across your business to help users create, manage, and store their passwords.
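The password rules listed above, turned into a check that a business could run when an employee changes a password. This is an added example, not code from the original module or from any password manager; the rule thresholds follow the text (more than 12 characters; letters, numbers and special characters; no personal terms; no one-character variant of the current password), and the personal terms and sample passwords are constructed for the demo.

```python
"""Check a candidate password against the module's password rules.

Added example, not code from the original page or any product. The check runs
at password-change time, when the user has just typed both the current and the
new password, so a one-character variant of the current one can be detected
without storing any plaintext.
"""
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 13  # the module's rule is "over 12 characters"


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance; used to catch variants such as
    changing a single character of an old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(candidate: str,
                       current_password: Optional[str] = None,
                       personal_terms: Iterable[str] = ()) -> List[str]:
    """Return a list of rule violations; an empty list means the password passes.
    personal_terms holds things an attacker could read off social media
    (family names, memorable dates), supplied by the user or HR profile."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must mix letters, numbers and special characters")
    lowered = candidate.lower()
    for term in personal_terms:
        # ignore very short terms so that e.g. initials do not cause false alarms
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term!r})")
    if current_password is not None:
        if candidate == current_password:
            problems.append("same as the current password")
        elif levenshtein(lowered, current_password.lower()) <= 1:
            problems.append("one-character variant of the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a short password, a password containing the
    # user's surname, and a "just bump the last digit" change.
    print(check_new_password("Summer2024!"))
    print(check_new_password("Smithfamily2024!!", personal_terms=("Smith", "1984")))
    print(check_new_password("Winter-Garden-41", current_password="Winter-Garden-42"))
    print(check_new_password("correct-horse-battery-9", personal_terms=("Smith",)))
```

The variant check compares lowercase forms, so changing only the case of one letter is also refused. In a real deployment the check would sit beside, not instead of, a password manager that generates the password in the first place.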
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) provides an additional layer of security when accessing accounts by requiring users to provide two or more security credentials. The main types of MFA include:
- A password or PIN
- One-time passwords (OTP), which are generated on request and sent via SMS or email
- Security keys, tokens, or certificates, sometimes accessed via an authentication app
- Biometrics, such as voice or face recognition, or a fingerprint
More sophisticated types of MFA include:
- Location-based MFA, which analyzes a user's IP address or geolocation to block access from unrecognized locations
- Risk-based authentication, which looks for unusual behaviors, such as the time of day an account is being accessed, the type of network used, and the type of device
All employees with admin access to your business social media accounts should be required to turn on MFA when logging into each platform.
Single Sign On (SSO)
Single Sign On (SSO) enables users to access multiple applications and devices through a single, more secure user ID. It is popular across social media platforms, notably Facebook, which allows users to access third-party apps using their personal profiles.
SSO has become a useful authentication and authorization tool for businesses with remote workers – enabling employees to work across various platforms, such as Microsoft Teams, Zoom, Slack, and Google Workspace – providing speed and efficiency while strengthening access security.
Update security software
Making sure that your security software remains up to date is an important social media security best practice. This will ensure that it helps protect against hackers or malicious software that attempt to attack your business network via its social media accounts.
Firewalls, scanners, and business antivirus should be implemented and regularly updated to make sure vulnerabilities are fixed (or “patched”) to help detect, restrict, and remove cybersecurity threats. Patch management tools can help to automate this process.
Use a Virtual Private Network (VPN)
Virtual Private Networks are an essential tool for hybrid and remote workers, helping to connect them to the company network more securely. The data traffic is sent via an encrypted channel, helping block third parties from accessing confidential data traffic. This is especially important for social accounts that may be managed and updated on mobile devices outside of the traditional office network and usual working hours.
By creating a private channel, a VPN server can also mask a user's IP address, offering extra online privacy for employees using their home networks.
Check account security settings
All businesses must be mindful of the security settings across their social media accounts. It is common for privacy policies and associated security settings to be updated regularly by platforms, yet users do not always keep up to date with these changes.
To ensure your social media security remains robust and that all cybersecurity controls are in place, it is important to regularly check that all social media accounts and network security settings are correct and continue to deliver the required level of protection. This could include reviewing the following:
- Ensuring that the individuals with account access have permission levels that are relevant to their role
- Checking that security features such as Multi-Factor Authentication are turned on
- Making sure recovery contact information is up to date
- Reviewing what details are shared in posts, such as location or admin names
- Determining whether posts can appear in search engines’ searches
- Checking whether individuals can tag the business in posts
Manage third-party app permissions
Any third-party applications with permission to connect to, access, or collect data from your social media accounts must also be secure. Common examples include scheduling software and marketing tools.
Conduct a routine audit of which third-party apps are connected to your business social media accounts and what details they can access. Only use applications that have robust data information policies, and ensure that they cannot create or amend posts or harness controls that are not relevant to their purpose.
Training and education
As social media security threats rise, businesses should invest in employee training and education to raise awareness of potential attacks and embed good practices across all levels of the organization.
Employees should be responsible for recognizing risky behavior when using social media platforms, such as sharing sensitive information or connecting to accounts over unsecured Wi-Fi. They should also be made aware that bad actors can use social media to gather information for spear phishing – for example, information on colleagues, connections, and email addresses can be obtained easily on LinkedIn. Collecting publicly available data in this manner is known as scraping.